Network Traffic and File Encryption

Privilege Management for Unix and Linux can encrypt network traffic, event logs, I/O logs, policy files, and its own settings file. The following table lists the available encryption algorithms. If you are using SSL, then it supersedes the network traffic encryption algorithms after the start-up protocol is complete.

Settings String Block Size (bytes) Key Size (bytes) Comments
3des 8 24 Old style Triple DES. This algorithm is deprecated in favor of the new style Triple DES and will be removed in a future release.

aes-16-16

(or aes-128)

16 16 AES

aes-16-24

(or aes-192)

16 24 " "

aes-16-32

(or aes-256)

16 32

" "

aes-24-16 24 16 " "
aes-24-24 24 24

" "

aes-24-32 24 32 " "
aes-32-16 32 16 " "
aes-32-24 32 24 " "
aes-32-32 32 32

" "

blowfish 8 56 Blowfish
cast128 8 16 Cast-128
des 8 8 DES
gost 8 32 Gost
loki97 16 32 Loki97
none 0 0 No encryption.
old stream 1024

A proprietary algorithm, maintained for backward compatibility only.

This algorithm is deprecated and will be removed in a future release.

saferplus-16 16 16 SaferPlus
saferplus-24 16 24 " "
saferplus-32 16 32 " "
serpent-16 16 16 Serpent
serpent-24 16 24 " "
serpent-32 16 32 " "
threeway 12 12 Threeway
tiny 8 16 Tiny
tripledes 8 16 New style Triple DES
twofish-16 16 16 Twofish
twofish-24 16 24 " "
twofish-32 16 32 " "

Enhanced Encryption

To enable compliance with US government regulations, and specifically FIPS 140-2, encryption has been updated. Many of the older less secure encryption algorithms have been deprecated, and when high security is enforced, they are disabled completely.

When new clients are installed, enforcehighsecurity and ssl are both enabled in pb.settings. This switches Privilege Management for Unix and Linux into FIPS 140-2 mode. All encryption algorithms are FIPS 140-2 compliant, and it does not communicate, encrypt, or decrypt any data that isn't encrypted in AES-128, AES-192, AES-256 or TripleDes (3DES).

If a customer is installing version 9 of Privilege Management for Unix and Linux from scratch, high security mode is recommended.

For existing customers who are upgrading their enterprise to version 9, the upgrade script automatically adds the AES-256 encryption algorithm onto the I/O log and event log encryption configuration, leaving the existing encryption algorithms at the end of the configuration. This ensures that new I/O logs and event logs are encrypted using modern secure algorithms, but allows existing I/O logs and event logs that are encrypted in less secure algorithms to be decrypted and retrieved. Although existing network encryption can continue to use deprecated encryption algorithms, because the data is transient, more permanent data such as I/O logs and event logs can only be encrypted in FIPS 140-2 compatible algorithms.

Customers who have an existing infrastructure, and would like to be FIPS 140-2 compliant must upgrade all Privilege Management for Unix and Linux servers and clients to the latest version. If there are existing I/O logs and event logs that are encrypted using less secure algorithms, a specially configured host is required that is dedicated to reading these older logs.

To accomplish this task, you can use the new Client Registration feature to copy new pb.settings configuration, keys and certificates, or you can configure each installation by hand and copy the files manually.

Use Client Registration

  1. Follow the upgrade guide to update the primary policy server to the latest version.
  2. Create a new-style encryption key to be used across the enterprise:
    pbkey -F /etc/pbfips.key
  3. Create a suitable client pb.settings file, for example /etc/pb-client.settings, and configure the new encryption settings.
    enforcehighsecurity yes
    ssl yes
    ssloptions requiressl	sslfirst  sslverbose	
    sslservercertfile /etc/pbmasterhost.crt
    sslserverkeyfile /etc/pbmasterhost.pem
    networkencryption aes-256:keyfile=/etc/pbfips.key
    iologencryption aes-256:keyfile=/etc/pbfips.key
    eventlogencryption aes-256:keyfile=/etc/pbfips.key
    submitmasters pbmasterhost.org.com
    logservers pbloghost.org.com
  4. Follow the Client Registration guide to enable the service and configure an appropriate client profile.
    For example, on the primary policy server run:
    pbdbutil --reg -n
    pbdbutil --reg -u '{"name":"client-prof","data":
    [{"type":"settings","fname":"/etc/pb-client.settings"},
    {"type":"certificate","to":"/etc/${prefix}pbrest.pem${suffix}"},
    {"type":"save","sname":"networkencryption"},
    {"type":"save","sname":"iologencryption"},
    {"type":"save","sname":"eventlogencryption"},
    {"type":"save","sname":"restkeyencryption"},
    {"type":"save","sname":"sslservercertfile"},
    {"type":"save","sname":"sslserverkeyfile"}]}'
  5. Create similar profiles for your secondary policy servers, log servers, etc.
  6. Create a REST application ID and Key to authenticate your Client Registration requests.
    For example, on the primary policy server run:
    pbdbutil --rest -g clientreg
    {"appkey":"cbbc1aab-6f2b-40d0-b611-060bff0aaafa"}
  7. Now follow the upgrade guide to upgrade each client and server, using Client Registration when prompted. Run the normal pbinstall on the client and when asked whether to use Client Registration, answer yes, and provide responses to the Client Registration configuration questions.
    Do you wish to utilize Client Registration? [yes]?
    Enter the Application ID generated on the Primary License Server: clientreg
    Enter the Application Key generated on the Primary License Server: cbbc1aab-
    6f2b-40d0-b611-060bff0aaafa
    Enter the Primary License Server address/domain name for registering
    clients: pbmasterhost.org.com
    Enter the Primary License Server REST TCP/IP port [24351]: 24351
    Enter the Registration Client Profile name [default]: client-prof

    Using the profile appropriate to the installation type. All the necessary pb.settings, keys, and certificates are automatically copied to the upgrade installation, making upgrade simple.

    Alternatively, these Client Registrations options can be specified on the pbinstall command line for automation.

    pbinstall -A clientreg -K cbbc1aab-6f2b-40d0-b611-060bff0aaafa -D
    pbmasterhost.org.com -N client-prof

Without Using Client Registration

  1. Follow the upgrade guide to update the primary policy server to the latest version.
  2. Create a new-style encryption key to be used across the enterprise:
    pbkey -F /etc/pbfips.key
  3. For each upgrade you need to copy the new key, the primary policy manger certificate and the primary policy server key to each host.
  4. During upgrade you need to change settings to enable high security mode:
    Enforce High Security Encryption? yes Use SSL? yes
    SSL Configuration? requiressl	sslfirst  sslverbose
    SSLServer Certificate File? <path to Primary Policy Server certificate file>
    SSL Server Private Key File? <path to Primary Policy Server key file>
    PowerBroker network encryption options aes-256:keyfile=/etc/pbfips.key
    PowerBroker event log encryption options aes-256:keyfile=/etc/pbfips.key
    PowerBroker I/O log encryption options aes-256:keyfile=/etc/pbfips.key

To configure a dedicated host to read older I/O logs and event logs encrypted with deprecated encryption algorithms, the following configuration is required to ensure that it can communicate with the new FIPS 140-2 compliant installations, but allowing it to read the older logs. Follow the above installation procedures, but change the pb.setting configuration:

enforcehighsecurity no
ssl yes
ssloptions requiressl sslfirst sslverbose
sslservercertfile /etc/pbmasterhost.crt
sslserverkeyfile /etc/pbmasterhost.pem
networkencryption aes-256:keyfile=/etc/pbfips.key
iologencryption aes-256:keyfile=/etc/pbfips.key des:keyfile=/etc/oldpb.key
eventlogencryption aes-256:keyfile=/etc/pbfips.key
des:keyfile=/etc/oldpb.key

High security mode is not enabled, allowing the installation to read deprecated logs. SSL is enabled, with the correct configuration to allow the installation to communicate with the policy servers. The iolog and event log encryption must have FIPS 140-2 compatible algorithm specified if new logs are to written. However this can be left out if the sole purpose of the installation is to read older logs. Appended to the end of the iolog and event log encryption configuration are the details of the customers' existing encryption used when the logs were encrypted. Privilege Management for Unix and Linux selects the relevant algorithm when the logs are replayed.