This whole thread contains a lot of really good information. Is this all
documented in a good way (preferrably with examples) somewhere? If so,
pointer please. If not, can it please be?

# Lars-Johan Liman, M.Sc.               !  E-mail: li...@netnod.se
# Senior Systems Specialist             !  Tel: +46 8 - 562 860 12
# Netnod Internet Exchange, Stockholm   !  http://www.netnod.se/

> On 3/14/2017 3:57 PM, Nico Williams wrote:
>> On Tue, Mar 14, 2017 at 03:54:36PM -0700, Adam Lewenberg wrote:
>>> If you use a master key and you back up all your files _except_ the master
>>> key to some remote location, wouldn't that suffice to protect the database
>>> in that remote location?
>> No.  The problem is that the master key is not used to bind principal
>> keys to principal records.  This means that a backup operator could give
>> you back a dump where a user's keys are pasted into the krbtgt
>> principal(s), and if you load this dump that user will now be able to
>> mint tickets for any service as any user.  (You might notice this
>> attack, but probably not in time to stop it.)
>> Nico

> I see.

> If I trust the backup operator (e.g., it's me), then it still might be
> useful as at the very least it makes it harder for anyone who runs
> across the database file to guess the passwords. On the other hand,
> encrypting the entire file before backup, as you suggest, accomplishes
> this _and_ removes the concern of getting back a compromised database.

> Thanks for the enlightenment.

> Adam Lewenberg

Reply via email to