Questions about encrypting enckey


Sherif Nagy

Dec 4, 2015, 5:03:59 AM
to privacyidea
Hello,

So I am thinking of encrypting my encKey with a password; however, I have a few questions:

1- This will encrypt the current key and will not generate a new key? So I don't lose the tokens and data already in the database.
2- When I start the service using systemctl or service (I am using the deb privacyidea-apache2 package), will that work and ask me to decrypt the enckey? If not, how can I decrypt the enckey in this case?


Regards,
Sherif

Cornelius Kölbel

Dec 4, 2015, 5:21:05 AM
to priva...@googlegroups.com
Hi Sherif,

take a look here:
http://privacyidea.readthedocs.org/en/latest/installation/system/securitymodule.html?highlight=securitymodule

To encrypt the enckey, you can use the script

pi-manage encrypt_enckey <filename>

This will not overwrite the file. The encrypted data will be written to
stdout. You can either pipe these or paste it.

You may also want to make a backup of the encryption key, anyway!

When you restart the apache it will start quite normal.
But at certain points, when data needs to be encrypted or decrypted you
will get the error:

ERR707: hsm not ready!

You can also check this at the command line after (re)-starting the
apache:

# privacyidea -U https://localhost/pi --admin=super --nosslcheck \
securitymodule
Please enter password for 'super':
This is the configuration of your active Security module:
{ u'status': True, u'value': { u'is_ready': False}}

"is_ready": False shows you, that the encryption key is not ready to be
used.

So you need to run:

# privacyidea -U https://localhost/pi --admin=super --nosslcheck \
securitymodule --module=default

Please enter password for 'super':
Please enter password for security module 'default':
Setting the password of your security module default
{ u'status': True, u'value': { u'is_ready': True}}

Now, "is_ready": True shows you, that the encryption key can be used by
privacyIDEA...

Take care and do backups ;-)
I do not know, who uses it productively at the moment.

Kind regards
Cornelius
> --
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/d4e7e11b-0b96-476e-a36c-b7189cc6e339%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


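The flow Cornelius describes above (encrypted key on disk, service starts, security module reports is_ready False and refuses to encrypt until its password is set) as an added example in Python. This is not privacyIDEA's own code, and the file layout (MAGIC header, salt, nonce, tag) and the HMAC-counter keystream are a constructed stdlib-only illustration, not the format that pi-manage encrypt_enckey writes; class and function names are assumptions.

```python
"""Illustrative model of a password-protected enckey (added example, not privacyIDEA
code). Encrypt-then-MAC under a PBKDF2-derived key pair; the SecurityModule class
reproduces the ready / not-ready states quoted in the thread."""
import hashlib
import hmac
import secrets

MAGIC = b"ENCKEY-DEMO-v1"      # constructed header marking an encrypted enckey file
PBKDF2_ROUNDS = 200_000


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a keystream (stdlib-only illustration)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def _derive(password: str, salt: bytes) -> tuple:
    """Split one PBKDF2 output into an encryption key and a separate MAC key."""
    kdf = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return kdf[:32], kdf[32:]


def encrypt_enckey(raw_key: bytes, password: str) -> bytes:
    """Wrap raw_key under a password; returns the bytes for the new enckey file."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive(password, salt)
    ct = _xor(raw_key, _keystream(enc_key, nonce, len(raw_key)))
    tag = hmac.new(mac_key, MAGIC + salt + nonce + ct, hashlib.sha256).digest()
    return MAGIC + salt + nonce + ct + tag


def decrypt_enckey(blob: bytes, password: str) -> bytes:
    """Unwrap; a wrong password or a tampered file fails the tag check and yields no key."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an encrypted enckey file")
    body = blob[len(MAGIC):]
    salt, nonce, ct, tag = body[:16], body[16:32], body[32:-32], body[-32:]
    enc_key, mac_key = _derive(password, salt)
    expected = hmac.new(mac_key, MAGIC + salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted enckey file")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


class SecurityModule:
    """Minimal stand-in for the 'default' security module's ready / not-ready state."""

    def __init__(self, enckey_file: bytes):
        self._blob = enckey_file
        # A plaintext enckey is usable at once; an encrypted one waits for the password.
        self._key = None if enckey_file.startswith(MAGIC) else enckey_file

    @property
    def is_ready(self) -> bool:
        return self._key is not None

    def status(self) -> dict:
        # Same shape as the CLI output quoted in the thread
        return {"status": True, "value": {"is_ready": self.is_ready}}

    def set_password(self, password: str) -> dict:
        """Equivalent of 'securitymodule --module=default': unlock the key in memory."""
        self._key = decrypt_enckey(self._blob, password)
        return self.status()

    def encrypt(self, data: bytes) -> bytes:
        """Any use of the key before unlocking fails the way the thread describes."""
        if not self.is_ready:
            raise RuntimeError("ERR707: hsm not ready!")
        nonce = secrets.token_bytes(16)
        return nonce + _xor(data, _keystream(self._key, nonce, len(data)))

    def decrypt(self, blob: bytes) -> bytes:
        if not self.is_ready:
            raise RuntimeError("ERR707: hsm not ready!")
        nonce, ct = blob[:16], blob[16:]
        return _xor(ct, _keystream(self._key, nonce, len(ct)))
```

The point to take from the model is the operational one in the mail: after a restart the service is up but every encrypt/decrypt fails until someone supplies the module password, so the unlock step has to be part of your restart procedure, and the plaintext key needs a backup before you replace the file.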

Sherif Nagy

Dec 4, 2015, 7:41:05 AM
to privacyidea
Hi Cornelius,

I did try the following command (I still did not encrypt my key yet), and I am getting the following error:

#privacyidea -U https://localhost --admin=admin --nosslcheck securitymodule 

/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html (This warning will only appear once by default.)
  InsecureRequestWarning)
This is the configuration of your active Security module:

Traceback (most recent call last):
  File "/usr/bin/privacyidea", line 1321, in <module>
    main()
  File "/usr/bin/privacyidea", line 1317, in main
    args.func(args, client)
  File "/usr/bin/privacyidea", line 683, in securitymodule
    r1 = client.securitymodule(param={})
  File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 226, in securitymodule
    return self.connect('/system/setupSecurityModule', param)
AttributeError: 'privacyideaclient' object has no attribute 'connect'

Any idea what might be the issue ?

Regards,
Sherif

Cornelius Kölbel

Dec 4, 2015, 8:16:11 AM
to priva...@googlegroups.com
Hi Sherif,

you need at least version 2.7dev1.
Hm, should release privacyideaadm 2.7... :-/

I guess you have 2.5?
Oh, it is not available from launchpad ppa:privacyidea/privacyidea-dev
(will just upload)
Or you can install it via pip.

Kind regards
Cornelius

Sherif Nagy

Dec 4, 2015, 9:28:16 AM
to privacyidea
Hi Cornelius,

Oh yep, the privacyideaadm is 2.5 :/ Will update now :) Thank you

Sherif

Sherif Nagy

Dec 4, 2015, 10:02:03 AM
to privacyidea
Hello again,

So before encrypting the enckey, I am getting securitymodule value true (after upgrading to 2.7devX). I encrypt the enckey, paste the data and replace the file, restart Apache, and run the command again to check the status (it should be false or HSM not ready), but I am getting the below error:

Traceback (most recent call last):
  File "/usr/bin/privacyidea", line 1467, in <module>
    main()
  File "/usr/bin/privacyidea", line 1462, in main
    no_ssl_check=args.nosslcheck)
  File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 96, in __init__
    self.set_credentials(username, password)
  File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 129, in set_credentials
    raise Exception("Invalid Credentials: %s" % r.status_code)
Exception: Invalid Credentials: 400

and the admin password is correct. If I replace the encrypted key file with the non-encrypted one, restart Apache and try again to check the status, I get True.

Do I need to re-add the admin user ?

Regards,
Sherif

Cornelius Kölbel

Dec 4, 2015, 10:06:09 AM
to priva...@googlegroups.com
Is this a local admin?
Or is it an admin in a superuser-realm?

If it is a local admin, which was added by

pi-manage admin

it should(TM) work, since the encryption keys are not used in this case.

If it is an admin in a superuser-realm in e.g. an LDAP, it will not
work, since PI can not decrypt the LDAP password to find the admin in
the LDAP.

Kind regards
Cornelius

Sherif Nagy

Dec 4, 2015, 10:18:51 AM
to privacyidea
It's the local admin that has been added by the pi-manage admin command.

Sherif

Cornelius Kölbel

Dec 4, 2015, 10:25:06 AM
to priva...@googlegroups.com
Hi Sherif,

So for some reason the server returns an error.
I could imagine it is due to some things it is doing _before_ checking the
admin's password. And in doing this stuff, it might run into a problem,
since the encryption key does not exist, yet.

E.g. this could be some policies, which need the encryption key when
being checked.

So can you please tell, what policies you have defined and also take a
look into the servers log file?

Thanks a lot
Cornelius

Sherif Nagy

Dec 4, 2015, 10:29:35 AM
to privacyidea
Okay, let me disable the policies and I will let you know if it works or not and which policies I have :)

Sherif

Sherif Nagy

Dec 4, 2015, 10:45:02 AM
to privacyidea
Hi Cornelius,

I guess I know what is wrong, so here is what I have done:

- Disabled all the policies (I have one for u2f auth, one for weblogin and one for users login) and still got the same error.
- Took out the user resolvers from the default realm, and the decryption of the key works like a charm.
- I have an LDAP resolver and a passwd one. I noticed a message in the log saying it is looking for /etc/passwd in /home/privacyidea; that is why I thought to disable the usersource.

So I guess the realm usersources run before the local admin ones?

Regards,
Sherif

Cornelius Kölbel

Dec 4, 2015, 10:54:23 AM
to priva...@googlegroups.com
Hi Sherif,

thanks a lot for the details.

I can confirm this.

If the default realm contains an LDAP-Resolver with a BIND-PW you can
not login with a local administrator.

https://github.com/privacyidea/privacyidea/issues/280

I will dig into this.

Kind regards
Cornelius

Sherif Nagy

Dec 4, 2015, 11:03:12 AM
to privacyidea
Hi Cornelius,

Just to confirm, I created an empty realm and set it as default, and the decryption of the enckey works. So it seems the system is checking the user's realm before the local admin.

Regards,
Sherif

Cornelius Kölbel

Dec 4, 2015, 11:06:42 AM
to priva...@googlegroups.com
It is this line:

https://github.com/privacyidea/privacyidea/blob/master/privacyidea/api/auth.py#L188

When the user object is created with a loginname and the realmname, it
also checks in which resolver in the realm the user is located,
to get a user object consisting of loginname, realmname and
resolvername.

In this case, it can not check the LDAP resolver, since it can not
access the BIND PW.

Kind regards
Cornelius
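The login-order problem diagnosed in the thread, as an added example in Python. This is not privacyIDEA's code: the resolver classes, realm layout, the local admin table and the two authenticate functions are constructed to model what Cornelius describes (the User object for login@default-realm is built by probing each resolver, and an LDAP resolver first has to decrypt its BIND password through the security module), and to show the ordering that avoids the dependency.

```python
"""Model of the login path described in the thread (added example, not privacyIDEA
code; all names illustrative). With the enckey still locked, resolving the login
name in a realm that holds an LDAP resolver raises, so even a local admin, which
needs no encryption key, cannot log in. Checking the local admin table first
removes that dependency."""
import hashlib
import hmac


class HSMNotReady(Exception):
    pass


class SecurityModule:
    def __init__(self, ready: bool):
        self.ready = ready

    def decrypt(self, value: str) -> str:
        if not self.ready:
            raise HSMNotReady("ERR707: hsm not ready!")
        return value  # stand-in: demo values are not really encrypted


class PasswdResolver:
    """Needs no secret: it only reads a passwd-style user list."""

    def __init__(self, users):
        self.users = set(users)

    def has_user(self, login: str, hsm: SecurityModule) -> bool:
        return login in self.users


class LDAPResolver:
    """Must decrypt its stored BIND password before it can search the directory."""

    def __init__(self, encrypted_bind_pw: str, users):
        self.encrypted_bind_pw = encrypted_bind_pw
        self.users = set(users)

    def has_user(self, login: str, hsm: SecurityModule) -> bool:
        hsm.decrypt(self.encrypted_bind_pw)   # raises while the enckey is locked
        return login in self.users


def _pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed local admin table; in the thread, pi-manage admin creates these
# without involving the encryption key at all.
LOCAL_ADMINS = {"super": _pw_hash("superpw")}


def resolve_user(login, realm_name, resolvers, hsm):
    """Build (login, realm, resolver) by asking every resolver of the realm in turn."""
    for resolver in resolvers:
        if resolver.has_user(login, hsm):
            return (login, realm_name, type(resolver).__name__)
    return None


def _check_local_admin(login: str, password: str) -> bool:
    stored = LOCAL_ADMINS.get(login)
    return stored is not None and hmac.compare_digest(stored, _pw_hash(password))


def authenticate_realm_first(login, password, default_realm, resolvers, hsm) -> str:
    """Order observed in the thread: the realm lookup runs before the admin check."""
    user = resolve_user(login, default_realm, resolvers, hsm)   # may raise HSMNotReady
    if _check_local_admin(login, password):
        return "local admin"
    # Realm users' own password check is not modelled here.
    return "realm user" if user else "invalid credentials"


def authenticate_admin_first(login, password, default_realm, resolvers, hsm) -> str:
    """Consult the local admin table first; touch the realm's resolvers only afterwards."""
    if _check_local_admin(login, password):
        return "local admin"
    user = resolve_user(login, default_realm, resolvers, hsm)
    return "realm user" if user else "invalid credentials"
```

The workaround Sherif found (an empty default realm) corresponds to passing no resolvers: resolve_user then has nothing to probe, so the locked module is never touched before the admin check runs.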