0

I was reading question 180243 which states that using a password vault is the best option for credential storage. However this is rather cumbersome to setup. For a lower security use case (so no PII access or anything really damaging, the credentials are for a system user with limited access), would this be a reasonable security model?

  1. systemd starts a "keyloader" process as root. It reads secrets from a file only root can access and loads them into a keyring with linux-keyutils. It changes the owner of the secrets in the keyring to a service user (we will call "webserver"), then exits
  2. After it exits, systemd starts the webserver process as the webserver user. It retrieves the credentials from the keyring, then deletes them from the keyring after retrieval. It is a long running process. No other processes run as the "webserver" user.

My understanding is that this only has four points of exposure that result in the attacker getting credentials from this server:

  1. The attacker has root access (I am in trouble anyway in this scenario)
  2. The attacker finds a remote code execution vulnerability that specifically applies to the webserver process and retrieves credentials from program memory.
  3. The attacker somehow gets remote code execution as the webserver user at boot and catches the key from keyutils before the webserver process deletes it.
  4. The attacker has physical access (its in a locked room in this context).

Are there exposure points (barring outside factors like the hacker breaking into the server the credentials are used to authenticate with) I am overlooking?

Are there steps I could take to make this model more secure without an unreasonable level of effort on making the implementation?

Improve this question
1
  • 1
    credentials for what? Usually the OS would have it's own secure way of dealing with user credentials. Code doesn't have to have any access to credentials to be run as a specific user/account.
    – browsermator
    CommentedJan 16 at 22:36

1 Answer 1

Reset to default
1

Pretty much the whole point of the kernel keyrings is to avoid keeping the keys in user space longer than necessary, so permanently moving them from the keyring to the webserver process doesn't make much sense. If the webserver has any vulnerability (not necessarily RCE), there's a risk it leaks data from memory – like the keys.

A better approach is to really use the kernel keyring for credentials and not just as some kind of transport mechanism. If you want to automatically load the keys into the keyring when the webserver is first started, this is a separate issue. If you have a TPM on your mainboard or a CPU with firmware TPM (fTPM) support, you can, for example, use Trusted Keys. The keys are encrypted with a persistent TPM key and can then be safely stored as ciphertext on disk. When the webserver is started, it can load the key from the file.

Improve this answer
5
  • I see, my approach really doesn't offer a notable advantage over putting the credentials in the binary since they both have the same problem of keeping the secrets in userspace? I see TPMs referenced a lot as the goto for this sorta thing. However, what stops a different program from fetching it from the TPM? I am not super familiar with how they actually operate.
    – Raven King
    CommentedFeb 4 at 22:41
  • @RavenKing: Userspace programs never see the plaintext key. They can only read the encrypted key on disk and load the key back into kernel space. The kernel then manages which users/groups can use the key (but never exposes the key itself).
    – Ja1024
    CommentedFeb 5 at 1:05
  • I see. Doesn't it get decrypted at some point in order to actually use it though? Does this decrypted version get used outside of userspace in this scenario?
    – Raven King
    CommentedFeb 6 at 7:27
  • @RavenKing: It depends. Cryptographic operations can be performed entirely in the kernel using the Kernel Crypto API. Then there's no reason to ever expose the key to userspace. But if you want to perform the operations in your program, then of course you do have to at least temporarily load the keys from kernel to userspace memory. In this case, the kernel keyring can still ensure that only specific users/groups have access based on the key permissions
    – Ja1024
    CommentedFeb 6 at 8:53
  • Thanks, I will look in that direction of keeping it out of userspace entirely.
    – Raven King
    CommentedFeb 7 at 18:23

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.