On Mon, Aug 09, 2021 at 11:48:11AM +0100, lejeczek wrote:
> Hi guys.
>
> On a remote & "shared" systems - are private secrets
> completely 100% safe? Can root get to those?
> (naturally excluding hacking of unknown bugs & exploits and
> theories such as "no computer system is ultimately safe")
>

Well, the secret needs to be kept somewhere. The most secure you can
get with secrets is the ephemeral ones, but those still need to be kept
in memory. You could encrypt them, but then you would need to provide
the decryption passphrase or key when you want to use them and that
would be like providing the secret itself anyway. Even though there
are some limitations to unlimited memory access in Linux, when someone
has root access you have to assume they have access to what the system
has access to.

The best you can do to mitigate that is using something like Intel SGX,
AMD SEV and such like. There is Launch Security [0] in libvirt, but I
think it only supports SEV and something on s390. But I do not have any
experience with those.

[0] https://libvirt.org/formatdomain.html#id113

> And if answer is yes then - do you have any best practices
> for storing & managing of those secrets?
>
> many thanks, L.
>
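As an added illustration of the Launch Security feature mentioned above (example configuration, not part of the thread or of libvirt's own documentation), this is the shape of a libvirt domain XML fragment that asks for an AMD SEV guest. The guest name, disk path and OVMF loader path are assumptions; `cbitpos` and `reducedPhysBits` are host-specific values that must be read from the `<sev>` element of `virsh domcapabilities` on the actual host rather than copied from here.

```xml
<domain type='kvm'>
  <name>sev-guest</name>  <!-- constructed example name -->
  <memory unit='GiB'>2</memory>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
    <!-- SEV needs an OVMF build with SEV support; this path is an assumption -->
    <loader readonly='yes' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.fd</loader>
  </os>
  <launchSecurity type='sev'>
    <!-- Host-specific: take both values from `virsh domcapabilities`
         (<sev><cbitpos/> and <sev><reducedPhysBits/>) on the target host. -->
    <cbitpos>47</cbitpos>
    <reducedPhysBits>1</reducedPhysBits>
    <!-- SEV guest policy bitmask. 0x0003 sets bit 0 (NODBG: the hypervisor may
         not decrypt guest memory through the SEV debug interface) and bit 1
         (NOKS: the guest's memory encryption key may not be shared with
         another guest). This is the setting that keeps a root user on the
         host from simply reading guest memory. -->
    <policy>0x0003</policy>
  </launchSecurity>
  <devices>
    <!-- virtio devices in an SEV guest need iommu='on' so that DMA goes
         through unencrypted bounce buffers instead of encrypted guest pages. -->
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' iommu='on'/>
      <source file='/var/lib/libvirt/images/sev-guest.qcow2'/>  <!-- assumed path -->
      <target dev='vda' bus='virtio'/>
    </disk>
    <interface type='network'>
      <source network='default'/>
      <model type='virtio'/>
      <driver iommu='on'/>
    </interface>
  </devices>
</domain>
```

Before defining such a domain, check that `virsh domcapabilities` reports `<sev supported='yes'>`; if it reports `supported='no'`, the host firmware, kernel or QEMU lacks SEV support and the `launchSecurity` element will be rejected. Note what the policy does and does not cover: it stops the host from reading guest RAM, but any secret the guest hands back to the host (for example a passphrase passed through libvirt itself) is outside that protection, which is the distinction Martin draws above.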
On 16/08/2021 10:32, Martin Kletzander wrote:
> On Mon, Aug 09, 2021 at 11:48:11AM +0100, lejeczek wrote:
>> Hi guys.
>>
>> On a remote & "shared" systems - are private secrets
>> completely 100% safe? Can root get to those?
>> (naturally excluding hacking of unknown bugs & exploits and
>> theories such as "no computer system is ultimately safe")
>>
>
> Well, the secret needs to be kept somewhere. The most secure you can
> get with secrets is the ephemeral ones, but those still need to be kept
> in memory. You could encrypt them, but then you would need to provide
> the decryption passphrase or key when you want to use them and that
> would be like providing the secret itself anyway. Even though there
> are some limitations to unlimited memory access in Linux, when someone
> has root access you have to assume they have access to what the system
> has access to.
>

yes, my bad I was not clear on that - yes private & ephemeral.
Those 'secrets' virsh says cannot "get" back to me, even to me root,
so that's good.
So here, I wonder, if there is a technique which a malicious root
could use to get to a secret.

> The best you can do to mitigate that is using something like Intel SGX,
> AMD SEV and such like. There is Launch Security [0] in libvirt, but I
> think it only supports SEV and something on s390. But I do not have any
> experience with those.
>
> [0] https://libvirt.org/formatdomain.html#id113
>

"Launch Security" - I was not even aware of. Busy with admin stuff and
not checking changelogs, bad me again. Thanks for that.

>> And if answer is yes then - do you have any best practices
>> for storing & managing of those secrets?
>>
>> many thanks, L.
>>
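The "private & ephemeral" secrets referred to in the message above are libvirt secret objects. As an added example (constructed here, not taken from the thread), the two definitions below show the same secret with and without those flags; the description, usage type and disk path are assumptions, and each `<secret>` element would go in its own file.

```xml
<!-- weak.xml: persisted to disk by libvirtd and readable back by any
     client allowed to talk to libvirtd, via `virsh secret-get-value UUID`. -->
<secret ephemeral='no' private='no'>
  <description>LUKS passphrase for vm1 disk (constructed example)</description>
  <usage type='volume'>
    <volume>/var/lib/libvirt/images/vm1.qcow2</volume>  <!-- assumed path -->
  </usage>
</secret>

<!-- private.xml: the definition asked about in the thread.
     private='yes'   libvirt refuses to hand the value back to any client,
                     so `virsh secret-get-value` fails even for root.
     ephemeral='yes' the value is kept only in libvirtd's memory and is
                     gone after a libvirtd restart (it must be set again).
     Neither flag changes the point made earlier: root on the host can still
     read libvirtd's or QEMU's process memory, where the value must exist
     while it is in use. -->
<secret ephemeral='yes' private='yes'>
  <description>LUKS passphrase for vm1 disk (constructed example)</description>
  <usage type='volume'>
    <volume>/var/lib/libvirt/images/vm1.qcow2</volume>  <!-- assumed path -->
  </usage>
</secret>
```

The value itself is never put in the XML; it is loaded separately after `virsh secret-define private.xml` with `virsh secret-set-value --secret UUID --base64 ...` (or, on newer libvirt, read from a file or interactively). For the private variant, the only way the value leaves libvirtd is into the QEMU process that needs it, which is why the remaining exposure is host memory access rather than the libvirt API.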
On 16/08/2021 10:32, Martin Kletzander wrote:
> On Mon, Aug 09, 2021 at 11:48:11AM +0100, lejeczek wrote:
>> Hi guys.
>>
>> On a remote & "shared" systems - are private secrets
>> completely 100% safe? Can root get to those?
>> (naturally excluding hacking of unknown bugs & exploits and
>> theories such as "no computer system is ultimately safe")
>>
>
> Well, the secret needs to be kept somewhere. The most secure you can
> get with secrets is the ephemeral ones, but those still need to be kept
> in memory. You could encrypt them, but then you would need to provide
> the decryption passphrase or key when you want to use them and that
> would be like providing the secret itself anyway. Even though there
> are some limitations to unlimited memory access in Linux, when someone
> has root access you have to assume they have access to what the system
> has access to.
>
> The best you can do to mitigate that is using something like Intel SGX,
> AMD SEV and such like. There is Launch Security [0] in libvirt, but I
> think it only supports SEV and something on s390. But I do not have any
> experience with those.
>
> [0] https://libvirt.org/formatdomain.html#id113
>

Last one - would by any chance you/Redhat have a schedule for Libvirt
with SEV to go into RHELs/CentOS Stream? I know one can get that
via/from oVirt repos, but that for me would not work.

thanks, L.

>> And if answer is yes then - do you have any best practices
>> for storing & managing of those secrets?
>>
>> many thanks, L.
>>