[keycloak-dev] Storage protection

Bill Burke bburke at redhat.com
Mon Jan 27 11:59:03 EST 2014 


On 1/27/2014 11:47 AM, Bruno Oliveira wrote:
> Hi Bill, some answers inline. I forgot to add references.
>
> --
> abstractj
>
> On January 27, 2014 at 1:53:39 PM, Bill Burke (bburke at redhat.com) wrote:
>>> More comments inline responding to Bruno's email:
>>
>>>> # 1
>>>> - HSM or Java Security manager are perfect, but impractical
>> for regular devs, that would require a lot of maintanance (a dream)
>>>>
>>
>> What is HSM? How could the Java Security Manager protect clear
>
> http://en.wikipedia.org/wiki/Hardware_security_module
>
>> text
>> private keys and OTP keys?
>
> With Java Security Manager is possible to restrict code privileges to the resource specified (https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/chap-Java_EE_Security_Manager.html).
>

For the security manager, this is a compliment to other storage 
protection mechanisms and not a replacement, correct?

>>
>>
>>>> # 2
>>>> - Entering a password for a PKCS#8/PBKDF2-derived key, also
>> impractical assuming that someone would be required to enter
>> the password at each app startup
>>>>
>>>> # 3
>>>>
>>>> - Not bullet-proof solution, but store the key into a text file
>> that only sysadmins and the web server has access, doing our best
>> with the usage of ACLs provided by environment. I understand
>> Bill's concern (http://lists.jboss.org/pipermail/keycloak-dev/2014-January/001089.html)
>> but at the same time, a file could have a very restricted access
>> while the database is more acessible to developers.
>>>> -
>>
>>
>> Stian suggested having an SPI for this sort of feature. Either
>> a
>> password would be required at Keycloak server startup, or the
>> password
>> would be stored in a property file.
>
> Is not the same thing, but do you mean something like Maven does? (http://maven.apache.org/guides/mini/guide-encryption.html). Maybe a “master password” and have some sorta of keychain? For example:
>

Each realm needs it's own key-pair.

> 1. Master password generates the symmetric key
> 2. Encrypt the key pairs
> 3. Decrypt the key pairs on the fly for digital signatures for example.
>
> That’s what do you mean?
>

There would be a master password (or key) that is used to encrypt clear 
text items in the database.  password would be entered from command line 
at startup, or grabbed from a secure property file.

I think that's the approach we should take.  Unless you can argue for a 
better solution?

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

More information about the keycloak-dev mailing list