Calendar
|
May '13 | |||||
| Mon | Tue | Wed | Thu | Fri | Sat | Sun |
| 1 | 2 | 3 | 4 | 5 | ||
| 6 | 7 | 8 | 9 | 10 | 11 | 12 |
| 13 | 14 | 15 | 16 | 17 | 18 | 19 |
| 20 | 21 | 22 | 23 | 24 | 25 | 26 |
| 27 | 28 | 29 | 30 | 31 | ||
Archives
Tag Cloud
#asterisk #asterisk #voip #voip ACLs Active Directory AD ADAM Amanda Asterisk asterisk Benchmark Blog branding call centre callrecording Catalyst Clustering DBIC DBIx-Class Digium Directory Services Disaster Recovery Dojo eDirectory Enterprise Backups Enterprise Directory Fedora Fedora Directory Server Fedora DS Flexitime freeswitch FreeSWITCH IAM Identity Management IDM IP Telephony Isode Jabber Jabber/XMPP JavaScript Kamailio ldap LDAP LDAP Replication LDAP Schema linux Linux M-Vault Microsoft Microsoft FUD MirrorMode MySQL NBD ofcom OID on-hold OpenDS OpenLDAP openldap OpenLDAP Newsletter OpenLDAP Quick Tips OpenSIPS opensips open source Open Source Oracle Oracle Internet Directory PABX Perl pikatechnologies pikawarp PostgreSQL Quad-Core RDBMS Red Hat Replication RT Samba Sendmail SIP sip Squid SSO Sun Sun Microsystems SunOne suretec Suretec suretec telecom surevoip SureVoIP Symas Symas OpenLDAP UC UM Unified Communications VoIP voip X.500 XMPP
Tuesday, December 9. 2008
OpenLDAP Quick Tips: Encrypt your Oracle Berkeley DB if necessary
Hi All,
Here's the 18th tip in the "OpenLDAP Quick Tips" series:
"You need to encrypt the raw bdb files":
This might be useful various reasons:
Here's the 18th tip in the "OpenLDAP Quick Tips" series:
"You need to encrypt the raw bdb files":
This might be useful various reasons:
It may actually provide some value to sites that do regular backups of their raw DB files. It may actually be useful in some cases where you provide an encryption key on separate removable media (e.g. a USB flash drive). It might actually prevent a news article down the road on how some organization lost their 5 million record customer database and now all that unprotected data is now being exploited by criminals.
I doubt it, of course. It exacts a performance penalty on every DB operation, so I don't think anyone will be able to use this long-term. For the off-site backup scenario, it makes more sense to just encrypt the backup images (tar format or whatever backup utility is used). That way you only spend cycles on encryption once, at backup time. Any site that's savvy enough to do automated backups can certainly figure out how to protect those backups with encryption.
Also:
The one place where I could see using this is if one is using OpenLDAP as
the backend to a Kerberos KDC. It's considered best practice right now to
always encrypt the KDC database at rest on disk, and some sites even
require an administrator be present with a USB key to unlock the database
whenever a KDC has to be rebooted. Given the increasing interest in using
LDAP[?] as a backend store for the KDC, this may be a simpler method for
providing equivalent KDC security without encrypting various bits of data
individually
Taking this all into account, what is needed is simply adding to your slapd.conf file:
CODE:
cryptkey testing
Note: there is also a cryptfile option to store the password in a seperate file.
If you already have a directory setup, then exporting your data and importing it again is needed to encrypt the files. A basic slapd.conf file needed would be:
CODE:
include /usr/local/etc/openldap/schema/core.schema
pidfile ./slapd.pid
argsfile ./slapd.args
modulepath /usr/local/libexec/openldap
moduleload back_bdb.la
database bdb
suffix "dc=suretecsystems,dc=com"
rootdn "cn=admin,dc=suretecsystems,dc=com"
rootpw secret
directory ./openldap-data
cryptkey testing
index objectClass eq
Then import your data with slapadd and test with the bdb tools:
CODE:
[ghenry@suretec openldap-data]$ /usr/local/BerkeleyDB.4.7/bin/db_dump objectClass.bdb
db_verify: Encrypted environment: no encryption key supplied
[ghenry@suretec openldap-data]$ /usr/local/BerkeleyDB.4.7/bin/db_dump -P "test" objectClass.bdb
db_verify: Invalid password
[ghenry@suretec openldap-data]$ /usr/local/BerkeleyDB.4.7/bin/db_dump -P "testing" objectClass.bdb
VERSION=3
format=bytevalue
type=btree
chksum=1
duplicates=1
dupsort=1
db_pagesize=4096
HEADER=END
0096defd
00000001
21d9e0af
00000001
62c4d55f
00000001
DATA=END
Things to note:
You need the bdb version that supports encryption, i.e. not the one that has NC in the package name and that the only encrypted parts of a database environment are its databases and its log files. Specifically, the shared memory regions supporting the database environment are not encrypted. For this reason, it may be possible for an attacker to read some or all of an encrypted database by reading the on-disk files that back these shared memory regions.
For more information see the slapd-bdb man page.
Thanks,
Gavin.
If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.
P.S. For direct access to this section, you can click OpenLDAP Quick Tips.
Posted by Gavin Henry
in OpenLDAP, Open Source, Suretec
at
09:39
| Comments (0)
| Trackbacks (0)
Defined tags for this entry: Directory Services
, Enterprise Backups
, Enterprise Directory
, IAM
, Identity Management
, IDM
, ldap
, LDAP
, LDAP Replication
, LDAP Schema
, Linux
, openldap
, OpenLDAP
, OpenLDAP Newsletter
, OpenLDAP Quick Tips
, Open Source
, Replication
, Suretec
, Symas
, X.500
, Enterprise Backups, Enterprise Directory, IAM, Identity Management, IDM, ldap, LDAP, LDAP Replication, LDAP Schema, Linux, openldap, OpenLDAP, OpenLDAP Newsletter, OpenLDAP Quick Tips, Open Source, Replication, Suretec, Symas, X.500
Trackbacks
Trackback specific URI for this entry
No Trackbacks
Site Feeds
Quicksearch
Comments
Mon, 10.12.2012 09:35
Wed, 21.03.2012 11:47
Wed, 21.03.2012 10:50
Links
Categories
Powered by
