Safely Stored

Passwords need to be long, contain as many characters as possible, and use special characters and numbers. If you do this, then your password is secure, but unfortunately very hard to remember. Consequently, there are a variety of tools that let you deposit hard-to-remember passwords in a type of safe. The safe in turn is protected by a master password, and the passwords it contains are only released if you enter the password correctly. However, the user is then usually given access to the complete inventory of the safe. In the open source world, the KeePass [1] tool is a well-known candidate for this job.

Key Recovery Agent

Key Recovery Agents (KRAs) offer a different type of password safe. They are often part of a larger identity management solution, offering both users and services different forms of password safes – known as password vaults [2]. These are then available not only locally on a client, but throughout the network. The idea is that lost private user keys can be restored, since a copy is deposited in the password safe.

Version 4.2 or newer of the FreeIPA Identity Management framework also features password vaults, where you can store all sorts of data safely. When the data are stored, they are encrypted with a session key. If necessary, this is encoded with another symmetric or asymmetric key. The result is a package consisting of the actual secret (the data) and the keys used. Both together are encrypted again with the public key of the KRA instance and sent to the FreeIPA system, where the whole package is unpacked with the KRA instance's private key. The KRA instance thus gains access to the keys and the actual secret. The secret is again encoded with a storage key, before it is finally deposited on the LDAP back end. An escrow officer can gain access to a safe so that decryption of the data is still possible even if the owner no longer knows the password for accessing the safe.

Architecture

For this KRA function, FreeIPA uses a subsystem of the built-in Dogtag Certificate System. The system is known as the Data Recovery Manager (DRM) and can be installed in addition to the actual FreeIPA setup:

# dnf install ipa-kra-install

Three types of safes are available:

• The Standard Vault only encrypts data with a random session key.
• The Symmetric Vault encrypts the data once again with an arbitrary password; this is the default safe.
• The Asymmetric Vault uses an additional public key, on top of the session key, to encrypt the data; the matching private key is required to decrypt.

These three safe types can be used in three different containers. In their user container, each user can create any number of safes to store data safely. Safes are visible only to that user. Administrators can create shared containers. Since services also work with private data, these are assigned their own service containers where they can store encrypted data. Access to the service containers is then possible after successful authentication of a service – for example using a Kerberos ticket.

Creating Safes

To use a safe, a user just has to authenticate once before creating a safe:

# kinit tscherf
Password for tscherf@EXAMPLE.COM:
# ipa vault-add company-cc --desc "My company's credit card data" --type symmetric

The first safe has now been created. To store data in it, you can pass in a file to the tool:

# ipa vault-archive company-cc --in ~/company-cc.txt

To retrieve the data, just reverse the process:

# ipa vault-retrieve company-cc --out ~/company-cc.txt

If necessary, several safes can be created in the same container, which users can then view using ipa vault-find.