From Fedora Project Wiki
No edit summary
Line 89: Line 89:
=== IPA configuration ===
=== IPA configuration ===


An additional attribute in <code>ipaGuiConfig</code>:
Additional attributes in <code>ipaGuiConfig</code>:


  attributeType ( TBD
  attributeType ( TBD
Line 103: Line 103:


'''Todo:''' Make sure this limitation of automatic packet obsolescence is described in user documentation.
'''Todo:''' Make sure this limitation of automatic packet obsolescence is described in user documentation.
FIXME: current encryption certificate
FIXME: separate LDAP/KRB identity for the "save escrow packet" operation.


=== Questions ===
=== Questions ===


* What ACIs protect <code>ipaVolumeKey</code> entries?  What other access controls are enforced by IPA (apart from the necessity to known the master key passphrase?)  Perhaps a <code>cn=decryptescrowpacket,cn=taskgroups,cn=accounts,dc=...</code> group?
* What ACIs protect <code>ipaVolumeKey</code> entries?  What other access controls are enforced by IPA (apart from the necessity to known the master key passphrase?)  Perhaps a <code>cn=decryptescrowpacket,cn=taskgroups,cn=accounts,dc=...</code> group?
== Use case handling ==
(In all cases, the web interface should provide equivalent functionality to the command-line <code>ipa</code> interface.)
=== Get master key certificate ===
Executed by system administrators to retrieve the master key certificate used for encrypting escrow packets.  The master key certificate itself, or the process of retreiving the certificate, is becomes a component of the escrow process.
* The system administrator uses the <code>ipa</code> command-line client to retrieve the certificate, e.g.:
ipa volume_key-current_cert > master.pem
* The command-line client simply retrieves the current value of the FIXME attribute.  No authentication is necessary.
=== Send a packet to the server ===
Executed automatically as a part of IPA enrollment, or manually (by a site administrator, or by a local user).  The system administrator's command could be e.g.
ipa volume_key-store volume [--create-random-passphrase] [--obsolete-older] [escrow_packet...]
* The client uses <code>libvolume_key</code> to retrieve volume properties, and if no escrow_packet is specified, it creates an escrow packet (for the "default" secret, usually a data encryption key).  If <code>--create-random-passphrase</code> is specified, it sets up an additional random passphrase and created an additional escrow packet for it.
* For each packet (either speicified on the command line, or created so far), the client uses XMLRPC with GSSAPI to connect to the IPA server, sending the volume attributes, the packet, and a flag corresponding to the "--obsolete-older" option.  It uses either the current Kerberos identity of the user, or the machine identity (FIXME: do we need an option to use the machine identity even if the user has a TGT?).
* The server checks the identity of the client: if it is an user identity, it uses the Kerberos identity for LDAP authentication.  If it is a machine identity, it uses a FIXME Kerberos identity for LDAP authentication.
* (The server may limit the number of saved packets, perhaps to 100 or 1000 per host, and refuse adding any more (logging the failure).)
* The server extracts host name from host properties, converts it into a DN for the host.  If the client was authenticated with a machine identity, the server verifies the DN matches the authenticated identity.
* The server creates an ipaVolumeKey LDAP entry.
* If the "obsolete older" flag was specified, the server searches for other packets for the same host DN that do not have an <code>ipaVolumeKeyObsoletionTimestamp</code>, and checks if the volume identification for the new packet matches any of the other packets (probably matching mainly on the volume UUID, but the specifics can be dependent on the volume format).  If it finds any matches, it sets the <code>ipaVolumeKeyObsoletionTimestamp</code> for the obsoleted timestamps to current date.
FIXME: can this be in Python?
=== List packets ===
Executed by a system administrator when recovery is necessary, to choose which packet to recover.  In an interactive environment (e.g. WWW) the "list packets" and "recover a specific packet" operations can be combined.
* The client runs e.g.
ipa volume_key-list [--include-obsolete] hostname
* The client plugin converts hostname into a host DN, and uses it to search for matching <code>ipaVolumeKey</code> LDAP entries.  The search filter matches the host DN, and, unless <code>--include-obsolete</code> is specified, matches absence of the <code>ipaVolumeKeyObsoletionTimestamp</code> attribute.  The client loads all attributes except for <code>ipaVolumeEscrowPacket</code>.
* The client lists the packets, sorted by user-readable volume ID (e.g. the "<code>volume_path</code>" value of <code>ipaVolumeInfo</code>, other volume ID forms can be added later) and by creation time stamp, in that order.  For each packet it shows at least the UUID, volume ID and creation time stamp.  Options for other output formats and different orderings can be added.

Revision as of 16:58, 2 June 2009

Data in LDAP

Escrow packet storage

Stored in ipaUniqueID=..., cn=volume_keys, dc=.... The following information is stored per each packet:

Attribute Meaning and use Comment
Packet ID ipaUniqueID used in the DN dm-crypt volumes do not carry any identifier for distinguishing even between two volumes on a host
Escrow packet A blob containing the encrypted "secret" Size probably 1000–1500 bytes
Host reference Host this packet applies to
"Secret" type Purpose of the packet: data encryption key / passphrase / other
Volume identification Multi-valued: properties of the volume that can be used to identify the correct packet
Packet filing time Time when this packet was sent to the server Provided by the directory server automatically in creationTimestamp
Obsoletion time If this packet stores an obsolete secret, time when the server was notified about it Used for automatic deletion of old secrets

Details: 

attributeType ( TBD
       NAME 'ipaVolumeEscrowPacket' 
       DESC 'An encrypted packet containing a secret used for encrypting the volume'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.5   # Binary
       SINGLE-VALUE
       X-ORIGIN 'IPA v2' )

attributeType ( TBD
       NAME 'ipaVolumeHost'
       DESC 'Link to the host that contains this volume' SUP memberHost
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.12   # DN
       X-ORIGIN 'IPA v2' )

attributeType ( TBD
       NAME 'ipaVolumeKeySecretType' 
       DESC 'Type of the secret defined in this packet'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15   # DirectoryString
       SINGLE-VALUE
       X-ORIGIN 'IPA v2' )

Defined values: "data encryption key" and "passphrase", more can be added in the future. This corresponds to LIBVK_SECRET_* in libvolume_key.h. 

attributeType ( TBD
       NAME 'ipaVolumeInfo' 
       DESC 'Information about a volume: NAME:VALUE'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.40   # OctetString
       X-ORIGIN 'IPA v2' )

A multi-valued attribute, stores information about the volume that allows the user to select which escrow packet to use. Each value is a NAME:VALUE string, with NAME consisting of characters in [a-zA-z0-9_/]. The expected values include the LIBVKP_VP_IDENTIFICATION properties of the volume reported by libvk_volume_dump_properties, e.g.

Name Value
hostname Host name, as known on the computer
volume_format Volume format, corresponds to LIBVK_VOLUME_FORMAT_* in libvolume_key.h
volume_uuid Volume UUID, using a volume format-specific syntax
volume_label Volume label
volume_path Path to a block special file representing the device on the specified host. The path is not necessarily "canonical". There might be more than one attribute value with this NAME.
luks/passphrase_slot An integer identifying the LUKS slot a passphrase is valid for 
attributeType ( TBD
       NAME 'ipaVolumeKeyObsoletionTimestamp' 
       DESC 'Time when a key was marked as obsolete'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.24   # GeneralizedTime
       SINGLE-VALUE
       X-ORIGIN 'IPA v2' )

objectClass ( TBD
      NAME 'ipaVolumeKey' 
      SUP top STRUCTURAL
      MUST ( ipaUniqueID $ ipaVolumeHost $ ipaVolumeEscrowPacket )
      MAY ( ipaVolumeKeySecretType $ ipaVolumeInfo $ ipaVolumeKeyObsoletionTimestamp ) 
      X-ORIGIN 'IPAv2>' )

Suggested indices:

  • An equality index on ipaVolumeHost, used to find packets related to a single host. This is sufficient for listing all relevant packets. It should also be sufficient when searching for a specific packet, there will be at most 10 packets per host in the usual case.
  • A presence index on ipaVolumeKeyObsoletionTimestamp, used to identify obsolete keys that should be deleted. Ideally this should be a "b-tree index" (to allow searching for all obsolete packets), but that is not supported by the directory server.

IPA configuration

Additional attributes in ipaGuiConfig: 

attributeType ( TBD
       NAME 'ipaObsoleteEscrowPacketLifetime' 
       DESC 'Number of days before an obsolete escrow packet is deleted (if a newer packet for the same volume is available)'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27   # Integer
       SINGLE-VALUE
       X-ORIGIN 'IPA v2' )

Escrow packets with ipaVolumeKeyObsoletionTimestamp older than ipaObsoleteEscrowPacketLifetime are automatically deleted.

Note: This applies only to packets that were recognized by the IPA server as obsoleted by a newer packet. Obsoleted packets will be recognized by volume UUID (or perhaps other volume attribute that is sufficiently unique), which may not be available for all volume formats. If a volume format does not support reliable recognition of obsolete packets, the IPA server will never automatically mark a packet obsolete, and ipaObsoleteEscrowPacketLifetime will only affect packets that were manually marked obsolete by an administrator.

Todo: Make sure this limitation of automatic packet obsolescence is described in user documentation.

FIXME: current encryption certificate

FIXME: separate LDAP/KRB identity for the "save escrow packet" operation.

Questions

  • What ACIs protect ipaVolumeKey entries? What other access controls are enforced by IPA (apart from the necessity to known the master key passphrase?) Perhaps a cn=decryptescrowpacket,cn=taskgroups,cn=accounts,dc=... group?

Use case handling

(In all cases, the web interface should provide equivalent functionality to the command-line ipa interface.)

Get master key certificate

Executed by system administrators to retrieve the master key certificate used for encrypting escrow packets. The master key certificate itself, or the process of retreiving the certificate, is becomes a component of the escrow process.

  • The system administrator uses the ipa command-line client to retrieve the certificate, e.g.:
ipa volume_key-current_cert > master.pem
  • The command-line client simply retrieves the current value of the FIXME attribute. No authentication is necessary.

Send a packet to the server

Executed automatically as a part of IPA enrollment, or manually (by a site administrator, or by a local user). The system administrator's command could be e.g. 

ipa volume_key-store volume [--create-random-passphrase] [--obsolete-older] [escrow_packet...]
  • The client uses libvolume_key to retrieve volume properties, and if no escrow_packet is specified, it creates an escrow packet (for the "default" secret, usually a data encryption key). If --create-random-passphrase is specified, it sets up an additional random passphrase and created an additional escrow packet for it.
  • For each packet (either speicified on the command line, or created so far), the client uses XMLRPC with GSSAPI to connect to the IPA server, sending the volume attributes, the packet, and a flag corresponding to the "--obsolete-older" option. It uses either the current Kerberos identity of the user, or the machine identity (FIXME: do we need an option to use the machine identity even if the user has a TGT?).
  • The server checks the identity of the client: if it is an user identity, it uses the Kerberos identity for LDAP authentication. If it is a machine identity, it uses a FIXME Kerberos identity for LDAP authentication.
  • (The server may limit the number of saved packets, perhaps to 100 or 1000 per host, and refuse adding any more (logging the failure).)
  • The server extracts host name from host properties, converts it into a DN for the host. If the client was authenticated with a machine identity, the server verifies the DN matches the authenticated identity.
  • The server creates an ipaVolumeKey LDAP entry.
  • If the "obsolete older" flag was specified, the server searches for other packets for the same host DN that do not have an ipaVolumeKeyObsoletionTimestamp, and checks if the volume identification for the new packet matches any of the other packets (probably matching mainly on the volume UUID, but the specifics can be dependent on the volume format). If it finds any matches, it sets the ipaVolumeKeyObsoletionTimestamp for the obsoleted timestamps to current date.

FIXME: can this be in Python?

List packets

Executed by a system administrator when recovery is necessary, to choose which packet to recover. In an interactive environment (e.g. WWW) the "list packets" and "recover a specific packet" operations can be combined.

  • The client runs e.g.
ipa volume_key-list [--include-obsolete] hostname
  • The client plugin converts hostname into a host DN, and uses it to search for matching ipaVolumeKey LDAP entries. The search filter matches the host DN, and, unless --include-obsolete is specified, matches absence of the ipaVolumeKeyObsoletionTimestamp attribute. The client loads all attributes except for ipaVolumeEscrowPacket.
  • The client lists the packets, sorted by user-readable volume ID (e.g. the "volume_path" value of ipaVolumeInfo, other volume ID forms can be added later) and by creation time stamp, in that order. For each packet it shows at least the UUID, volume ID and creation time stamp. Options for other output formats and different orderings can be added.
Retrieved from "https://fedoraproject.org/w/index.php?title=Disk_encryption_key_escrow_in_IPA&oldid=105709"