Encrypt Server Passwords
-
I had a poke around on a fresh install of XO, as I wondered how hypervisor passwords are being stored, and can see they are just plaintext inside Redis, which isn't ideal.
Can see a thread about this already from a few years ago: https://xcp-ng.org/forum/topic/2866/exported-xen-orchestra-config-contains-plaintext-host-passwords-is-this-intentional/5
Are there any plans to introduce some form of encryption for these? Even if it's just a simple passphrase.
-
Hi,
As a reminder, xo-server needs to connect on start to all the pool masters. It's not a simple client to XAPI, it's a real server that needs to stay connected anytime to a XAPI (e.g. for backups), and even reconnect if connection is lost.
How would you store something with an encrypted password when there's nobody to unlock it? Also how would you ask a user to type a password to check against an encrypted record, since there's no user 24/7 when xo-server starts or restarts or reconnects to a pool master?
Sure, you can have and store a passphrase that will unlock the record, but the passphrase will also be stored directly in the DB, so I'm not sure it will make it more secure (instead of getting the password, you need the passphrase and the password, but since it's stored at the same place, what's the point?).
Finally, XO, via its default "implementation", XOA, is meant to be a protected appliance, with nothing else running in the OS, to reduce the attack surface. Not getting your XOA compromised is very important.
If you have a solution, I'm happy to know it.
-
@olivierlambert Just having a bit of an investigate and not sure if this is actually possible or if it is but there is a requirement for a TPM 2.0.
Assuming you only support Linux and there is a modern systemd, you can provide keys on process start (https://systemd.io/CREDENTIALS/); the SetCredentialEncrypted option looks like what could be used.
Honestly never tested any of this, and I'm running XO on xcp-ng 8.2 that doesn't support vTPMs yet.
-
So you can do
# Check you have a TPM 2.0, otherwise this isn't going to work
systemd-creds has-tpm2
# Create plaintext.txt that contains your strong password (single quotes so the shell leaves $, " and ! alone)
echo 'i]BM|yWq=7+-Be}n{9k=%26$O95V7"E$$G,+n&:!' > plaintext.txt
# Generate an encrypted credentials file called ciphertext.cred; the name we are using is XO-PassPhrase
systemd-creds --name=XO-PassPhrase encrypt plaintext.txt ciphertext.cred
# Add this to your service file in the [Service] section
LoadCredential=XO-PassPhrase:/path/where/you/stored/ciphertext.cred
# Start the service and the encrypted passphrase is stored in $CREDENTIALS_DIRECTORY/XO-PassPhrase; you can decrypt it in the process using
systemd-creds decrypt "$CREDENTIALS_DIRECTORY/XO-PassPhrase"
The downsides are: this is complex to set up; it needs modern Linux, so works on CentOS 9 but not 8; and if the process is running you can grab the passphrase as root by running this. (I was using creds-test as a service name to test this.)
systemd-creds decrypt /run/credentials/creds-test.service/XO-PassPhrase
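
A preflight check for the two requirements named in the post above (a systemd recent enough to ship systemd-creds, and a TPM 2.0), as an added example that is not part of the original thread or of Xen Orchestra. The function names, the version floor of 250 (the release that introduced systemd-creds), the /dev/tpmrm0 test and the optional ROOT argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a host for the systemd-creds approach.
# Assumption: systemd-creds first shipped in systemd 250, so anything older
# (e.g. the systemd 239 family on EL8) cannot use it at all.
MIN_SYSTEMD=250

# systemd_major VERSION_LINE
# Takes the first line of `systemctl --version`, e.g. "systemd 252 (252-32.el9)",
# and prints the major version. Prints nothing if the line cannot be parsed.
systemd_major() {
    printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p'
}

# creds_mode VERSION_LINE [ROOT]
# Prints one of:
#   unsupported    systemd too old or version unknown
#   tpm2           systemd-creds available and a TPM 2.0 resource manager exists
#   host-key-only  systemd-creds available but no TPM 2.0; encryption would rely
#                  on the host key kept on the same disk as the ciphertext
# ROOT is a hypothetical prefix used only so the check can be exercised
# against a constructed directory tree instead of the live /dev.
creds_mode() {
    major=$(systemd_major "$1")
    root=${2:-}
    if [ -z "$major" ] || [ "$major" -lt "$MIN_SYSTEMD" ]; then
        echo unsupported
    elif [ -e "$root/dev/tpmrm0" ]; then
        # /dev/tpmrm0 is only created by the kernel for TPM 2.0 chips.
        echo tpm2
    else
        echo host-key-only
    fi
}

# Stand-alone use on a real host: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    creds_mode "$(systemctl --version 2>/dev/null | head -n 1)"
fi
```

A result of host-key-only is the case discussed earlier in the thread: the secret that unlocks the credential sits on the same machine as the encrypted record.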
-
This doesn't sound viable on a virtual appliance we distribute around the world without any control over the destination hardware or even the XCP-ng version.
Maybe when 8.3 is out, after some years. But reducing (by a lot) the capacity to easily deploy an appliance is really not a great thing for us. Treat XOA as an appliance: it shouldn't be exposed outside and should be treated like any important appliance.