Forum Discussion

NiHo_202842 (Cirrostratus)
Mar 01, 2016

Private key password location?

Hello,

I am currently looking at the option to store our private keys encrypted on the BIG-IP. But for this to be beneficial in any way, I would need to know how and where the BIG-IP stores the passwords. Does anyone have any clue?

Regards

  • It's stored in the LTM config.

    Check the BIG-IP conf backup file /config/bigip.conf. Search for the relevant private key or SSL profile object. The password/passphrase itself should be visible as an MD5-salted hash.

    If you initially encrypted your private keys on the BIG-IP appliance, it's recommended to eliminate the bash history, since the commands you executed (including the password itself) will be there in plain text. You can delete the bash history by issuing the command rm ~/.bash_history.


    • NiHo_202842 (Cirrostratus)
      Thank you for your answer @Hannes Rapp. Is the salt derived from the master key, generated on the device at boot?
    • Hannes_Rapp (Nimbostratus)
      I think it's a static hash and only generated once, just as you save the related config object. I could be wrong here, but my test hash stayed the same after reboot. This format does not seem to be vulnerable to public MD5 crackers, as simple dictionary words like "hi" and "hello" returned no result.
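The answer above points at two places an operator should check after encrypting keys: the passphrase attribute on the key/profile objects in /config/bigip.conf, and the shell history that may still hold the passphrase in plain text. The script below is an added example written for this thread, not code from F5 or from anyone in the discussion. It parses a constructed, bigip.conf-style sample (the object names, paths and passphrase values are all made up, and the hashed values are placeholders assumed to follow a generic `$id$salt$hash` layout rather than any real BIG-IP format) and reports which SSL objects carry a passphrase that looks hashed, which look like plaintext, and which have none; a second helper flags history lines that still contain a passphrase argument so they can be cleaned up.

```python
import re

# Constructed sample in the style of a BIG-IP /config/bigip.conf. Names, paths
# and values are invented for this example; the "$1$..." strings are placeholders
# for a salted-hash layout, not real hashes from any appliance.
SAMPLE_BIGIP_CONF = """\
ltm profile client-ssl /Common/app1_clientssl {
    cert /Common/app1.crt
    key /Common/app1.key
    passphrase $1$EXAMPLESALT$PLACEHOLDERHASHVALUE0000
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/app2_clientssl {
    cert /Common/app2.crt
    key /Common/app2.key
    passphrase "Summer2016!"
    defaults-from /Common/clientssl
}
sys file ssl-key /Common/app3.key {
    passphrase $1$EXAMPLESALT$ANOTHERPLACEHOLDER000000
}
sys file ssl-key /Common/app4.key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/app4.key
}
"""

# Constructed shell history lines (the tmsh invocation is illustrative only).
SAMPLE_BASH_HISTORY = [
    "ls /config/ssl/ssl.key",
    "tmsh modify sys file ssl-key app1.key passphrase Summer2016!",
    "tmsh save sys config",
]

# One top-level object: "<kind words> /<name> {" ... "}" at column 0.
OBJECT_RE = re.compile(
    r"^(?P<kind>[a-z][\w\- ]+?) (?P<name>/\S+) \{\n(?P<body>.*?)\n\}",
    re.M | re.S,
)
PASSPHRASE_RE = re.compile(r"^\s*passphrase\s+(.+?)\s*$", re.M)
# Assumed generic salted-hash shape "$id$salt$hash"; anything else is treated
# as a plaintext passphrase that should not be sitting in the config.
HASHED_RE = re.compile(r"^\$[A-Za-z0-9]+\$[^$\s]+\$\S+$")


def audit_passphrases(conf_text):
    """Return (object name, status) pairs for every SSL key/profile object.

    status is "hashed", "plaintext" or "no-passphrase".
    """
    findings = []
    for m in OBJECT_RE.finditer(conf_text):
        if "ssl" not in m.group("kind"):
            continue  # only SSL profiles and ssl-key file objects matter here
        pm = PASSPHRASE_RE.search(m.group("body"))
        if pm is None:
            findings.append((m.group("name"), "no-passphrase"))
            continue
        value = pm.group(1).strip('"')
        status = "hashed" if HASHED_RE.match(value) else "plaintext"
        findings.append((m.group("name"), status))
    return findings


def plaintext_objects(conf_text):
    """Names of objects whose passphrase does not look hashed."""
    return [name for name, status in audit_passphrases(conf_text)
            if status == "plaintext"]


def history_lines_with_passphrase(lines):
    """1-based indexes of history entries that carry a passphrase argument."""
    return [i for i, line in enumerate(lines, 1)
            if re.search(r"\bpassphrase\b", line)]


if __name__ == "__main__":
    for name, status in audit_passphrases(SAMPLE_BIGIP_CONF):
        print(f"{name}: {status}")
    print("history lines to scrub:",
          history_lines_with_passphrase(SAMPLE_BASH_HISTORY))
```

Run against a real backup, the "plaintext" list is what needs attention before the file leaves the box (UCS archives and config exports carry bigip.conf with it), and the history check tells you whether the cleanup the answer recommends is still pending. The hash-shape test is deliberately loose; it only distinguishes "looks like a salted hash" from "looks like the secret itself", which is the property the thread is concerned with.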