Let me thank you for the information! Really interesting to read about the security aspects of CloudStack!
On Mon, 1 Mar 2021 at 13:33, Andrija Panic <andrija.pa...@gmail.com> wrote:

> /etc/cloudstack/management/key (the file-based approach) contains a "password" that is used to DECRYPT (every time mgmt server boots) the value of the "db.cloud.encrypt.secret" from the db.properties file - and then this decrypted value (kept in memory) is used to decrypt other various values from the DB.
> The one-time-ever-encryption of "db.cloud.encrypt.secret" raw value, obviously, happens when you run the cloudstack-setup-databases cloud:<cloud db password>@<cloud db host> -i <management server IP address> -m <mgmt-key> -k <database-encryption-key> command (it's encrypted using the value of the "key" file)
>
> I haven't played with a web-based solution, nor have I seen anyone using this approach - either way, whoever logs into the mgmt server (e.g. an intruder) will be reading the "key" (or web-based value) and then use it further - so no need to complicate with a web-based approach, I guess.
>
> An interesting thing to know - is how to decrypt one using the other (useful during i.e. parallel upgrades etc):
>
> java -classpath /usr/share/cloudstack-common/lib/jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringDecryptionCLI decrypt.sh input=<db.cloud.encrypt.secret-value> password=<management-key-value> verbose=true
>
> The same way you can use <db.cloud.encrypt.secret-value> to decrypt some values from the DB (not that you will probably need it any time soon...)
>
> Best,
>
>
> On Sun, 28 Feb 2021 at 02:36, Christopher Brown <vas...@gmx.de> wrote:
>
> > Hello everyone,
> >
> > I am currently making my first steps with cloudstack and therefore stumble into some problems and understanding issues.
> > My first topic is regarding the usage of the Management Server secret key.
> >
> > As in the official installation guide, this key is provided for en- and decryption of the database key. So this should take place every time the server / the service is started. However I am facing some trouble in how the key is passed from the administrator to the system.
> >
> > One way of providing the key is via the parameter file and then with a file containing the password in plain text.
> > Which can be dealt with.
> > However the "web" option gives me some headache. When and how is the administrator going to give the password to the system?
> > I was looking through the guides and google, but sadly I didn't find a proper explanation.
> > Maybe someone can give me some glimpse or referral to additional sources?
> >
> > With kind regards,
> > Christopher Brown
> >
>
> --
> Andrija Panić
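The thread above makes two points a defender can check mechanically: whoever can read /etc/cloudstack/management/key can decrypt db.cloud.encrypt.secret and, through it, the encrypted values in the database, so the key file should be readable by its owner only; and db.cloud.encrypt.secret should be stored in db.properties in its encrypted form, never as the raw value. The following audit script is an added example written for this page, not code from the thread or from the CloudStack project. It assumes the key file path named in the thread, assumes db.properties lives at /etc/cloudstack/management/db.properties (the usual package layout), and assumes the Jasypt ENC(...) wrapper convention for encrypted property values; all three are overridable or labelled in the code.

```shell
#!/bin/sh
# Added example (not from the thread): audit the CloudStack management-server
# key file and db.properties for the two properties the thread relies on.
#  1. The key file must not be readable beyond its owner: anyone who can read
#     it can decrypt db.cloud.encrypt.secret and then the values in the DB.
#  2. db.cloud.encrypt.secret must be stored as ENC(...), not as the raw value.
# KEY_FILE is the path named in the thread; DB_PROPS and the ENC(...) wrapper
# are assumptions about the standard layout and the Jasypt property format.

KEY_FILE="${KEY_FILE:-/etc/cloudstack/management/key}"
DB_PROPS="${DB_PROPS:-/etc/cloudstack/management/db.properties}"

# Print the octal mode of a file; tries GNU stat, then BSD stat.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Return 0 when the file exists and has no group/other permission bits set.
check_key_file() {
  f="$1"
  [ -f "$f" ] || { echo "MISSING: $f"; return 1; }
  mode=$(file_mode "$f")
  [ -n "$mode" ] || { echo "ERROR: cannot stat $f"; return 2; }
  # Normalise to the last three octal digits (drops setuid/setgid/sticky).
  mode=$(printf '000%s' "$mode" | tail -c 3)
  group_other=$(printf '%s' "$mode" | cut -c2-3)
  if [ "$group_other" != "00" ]; then
    echo "WEAK: $f mode $mode is readable beyond its owner"
    return 1
  fi
  echo "OK: $f mode $mode"
  return 0
}

# Return 0 when db.cloud.encrypt.secret is present and wrapped as ENC(...).
check_db_secret() {
  f="$1"
  [ -f "$f" ] || { echo "MISSING: $f"; return 1; }
  line=$(grep '^db\.cloud\.encrypt\.secret=' "$f" | head -n 1)
  case "$line" in
    "")
      echo "MISSING: db.cloud.encrypt.secret not set in $f"; return 1 ;;
    *"=ENC("*")")
      echo "OK: db.cloud.encrypt.secret is stored encrypted"; return 0 ;;
    *)
      echo "WEAK: db.cloud.encrypt.secret is stored in plaintext in $f"; return 1 ;;
  esac
}

# Run both checks against the real paths only when asked (CS_AUDIT=1), so the
# functions can also be sourced and exercised against test files.
if [ "${CS_AUDIT:-0}" = "1" ]; then
  status=0
  check_key_file "$KEY_FILE" || status=1
  check_db_secret "$DB_PROPS" || status=1
  exit "$status"
fi
```

Run it on a management server with `CS_AUDIT=1 sh audit.sh`; a non-zero exit means one of the two properties does not hold. The mode check deliberately ignores the owner, since the service account that reads the key varies between packagings; what matters for the point made in the thread is that no other account on the host can read it.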