Hi Sherif,
this works as expected. The key is only accessible for the current
process. The password to encrypt the key is contained in the memory
allocated by the current process.
If you would have the password anywhere else, you would not have to
encrypt the key. You can still rely on the default file access
protection of the encryption key.
You can however increase the logrotate time for apache. Then you would
have to reenter the password only once a week or one a month.
Imagine creating a service, that passes the password to the apache
process. There is no secure way to assure that the apache process and
not another process accesses the password.
What attack scenarios did you want to mitigate in the first place?
Kind regards
CorneliusAm Mittwoch, den 09.12.2015, 03:57 -0800 schrieb Sherif Nagy:
Okay, it seems that the logrotate profile for apache2 is the reason,
it rotates the logs everyday and then it reloads Apache server and
that clears the key from the memory I guess… any work around ?
Sherif
On Wednesday, December 9, 2015 at 11:46:45 AM UTC, Sherif Nagy wrote:
after a bit of deep investigation, it seems that Debian
includes a daily Cron that clear the apache2 cache, will check
it, try again and keep you updated.
Sherif
On Wednesday, December 9, 2015 at 11:35:49 AM UTC, Sherif Nagy wrote:
Hello,
I managed to protect the enckey with the
securitymodule and it works fine, I restart apache,
the status if false, I type my admin password, then
the password for the key, the status is true and
everything works fine. However after few hours, I
logged in as admin into the system and I was not able
to retrieve the user "LDAP" data and the logs shows:
[ERROR][privacyidea.lib.token:387] User information
can not be retrieved: ERR707: hsm not ready!
and I have to decrypt the key again. Not sure what
causes this.
Regards,
Sherif
–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/5d8d081b-0725-4850-8df8-7d01c9e8e822%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
signature.asc (836 Bytes)