In the message dated: Wed, 24 Aug 2011 20:44:37 PDT, The pithy ruminations from da...@lang.hm on <Re: [lopsa-tech] MySQL and Encryption> were:
As will be abundantly clear in a few more words, I am not a crypto expert...

> it only protects against the machine being stolen if the decryption key is
> not also stored on the machine. This would mean that there needs to be a
> manual step (either to enter the key or to unlock the key) every time the
> machine boots. Since nobody does that (everyone wants the machine to boot
> up without requiring a sysadmin login to it) it's snake oil in that case
> as well.

I've been wondering about this problem. Why not have the database server use public key encryption (unattended, automated, at boot time) to connect to another machine in order to retrieve the decryption key? The db server would have a public key from the other machine, and vice versa. This would ensure the authenticity of the two machines, and allow them to transfer keys.

I'm envisioning something like:

- dbserver boots up
- dbserver encrypts message using the keyserver's public key, requesting database decryption keys
- dbserver sends message to the keyserver
- keyserver decrypts message, using its own private key. If the message is from a valid source, and if the request is valid (i.e., if the particular dbserver is allowed to get the key for the specified database), then the keyserver encrypts the key using the dbserver's public key and sends it to the dbserver
- the dbserver receives the key, decrypts it, and uses it to unlock the database, then "throws away" the key (overwrites that block of memory)

Vulnerabilities:
- the keyserver service is now a SPoF
- there's a greater chance for a DoS by blocking communication to/from the keyserver
- the decrypted key could be read from memory on the dbserver (same level of vulnerability as already exists)

Benefits:
- centralized key management & authorization for "N" database (or other service) machines, connecting to one keyserver service (HA clustered, etc.). Easy management to invalidate access from remote machines.
- Manual key entry required on the "single" keyserver at boot time, as opposed to manual key entry on "N" distinct servers.

This scheme probably has more holes than a piece of Swiss cheese...but it may be better than the alternatives of putting keys into text files to be read at boot time, or manually entering many keys on different machines at 3AM.

What do you think?

Mark

> David Lang

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
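The boot-time exchange sketched in the post above, written out as an added example in Go; this is not code from the original message or from any lopsa-tech participant, and it exists only to make the sequence concrete. It assumes an in-memory keyserver, the client name "db1", the database name "orders" and a constructed 32-byte sample key; a real deployment would put the network and an HA key store behind ks.Handle. One design choice is stated here as an assumption rather than something the post says: the post wants the keyserver to confirm the request is "from a valid source", and encrypting to the keyserver's public key does not do that by itself (anyone holding that public key can produce such a message), so in this example each side signs its ciphertext with its own private key and the receiver verifies that signature before decrypting. A random nonce in the request, echoed in the reply, ties the answer to the request so a captured reply cannot be replayed into a later boot. The last step, overwriting the key in memory, is done as a plain loop and is best effort only under a garbage collector.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the wire format in both directions: RSA-OAEP ciphertext for the recipient,
// plus an RSA-PSS signature over that ciphertext by the sender, which is what identifies the sender.
type Envelope struct {
	ClientID   string // registered dbserver name on requests, "keyserver" on replies
	Ciphertext []byte
	Signature  []byte
}

// KeyServer stands in (in memory) for the central service: key pair, registered client keys, ACL.
type KeyServer struct {
	Priv    *rsa.PrivateKey
	Clients map[string]*rsa.PublicKey
	ACL     map[string]map[string][]byte // client -> database -> database key
}

// DBServer holds its own key pair and the keyserver's public key, provisioned out of band.
type DBServer struct {
	ID    string
	Priv  *rsa.PrivateKey
	KSPub *rsa.PublicKey
}

// Seal encrypts msg for `to` and signs the ciphertext with `from`.
func Seal(to *rsa.PublicKey, from *rsa.PrivateKey, clientID string, msg []byte) (*Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil)
	if err != nil { return nil, err }
	h := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, from, crypto.SHA256, h[:], nil)
	if err != nil { return nil, err }
	return &Envelope{ClientID: clientID, Ciphertext: ct, Signature: sig}, nil
}

// Open checks the signature against the expected sender before it decrypts anything.
func Open(env *Envelope, from *rsa.PublicKey, to *rsa.PrivateKey) ([]byte, error) {
	h := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(from, crypto.SHA256, h[:], env.Signature, nil); err != nil { return nil, fmt.Errorf("signature check failed: %w", err) }
	return rsa.DecryptOAEP(sha256.New(), nil, to, env.Ciphertext, nil)
}

// Handle is the keyserver side. Request plaintext is nonce(16 bytes) || database name;
// reply plaintext is nonce || key, sealed for the client that asked.
func (ks *KeyServer) Handle(env *Envelope) (*Envelope, error) {
	pub, ok := ks.Clients[env.ClientID]
	if !ok { return nil, errors.New("unknown client " + env.ClientID) }
	plain, err := Open(env, pub, ks.Priv)
	if err != nil { return nil, err }
	if len(plain) <= 16 { return nil, errors.New("malformed request") }
	nonce, database := plain[:16], string(plain[16:])
	key, allowed := ks.ACL[env.ClientID][database]
	if !allowed { return nil, fmt.Errorf("%s is not authorized for %s", env.ClientID, database) }
	return Seal(pub, ks.Priv, "keyserver", append(append([]byte{}, nonce...), key...))
}

// FetchKey is the dbserver side at boot: ask, verify the reply is from the keyserver and echoes our nonce, return the key.
func (db *DBServer) FetchKey(ks *KeyServer, database string) ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	req, err := Seal(db.KSPub, db.Priv, db.ID, append(append([]byte{}, nonce...), database...))
	if err != nil { return nil, err }
	resp, err := ks.Handle(req) // direct call stands in for the network round trip
	if err != nil { return nil, err }
	plain, err := Open(resp, db.KSPub, db.Priv)
	if err != nil { return nil, err }
	if len(plain) < 16 || !bytes.Equal(plain[:16], nonce) { return nil, errors.New("reply does not echo our nonce (replayed or misrouted)") }
	return plain[16:], nil
}

// NewDemo builds one keyserver and one registered dbserver ("db1") allowed only the "orders" key (constructed sample value).
func NewDemo() (*KeyServer, *DBServer, error) {
	ksKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	dbKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	ks := &KeyServer{Priv: ksKey,
		Clients: map[string]*rsa.PublicKey{"db1": &dbKey.PublicKey},
		ACL:     map[string]map[string][]byte{"db1": {"orders": bytes.Repeat([]byte{0x42}, 32)}}}
	return ks, &DBServer{ID: "db1", Priv: dbKey, KSPub: &ksKey.PublicKey}, nil
}

func main() {
	ks, db1, err := NewDemo()
	if err != nil { panic(err) }
	key, err := db1.FetchKey(ks, "orders")
	fmt.Printf("db1/orders: key=%x err=%v\n", key, err)
	for i := range key { key[i] = 0 } // the post's "throw away the key" step; best effort under a GC
	_, err = db1.FetchKey(ks, "payroll")
	fmt.Println("db1/payroll:", err)
}
```

Running main shows the authorized fetch returning the 32-byte key and the "payroll" request being refused by the ACL; a request carrying an unregistered ClientID, or a request whose ciphertext was altered in transit, fails in Handle before any decryption happens. Transporting the database key directly inside RSA-OAEP works here because the payload is under the 190-byte limit of a 2048-bit key; anything larger would need a hybrid scheme. None of this removes the single point of failure or the DoS exposure the post lists: if the keyserver is unreachable, the dbserver cannot unlock.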