[PATCH] Encrypt secret attributes on disk
Andrew Bartlett
abartlet at samba.org
Fri Dec 15 08:37:53 UTC 2017
On Fri, 2017-12-15 at 15:22 +1300, Gary Lockyer via samba-technical
wrote:
> Patch set to encrypt the samba secret attributes on disk. This is
> intended to mitigate the inadvertent disclosure of the sam.ldb file, and
> to mitigate memory read attacks.
>
> Currently the key file is stored in the same directory as sam.ldb but
> this could be changed at a later date to use an HSM or similar mechanism
> to protect the key.
>
> Data is encrypted with AES 128 GCM. The encryption uses gnutls where
> available and if it supports AES 128 GCM AEAD modes, otherwise nettle is
> used.
Thanks Gary,
There are some interesting ways this could be extended, but this is a
really good start.
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
I've pushed it to autobuild.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
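As an added illustration of the scheme the patch describes (AES-128-GCM as an AEAD over each secret attribute value, keyed from a file kept beside sam.ldb), and not code from Samba or the patch itself: the snippet below uses Go's standard library rather than gnutls/nettle, keeps the key as an inline constructed value instead of reading the key file, and binds the attribute name as additional authenticated data, which is an assumption for demonstration, not something the patch states. It shows why an AEAD mode matters for the stated goal: a value that is modified on disk, or copied from one attribute into another, fails authentication instead of decrypting to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed 16-byte sample key (AES-128). In the patch this key is read from a
// file stored next to sam.ldb; it is inlined here only so the example runs stand-alone.
var secretKey = []byte("0123456789abcdef")

// newGCM builds an AES-128-GCM AEAD from a 16-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptAttribute seals one attribute value. The attribute name is passed as
// additional authenticated data (an assumption for illustration), so a blob moved
// to a different attribute will not open. Output layout: nonce || ciphertext || tag.
func encryptAttribute(key []byte, attr string, value []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // 12 bytes, fresh for every value
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, value, []byte(attr)), nil
}

// decryptAttribute opens a blob produced by encryptAttribute; any bit flip in the
// nonce, ciphertext, tag or attribute name makes Open return an error.
func decryptAttribute(key []byte, attr string, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("encrypted blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(attr))
}
```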