Forum: CFEngine Help
Subject: Re: Thoughts of encrypting the entire Cfengine workspace?
Author: msvob...@linkedin.com
Link to topic: https://cfengine.com/forum/read.php?3,25714,25717#msg-25717
Some responses on the mailing list, so copying / responding here.

> Well arguably if they have root they could see all your stuff anyway.

Not necessarily. If they gained root, they would see encrypted data, not stuff in cleartext.

> I think what you're getting at though is that typically all hosts get all policy. So host 1 can see policy that has nothing to do with it. I have played around a little bit with selective policy download, but anywhere you have a place where you're covering a setting that could apply differently to multiple classes, a node in that class would need that file for the setting and you would be exposing the settings for other classes of machines. I haven't thought about it much, but it's been in the back of my mind wondering what the best way to deal with it is. If you used PGP to encrypt all the policy files, each node would still need to be able to decrypt the policy files for evaluation. How would you prevent an attacker from doing the same?
>
> -- Nick Anderson
>
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@cfengine.org
> https://cfengine.org/mailman/listinfo/help-cfengine

Yeah, I was thinking about this as well.... So, maybe a concept of cf-serverd feeding cf-agent a "shared key", sort of like one of those SecurID tokens that generates a random number every 60 seconds... The shared key between cf-serverd and cf-agent is only valid for 60 seconds or something of that sort. Of course, this would break Cfengine's policy of "the network being unavailable means nothing." Without a network link here for cf-serverd and cf-agent to share a key to decrypt the data, cf-agent wouldn't be able to execute. I think I'm kind of OK with that though. I'd rather have cf-agent execute a NO-OP while the network was inaccessible, but I can see how that could be undesirable as well..
Maybe there's a better way for cf-serverd and cf-agent to exchange some sort of information that would allow the decryption / execution of cf-agent to actually happen.

> Other than the occasional password hash I can't think of anything that private that would require such drastic measures. In the case of password configuration, a centralized authority, such as Kerberos, would be the better approach. Barring that, I might have the policy copy only local secrets to target clients rather than in bulk. So a local crack will only affect that host, which is already lost.
>
> -- Neil Watson
> Linux/UNIX Consultant
> http://watson-wilson.ca

It's not just password hashes... Folks are transferring sensitive configurations that either describe how the infrastructure is put together / where things live and how things work / etc. Anyhow, if we encrypt data over the wire, it makes sense to also encrypt it on disk. Having a hacker look around /var/cfengine is just one more step (and much easier to do) than sniffing a network wire hoping to capture un-encrypted network transfers.
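The "copy only local secrets to target clients" approach from the thread, written out as an added CFEngine 3 policy example. This is not code from the thread, from Neil Watson, or from the CFEngine project; it assumes the hub keeps one directory per client under /var/cfengine/secrets/<fqdn>/, that cfengine_stdlib.cf is available for the secure_cp, mog and if_repaired bodies, and that the client list and paths are constructed placeholders. Over the wire the copy is encrypted and each client is only admitted to its own directory, so a root compromise on web01 exposes web01's secret and nothing else on the hub. It does not address Nick Anderson's point: whatever a host must be able to decrypt, an attacker with root on that host can decrypt too, which is why the per-host split limits blast radius rather than removing the exposure.

```cfengine3
# Added example, not part of the original thread.
# Assumed layout on the policy hub: /var/cfengine/secrets/<client fqdn>/secret.conf
# Assumed: cfengine_stdlib.cf provides secure_cp, mog and if_repaired.

body common control
{
  bundlesequence => { "local_secrets" };
  inputs         => { "cfengine_stdlib.cf" };
}

bundle server secrets_access
{
  vars:
    # Constructed placeholder list of client hostnames.
    "clients" slist => { "web01.example.com", "db01.example.com" };

  access:
    # Implicit iteration binds the same $(clients) value in promiser and admit,
    # so web01 is admitted only to .../secrets/web01.example.com, never to db01's
    # directory. Admission by hostname relies on reverse DNS matching the client.
    # ifencrypted refuses the plain-text transfer path for this directory.
    "/var/cfengine/secrets/$(clients)"
      admit       => { "$(clients)" },
      ifencrypted => "true";
}

bundle agent local_secrets
{
  files:
    # Each agent fetches only the file under its own fqhost directory from the hub.
    # secure_cp sets encrypt => "true" and verify => "true" on the copy.
    "/etc/app/secret.conf"
      perms     => mog("0600", "root", "root"),
      copy_from => secure_cp("/var/cfengine/secrets/$(sys.fqhost)/secret.conf",
                             "$(sys.policy_hub)"),
      classes   => if_repaired("secret_updated");

  reports:
    secret_updated::
      "Refreshed /etc/app/secret.conf from $(sys.policy_hub)";
}
```

The hub-side access promise is what does the work: without the per-client admit list, a single `admit => { "192.168.0.0/16" }` on /var/cfengine/secrets would let any client walk every other host's directory, which is exactly the "all hosts get all policy" exposure described above. The client-side copy still lands in cleartext on the target's disk, as the thread notes it must for cf-agent to evaluate it.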