[A bug] enckey / HSM not ready


Sherif Nagy

Dec 9, 2015, 6:35:49 AM
to privacyidea
Hello,

I managed to protect the enckey with the securitymodule and it works fine: I restart Apache, the status is false, I type my admin password, then the password for the key, the status is true and everything works fine. However, after a few hours I logged in as admin into the system and I was not able to retrieve the user "LDAP" data, and the logs show:

[ERROR][privacyidea.lib.token:387] User information can not be retrieved: ERR707: hsm not ready!

and I have to decrypt the key again. Not sure what causes this.

Regards,
Sherif

Sherif Nagy

Dec 9, 2015, 6:46:45 AM
to privacyidea
After a bit of deeper investigation, it seems that Debian includes a daily cron job that clears the apache2 cache. I will check it, try again and keep you updated.

Sherif

Sherif Nagy

Dec 9, 2015, 6:57:28 AM
to privacyidea
Okay, it seems that the logrotate profile for apache2 is the reason: it rotates the logs every day and then reloads the Apache server, and that clears the key from memory, I guess. Any workaround :)?

Sherif

Cornelius Kölbel

Dec 9, 2015, 7:52:42 AM
to priva...@googlegroups.com
Hi Sherif,

This works as expected. The key is only accessible to the current
process. The password to encrypt the key is contained in the memory
allocated by the current process.

If you had the password anywhere else, you would not have to
encrypt the key. You can still rely on the default file access
protection of the encryption key.

You can, however, increase the logrotate interval for Apache. Then you would
have to re-enter the password only once a week or once a month.

Imagine creating a service that passes the password to the Apache
process. There is no secure way to ensure that the Apache process, and
not another process, accesses the password.

What attack scenarios did you want to mitigate in the first place?

Kind regards
Cornelius

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


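An added example of what Cornelius's suggestion looks like in the logrotate profile (this is not from the thread or from the privacyIDEA project). The first stanza approximates the `/etc/logrotate.d/apache2` that Debian ships at the time (reconstructed from memory, so compare it against the file on your own host); its `postrotate` reload is what replaces the Apache worker processes and drops the decrypted enckey. The second stanza is the adjusted version. Only one stanza may cover a given log path, so pick one, do not combine them.

```conf
# As shipped (approximate): daily rotation followed by an Apache reload.
# Every reload replaces the worker processes, so the enckey password that
# was entered through the web UI is gone until someone types it again
# and privacyIDEA answers "ERR707: hsm not ready!" in the meantime.
/var/log/apache2/*.log {
        daily
        missingok
        rotate 14
        compress
        delaycompress
        notifempty
        create 640 root adm
        sharedscripts
        postrotate
                if /etc/init.d/apache2 status > /dev/null ; then \
                    /etc/init.d/apache2 reload > /dev/null; \
                fi;
        endscript
}

# Adjusted: rotate monthly and keep a year of logs, so the reload (and the
# password prompt that follows it) happens once a month instead of daily.
# A `size` trigger is deliberately not added: it would reintroduce reloads
# at unpredictable times.
/var/log/apache2/*.log {
        monthly
        missingok
        rotate 12
        compress
        delaycompress
        notifempty
        create 640 root adm
        sharedscripts
        postrotate
                if /etc/init.d/apache2 status > /dev/null ; then \
                    /etc/init.d/apache2 reload > /dev/null; \
                fi;
        endscript
}
```

If the reload itself is the problem rather than the rotation frequency, logrotate's `copytruncate` option keeps daily rotation and never signals Apache at all (it copies the log and truncates the original in place, so the worker processes and the key they hold survive); the cost, per the logrotate manual, is that a few log lines written between the copy and the truncate can be lost. Keep the package's own file under a local override so a package upgrade does not silently restore the daily schedule.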

Sherif Nagy

Dec 10, 2015, 3:21:26 PM
to privacyidea
Hi Cornelius,

Well, I moved it to be monthly. Nothing in particular, I am just testing everything with privacyIDEA. Also, it would be a good idea to have an encrypted enckey within the offsite backup; I know that can be done via actual encryption, which is still an option as well.

Regards,
Sherif

Cornelius Kölbel

Dec 10, 2015, 4:06:21 PM
to priva...@googlegroups.com
Hi Sherif,

You can back up the encryption key encrypted in any way, e.g. with gpg.
You can even store it offline.

You can use

pi-manage backup

to run backups.

Kind regards
Cornelius
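An added example of the gpg approach Cornelius describes, not code from the thread or from privacyIDEA itself: the enckey is symmetrically encrypted before it goes into the offsite backup, and a self-check proves the encrypted copy restores byte-for-byte before anyone relies on it. It assumes gpg 2.1 or newer (for `--pinentry-mode loopback`); all paths and the passphrase are hypothetical, and the key material is constructed random bytes standing in for the real file.

```shell
#!/bin/sh
# Added example, not privacyIDEA project code: protect the enckey with gpg
# before it leaves the host, and verify the round trip.
# Assumes gpg >= 2.1 (--pinentry-mode loopback). Paths are hypothetical.
set -eu

# Symmetric-encrypt plaintext file $1 into $2 with the passphrase held in
# file $3. The passphrase comes from a mode-600 file, never from argv, so
# it does not appear in `ps` output or shell history.
encrypt_enckey() {
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$3" \
        --symmetric --cipher-algo AES256 --s2k-digest-algo SHA256 \
        --output "$2" "$1"
}

# Reverse of encrypt_enckey: decrypt $1 into $2 using passphrase file $3.
decrypt_enckey() {
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$3" \
        --output "$2" --decrypt "$1"
}

# Self-check in a throwaway GNUPGHOME: build constructed key material,
# encrypt it, confirm the output is an OpenPGP symmetric-key message,
# decrypt it and compare. Returns 0 only if every step succeeded.
verify_roundtrip() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    rc=1
    # Constructed sample: 96 random bytes standing in for the real enckey.
    dd if=/dev/urandom of="$work/enckey" bs=32 count=3 2>/dev/null
    chmod 600 "$work/enckey"
    # Constructed passphrase; a real one must differ from the HSM password.
    printf '%s' 'constructed-passphrase-for-the-example' > "$work/pass"
    chmod 600 "$work/pass"
    if encrypt_enckey "$work/enckey" "$work/enckey.gpg" "$work/pass" \
        && gpg --batch --quiet --pinentry-mode loopback \
               --passphrase-file "$work/pass" \
               --list-packets "$work/enckey.gpg" \
             | grep -q 'symkey enc packet' \
        && decrypt_enckey "$work/enckey.gpg" "$work/enckey.restored" "$work/pass" \
        && cmp -s "$work/enckey" "$work/enckey.restored"; then
        rc=0
    fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return $rc
}

# Run the self-check when invoked directly: ./enckey_backup.sh selftest
if [ "${1:-}" = "selftest" ]; then
    verify_roundtrip
fi
```

Keep the backup passphrase out of the backup set and out of the same secret store as the HSM password: an encrypted key stored next to its passphrase is the key in the clear, which is the same point Cornelius makes about any service that would hand the password to Apache.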