[Freeipa-devel] Password Vault Implementation
Simo Sorce
simo at redhat.com
Thu Jul 31 22:34:08 UTC 2014
On Thu, 2014-07-31 at 16:13 -0500, Endi Sukma Dewata wrote:
> On 7/31/2014 1:30 PM, Simo Sorce wrote:
> >>>> http://www.freeipa.org/page/V4/Password_Vault_Implementation
>
> > I was thinking whether we should use a single attribute for each vault,
> > and format the data within the vault as a json blob, to organize the
> > data within the blob.
> >
> > This would allow us to encrypt everything including names and
> > descriptions of the single secrets. This way we also do not need to
> > verify the password, as there is a single encrypted blob and not
> > multiple ones.
>
> > I am more concerned about an admin just seeing the secrets descriptions,
> > or someone finding a backup etc...
> > I was considering the vault as a unit to which either you have or not
> > access based on encryption, not on access control done in LDAP. See
> > above my proposal also that goes in this direction.
>
> The "compartment" concept was actually proposed by Dmitri to help manage
> the secrets. I translated that into "vault" since a vault is essentially
> a compartment.
>
> We can certainly change the design to use separate password for each
> secret. But suppose you have many secrets, you will be responsible to
> remember the password for each secret. Would that be a reasonable
> requirement for people in general? Encrypting the secret metadata is a
> separate issue, we can do that either way. See comments below.
>
> Vault as a compartment will help reduce that burden by using the same
> password for multiple secrets. It also can help if you're sharing
> multiple secrets with the same group of people. You can also create
> separate vaults for each secret if necessary, or the server can be
> configured to limit the number of secrets in each vault.
I think you misunderstood what I was proposing.
I was proposing the vault is the unit of encryption, as a single blob of
data. But the vault would still contain multiple secrets, simply
formatted into a json object.
Something like:
plaintext:
{
{ id: "email",
data: "Passw0rd",
description: "my email password"
},
{ id: "redhat.com",
data: "Secret5",
description: "redhat.com website password"
},
...
}
> >> Or we can make the access control more granular. Only owners can see the
> >> list of secrets.
> >
> > I am not sure listing the secrets within the vault w/o decrypting the
> > vault is necessarily valuable.
>
> Any concern about the crypto operations being computationally expensive,
> or retrieving the whole blob just to see the metadata would waste bandwidth?
How big do you think the vault would be ?
It is not meant to contain anything more than a bunch of passwords, do
we really have a problem if the blob is a few tens of kilobytes ?
> Even if we encrypt individual secrets with the metadata, the secret name
> itself will still be visible to the admin, and it might give out clues
> as to what is in the secret. You can use cryptic names for the secrets,
> but you'll have to maintain it on your own.
Only if you have separate objects per secret which is what I was arguing
against.
> Let's see if the analogy with safe deposit box in a bank makes sense:
>
> 1. Use one box (vault) to store multiple items (secrets). You will have
> one key (vault password) and you will need it to see what's inside.
This is what I am proposing indeed.
> 2. Like #1, but the bank keeps a list of items (metadata) in the box and
> only share it with authorized people (vault members). You can identify
> yourself as a member with an ID (Kerberos principal), but you still need
> a key (vault password) to get the items.
I do not like this much :)
> 3. Use a separate box to store each item (separate password for each
> secret). You will have to manually keep track which key for which box/item.
This is really bad, not advocating at all.
> >>> * Why services are in the /shared/ namespace ?
> >>
> >> Services don't seem to be something that you want to associate with a
> >> specific user.
> >
> > Not with a user, with a service.
> > /services/openvpn at foo.example.com/
>
> We probably can add new commands (or repurpose the commands) to manage
> the namespace. So initially there will be /users and /shared, but you
> can add others such as /services.
>
> >> So in that case it's put under the /shared namespace.
> >> Even so, the vault membership can still be limited to certain
> >> users/service instances. Being in /shared doesn't mean it's open for public.
> >
> > Understood, but if you have the same "service" on multiple machines then
> > it quickly becomes difficult to sort it out, I would prefer a logic
> > similar that of the user, just with fully qualified service names under
> > a /services/ namespace
>
> The vault namespace is hierarchical, so you can organize it in any way
> you want:
> * /services/<service name>@<server name>
> * /shared/services/<server name>/<service name>
>
> In the current wiki page the service admin can pick the vault name
> (/shared/services is just an example), but the secret names in it are
> generated from the service principal (to make sure the service admin and
> the service instance use the same secret name).
Given service passwords is an actual use case I think /services should
be a top level namespace available by default.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list