[Samba] Encrypted secrets in sam.ldb feature
abartlet at samba.org
Thu Mar 1 22:54:29 UTC 2018
On Thu, 2018-03-01 at 22:34 +0000, Jonathan Hunter via samba wrote:
> Thank you to all the team for the work on this.
> On 1 March 2018 at 20:26, Karolin Seeger via samba <samba at lists.samba.org>
> > [...]
> > Encrypted secrets
> > -----------------
> > Attributes deemed to be sensitive are now encrypted on disk.
> > [...]
> > The key file "encrypted_secrets.key" is created in the same directory
> > as the database and should NEVER be disclosed. It is included by the
> > samba_backup script.
> Can I ask (genuine question) - what is the gain from encrypting the
> secrets, but also keeping the key in the same directory?
Not much :-)
> I am all for encrypting data on disk; I'm just not sure what is gained in
> this scenario. If an attacker has access to the database file, the same
> attacker would also have access to the key, wouldn't they?
> Not that I can think of any alternatives, given that the server does of
> course need the key itself in order to decrypt and use the database - I
> just wanted to understand the thinking behind the feature.
The idea was that the key could be provided by some network protocol.
There are some tools for doing that so a backup or stolen disk would
not include the clear-text secrets. (The long-term key then being
stored somewhere more manual).
We have had a number of arbitrary memory-read bugs in Samba. The goal
was to have the mmap()ed section of memory not disclose keys as
Finally, encrypting the whole disk would be a good idea anyway, but
falls to the same issue of key management.
> (Also - the notes state that an in-place upgrade won't encrypt the
> database.. is there a command-line way to trigger an encrypt, should it be
No, we didn't implement that. Most folks upgrade by joining a new DC
to the domain so we avoided the extra work.
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT