Unsolved
This post is more than 5 years old
3 Posts
0
2744
July 9th, 2007 09:00
AES Encryption is Not Secure
To anyone out there using AES encryption, here is some information you may or may not know:
When NetWorker backs up the Bootstrap, it does not encrypt it even if you have turned on AES encryption for the NetWorker server. This in itself isn't too bad except that the boostrap includes the AES Encryption Key!!! (from the Datazone Phass Phrase parameter).
So you can recover the bootstrap without knowing your encryption key which will in effect allow you to read any encrypted data as recovery of the bootstrap recovers the encryption key.
I discovered this issue (which I believe is a major security breach) when I was testing our disaster recovery procedures. It's hard for me to believe, given the almost daily reports of lost tapes and data privacy breaches, that Legato would either a) not encrypt the bootstrap, or b) not include the Datazone Pass Phrase in the bootstrap backups. Either one would effectively close this loophole.
I am making this post in the hopes that other NetWorker users who are using AES encryption have this knowledge that their data may not be as secure as they think. I also hope that more people will raise this issue with Legato to get them to change how NetWorker performs it's bootstrap backup.
When NetWorker backs up the Bootstrap, it does not encrypt it even if you have turned on AES encryption for the NetWorker server. This in itself isn't too bad except that the boostrap includes the AES Encryption Key!!! (from the Datazone Phass Phrase parameter).
So you can recover the bootstrap without knowing your encryption key which will in effect allow you to read any encrypted data as recovery of the bootstrap recovers the encryption key.
I discovered this issue (which I believe is a major security breach) when I was testing our disaster recovery procedures. It's hard for me to believe, given the almost daily reports of lost tapes and data privacy breaches, that Legato would either a) not encrypt the bootstrap, or b) not include the Datazone Pass Phrase in the bootstrap backups. Either one would effectively close this loophole.
I am making this post in the hopes that other NetWorker users who are using AES encryption have this knowledge that their data may not be as secure as they think. I also hope that more people will raise this issue with Legato to get them to change how NetWorker performs it's bootstrap backup.
0 events found
No Events found!
ble1
6 Operator
•
14.4K Posts
•
56.2K Points
0
September 25th, 2008 13:00
If your server is not in active group then bootstrap gets saved with run of each group you have.
mpunzo
1 Message
0
November 2nd, 2009 17:00
ble1
6 Operator
•
14.4K Posts
•
56.2K Points
0
November 3rd, 2009 12:00
shali021
6 Posts
0
April 29th, 2010 12:00
Yes, I think so, but I have not tested yet.
Last week I got the confirmation from EMC Technical Consultant, that Bootstrap issue (Passphrase in clear text and not encrypted) is solved in NetWorker v7.6
Below are the comments from him -
The lockbox is a technology provided by the EMC/RSA Common Security Toolkit that provides a means of strongly securing sensitive information. It was introduced into NetWorker 7.6 and is now used to securely store sensitive information that previously resided in the RAP database. This includes passwords (NetWorker and modules) and most specifically the datazone passphrases for AES asm and similar encryption needs. While this information was previously encrypted in RAP the new lockbox technology provides a much stronger encryption capability.
As of the NetWorker 7.6 the datazone passphrase is no longer placed in the bootstrap on a tape. The lockbox is part of the bootstrap but the recovery of the bootstrap is now governed by a different disaster recovery process. This maintains complete security of the bootstrap and prevents recovery of any data that is encrypted via AESASM. Therefore, a tape encrypted by AESASM cannot be recovered without the underlying lockbox.
Hope this helps ... Please let me know, if anyone tested this.