| author | Gary Lockyer <gary@catalyst.net.nz> | 2017-12-15 07:21:10 +1300 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2017-12-18 00:10:16 +0100 |
| commit | 1d3ae2d92f40567910303205da090fc86c7351b8 (patch) | |
| tree | 0f140e4c738800c2b25711f20baf97f3a9a95afa /source4/selftest | |
| parent | b29ab3a0c16b2f1abed89b41c92c446e8fe59f9b (diff) | |
| download | samba-1d3ae2d92f40567910303205da090fc86c7351b8.tar.gz | |
dsdb encrypted secrets module
Encrypt the samba secret attributes on disk. This is intended to
mitigate the inadvertent disclosure of the sam.ldb file, and to mitigate
memory read attacks.
Currently the key file is stored in the same directory as sam.ldb but
this could be changed at a later date to use an HSM or similar mechanism
to protect the key.
Data is encrypted with AES 128 GCM. The encryption uses gnutls where
available and if it supports AES 128 GCM AEAD modes, otherwise nettle is
used.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
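The commit message above describes encrypting secret attribute values with AES-128-GCM under a key kept in a file beside sam.ldb. The following is an added illustration, not Samba's code (the module itself is C using gnutls or nettle): it shows the AEAD step with Go's standard library, where the 16 key bytes stand in for the key file's contents, and binding the attribute name as associated data is this example's own design choice, not something the commit states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds an AES-128-GCM AEAD from a raw 16-byte key (the key file
// stored beside sam.ldb would supply these bytes).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 16 {
		return nil, errors.New("AES-128 needs a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptSecret seals one attribute value as nonce||ciphertext||tag. The
// attribute name is bound as associated data so a blob cannot be moved to
// another attribute undetected (this example's choice, not Samba's format).
func encryptSecret(key []byte, attr string, value []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, fresh per value
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, value, []byte(attr)), nil
}

// decryptSecret returns an error, never plaintext, if the nonce, ciphertext,
// tag or attribute name differs from what encryptSecret produced.
func decryptSecret(key []byte, attr string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(attr))
}
```

A reader of a disclosed database copy without the key file gets only nonce, ciphertext and tag, and any edit to the stored blob is rejected on decryption rather than silently yielding a wrong secret.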
Diffstat (limited to 'source4/selftest')
-rwxr-xr-x | source4/selftest/tests.py | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 1c5714d8a7f..0a0bc931908 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -1008,3 +1008,5 @@ for env in ["ad_dc_ntvfs", "ad_dc", "fl2000dc", "fl2003dc", "fl2008r2dc", 'vampi # plantestsuite("samba4.dsdb.samdb.ldb_modules.unique_object_sids" , "none", [os.path.join(bindir(), "test_unique_object_sids")]) +plantestsuite("samba4.dsdb.samdb.ldb_modules.encrypted_secrets", "none", + [os.path.join(bindir(), "test_encrypted_secrets")]) |
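Review bot: the new plantestsuite entry registers test_encrypted_secrets in environment "none", the same as the unique_object_sids suite just above it, so the test binary must not depend on a provisioned DC or on an existing sam.ldb and key file; confirm that test_encrypted_secrets sets up its own temporary ldb and key material, since this diffstat (limited to source4/selftest) shows neither the test source nor the build rule that places test_encrypted_secrets under bindir(), and a missing binary would surface only as a failing plan at selftest time.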