[Freeipa-devel] Encrypting replica information
Rob Crittenden
rcritten at redhat.com
Mon May 5 14:05:35 UTC 2008
Simo Sorce wrote:
> When we create a replica file we include in it very security sensitive
> information. Then we tell the admin to move it to another machine and
> use it.
> This info is not cleared from the main server, and it may be forgotten
> in a tmp directory on the target server.
>
> Given we need to ask for the Directory Manager password to be able to
> install the replica I was thinking it could be a good idea to encrypt
> the replica information with the same password and decipher the data
> only at installation time, making sure we clean up any temporary file.
>
> This also implicitly proves the Directory Manager password is correct
> even before trying to connect to the other server catching an error in
> that sense very early on.
>
> What do you think?
>
> Simo.
>
Seems reasonable. Can you file a bug?
thanks
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20080505/6b99f6a1/attachment.bin>
More information about the Freeipa-devel
mailing list