Web lists-archives.com

[Samba] Encrypted secrets in sam.ldb feature

On Thu, 2018-03-01 at 22:34 +0000, Jonathan Hunter via samba wrote:
> Thank you to all the team for the work on this.
> On 1 March 2018 at 20:26, Karolin Seeger via samba <samba@xxxxxxxxxxxxxxx>
> wrote:
> > [...]
> > 
> > Encrypted secrets
> > -----------------
> > 
> > Attributes deemed to be sensitive are now encrypted on disk.
> > [...]
> > The key file "encrypted_secrets.key" is created in the same directory
> > as the database and should NEVER be disclosed.  It is included by the
> > samba_backup script.
> > 
> Can I ask (genuine question) - what is the gain from encrypting the
> secrets, but also keeping the key in the same directory?

Not much :-)

> I am all for encrypting data on disk; I'm just not sure what is gained in
> this scenario. If an attacker has access to the database file, the same
> attacker would also have access to the key, wouldn't they?
> Not that I can think of any alternatives, given that the server does of
> course need the key itself in order to decrypt and use the database - I
> just wanted to understand the thinking behind the feature.

Two things:

The idea was that the key could be provided by some network protocol. 
There are some tools for doing that so a backup or stolen disk would
not include the clear-text secrets.  (The long-term key then being
stored somewhere more manual).

We have had a number of arbitrary memory-read bugs in Samba.  The goal
was to have the mmap()ed section of memory not disclose keys as

Finally, Encrypting the whole disk would be a good ideas anyway, but
falls to the same issue of key management.

> (Also - the notes state that an in-place upgrade won't encrypt the
> database.. is there a command-line way to trigger an encrypt, should it be
> wanted?)

No, we didn't implement that.  Most folks upgrade by joining a new DC
to the domain so we avoided the extra work.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba