Handling compromised encryption settings definitions
When an encryption settings definition is compromised, all data encrypted with that definition is vulnerable and you must stop using the definition immediately.
About this task
If an encryption settings definition is compromised, stop using that definition immediately. You must re-encrypt any data encrypted with the compromised definition using a new definition or purge that data from the server. To minimize the risk of data exposure, act quickly on all servers using this definition and act on one server at a time to avoid environment-wide downtime.
Before removing the compromised encryption settings definition, you should run the |
If you have a compromised encryption settings definition:
Steps
-
Create a new encryption settings definition and make it the preferred definition for new write operations.
-
Ensure that client traffic is routed away from the compromised server instance.
If the PingDirectory server is accessed through a PingDirectoryProxy server, then you can set the
health-check-state
configuration property for any LDAP external server definitions that reference that server tounavailable
. -
To ensure that external clients are not allowed to perform writes in the PingDirectory server, set the
writability-mode
global configuration property tointernal-only
. -
Look at the monitor entries with the
ds-replication-server-handler-monitor-entry
object class to ensure that the value of theupdate-sent
attribute is no longer increasing.This signals that all outstanding local changes are replicated to other servers.
-
Stop the PingDirectory server instance.
-
Delete the replication server database by removing all files in the
<server-root>/changeLogDb
directory.If all local changes have been replicated to other servers, this deletion does not result in any data loss in the replication environment.
-
Export the contents of all local DB and changelog backends to LDIF.
If you are using the AES256 scheme to store passwords in a reversibly encrypted form, and if any of those passwords are encrypted with the compromised encryption settings definition, you should use the
export-reversible-passwords
tool rather than theexport-ldif
tool to perform the LDIF export of the local DB backends. You can use theexport-reversible-passwords
tool to generate an LDIF file in which all reversibly encrypted passwords are exported in a decrypted form so that when they are re-imported, they are re-encrypted. -
Re-import the data from LDIF.
The data is now encrypted using the new preferred encryption settings definition.
-
Use the
encrypt-file --find-encrypted-files
command to find any files that are encrypted with the compromised definition, and useencrypt-file --re-encrypt
to re-encrypt them with the new definition. -
Export the compromised encryption settings definition from the encryption settings database.
As a precaution, this backs up the definition in case some remaining data was encrypted with that definition’s key.
-
To prevent the PingDirectory server from using the compromised definition, delete the definition from the encryption settings database.
-
Start the PingDirectory server instance.
-
Allow replication to update the server with any changes processed offline.
-
To re-allow externally-performed write operations, change the value of the global
writability-mode
configuration property toenable
. -
To allow client traffic to re-route to that server instance, reconfigure the environment.
For example, if you changed the value of the
health-check-state
property in step 2, change it back todynamically-determined
.