dsdb encrypted secrets module
author: Gary Lockyer <gary@catalyst.net.nz>
Thu, 14 Dec 2017 18:21:10 +0000 (07:21 +1300)
committer: Andrew Bartlett <abartlet@samba.org>
Sun, 17 Dec 2017 23:10:16 +0000 (00:10 +0100)
commit: 1d3ae2d92f40567910303205da090fc86c7351b8
tree: 0f140e4c738800c2b25711f20baf97f3a9a95afa
parent: b29ab3a0c16b2f1abed89b41c92c446e8fe59f9b
dsdb encrypted secrets module

Encrypt the Samba secret attributes on disk.  This is intended to
mitigate the inadvertent disclosure of the sam.ldb file, and to mitigate
memory read attacks.

Currently the key file is stored in the same directory as sam.ldb, but
this could be changed at a later date to use an HSM or similar mechanism
to protect the key.

Data is encrypted with AES 128 GCM. The encryption uses gnutls where
available and if it supports AES 128 GCM AEAD modes; otherwise nettle is
used.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
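An added illustration, written here in Go's standard library rather than taken from Samba's C module, of the scheme the message describes: a 16-byte AES-128 key read from the key file, AES-128-GCM with a fresh nonce per value, and the GCM tag turning any tampering into a decryption error. Using the attribute name as associated data is an assumption of this demo; the module's real on-disk layout is defined in drsblobs.idl and is not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds the AEAD from the 16-byte AES-128 key kept in the key file beside sam.ldb.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects any key length other than 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealSecret encrypts one attribute value as nonce||ciphertext||tag. Binding the attribute
// name as associated data is a demo assumption, not the module's format.
func SealSecret(key []byte, attr string, value []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per value: never reuse a nonce under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, value, []byte(attr)), nil
}

// OpenSecret decrypts a blob; any change to nonce, ciphertext, tag or attribute name fails the tag check.
func OpenSecret(key []byte, attr string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, fmt.Errorf("blob of %d bytes too short for nonce and tag", len(blob))
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(attr))
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key; a real one comes from the key file
	blob, _ := SealSecret(key, "unicodePwd", []byte("hunter2"))
	fmt.Println(OpenSecret(key, "unicodePwd", blob))
}
```

As the message itself notes, the key file currently sits beside sam.ldb, so a copy of the whole directory yields both; file permissions on the key, and the HSM option mentioned for later, are what keep this mitigation meaningful.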
librpc/idl/drsblobs.idl
source4/dsdb/samdb/ldb_modules/encrypted_secrets.c [new file with mode: 0644]
source4/dsdb/samdb/ldb_modules/tests/test_encrypted_secrets.c [new file with mode: 0644]
source4/dsdb/samdb/ldb_modules/wscript
source4/dsdb/samdb/ldb_modules/wscript_build
source4/dsdb/samdb/ldb_modules/wscript_build_server
source4/dsdb/samdb/samdb.h
source4/selftest/tests.py