Storing secrets in Linux
We need to store an encryption key on Linux & Windows. On Windows, the decision is pretty much trivial, you throw that into DPAPI, and can rely on the operating system to handle that for us. In particular, it is very easy to analyze key scenarios such as “someone stole the hard disk” and say that either the thief wouldn’t be able to get the plain text key, or we can blame Microsoft for that .
On Linux, the situation seems to be much more chaotic. There is libsecret, which seems to be much wider in scope than DPAPI. Whereas DPAPI has 2 methods (protect & unprotect), libsecret has a lot of moving pieces, which is quite scary. That is leaving aside the issue of having no managed implementation and having to dance around Gnome specific data types in the API (need to pass GCancellable & GError into it) which increase the complexity.
Other options include using some sort of hardware / software security modules (such as HashiCorp Vault), which is great in theory, but requires us to either take a dependency on something that might not be there, or try to support a wide variety of options (Keywhiz, Chef, Puppet, CloudHSM, etc). That isn’t a really good alternative from our point of view.
Looking into how Mono implemented the DPAPI on Linux, they did it by writing a master key to an XML file and relied on file system ACLs to prevent anyone from seeing that information. This end up being this:
chmod(path, (S_IRUSR | S_IWUSR | S_IXUSR) );
Which has the benefit of only allowing that user to access it, but given that I’ve gotten the physical disk, I’m able to easily mount that on machine that I control as root and access anything that I like. On Windows, by the way, the way this is prevented is that the user must have logged in, and a key that is derived from their password is used to decrypt all protected data as needed, so without the user logging in, you cannot decrypt anything. For that matter, even the administrator on the machine can’t recover the data if they want to, because resetting the user’s password will cause all such information to be lost.
There is the Gnome.Keyring project as well, which hasn’t been updated in 7 years, and obviously doesn’t support the kwallet (which libsecret does). OWASP seems to be throwing the towel there and just recommend to rely on the file system ACL.
The Linux Kernel has a Key Retention API, but it seems to be targeted primarily toward giving file systems access to the secrets they need, and it looks like it isn’t going to survive reboots (it is primarily a caching mechanism, it looks like?).
So after all this research, I can say that I don’t like libsecret, it seems too cumbersome and will need users to jump through some hoops in some cases (install additional packages, setup access, etc).
Setting up the permissions via the ACL seems to be the common way to handle this scenario, but it doesn’t sit well with me.
Any recommendations?
Comments
Even with full disk encryption, in a scenario where the server can simply reboot and the database is starting up on its own, is it even possible to protect against hard drive theft? There is probably a reason why the typical data centers have such high physical access restrictions?
Fabian, If you are looking at a live server, then the access policies / etc will handle that. The problem is when you can attach the disk to a machine you control, and then access the raw data directly
" seems too cumbersome and will need users to jump through some hoops in some cases (install additional packages, setup access, etc). " All in a day's work for a Linux admin. Maybe make libsecret optional and use ACLs if not installed. There are people who will jump through hops and some wont.
Pop Catalin, I'm trying to treat admins like my friends, not my peons. :-) And having that as an option is not something that I really want. Options are bad for you, and open you up to a lot of complexity.
Since secret management is something that can vary from shop to shop, maybe this should be a plugin? That way, if a shop does use Vault, for instance, then they can maintain consistency in secrets management.
Richard, Plugins / options is problematic to a certain degree, because it opens up a lot of complexity. Given the typical behavior of shops with secret management, it is easier to have them use encfs to store the master key, and load that using their own secret management software /hardware at load time using their own method.
That is easy to script and give you a lot of freedom, but at the same time, doesn't require us to support a specific interface, or the admin to start writing extensions to RavenDB itself
Comment preview