Protection of CLDB and DARE Master Keys
This section describes how the CLDB key and DARE master keys are encrypted and stored during normal operations.
In release 6.2, if used without HSM integration, the CLDB key is encrypted using a weak hard-coded key and stored in Base-64 format in ${MAPR_HOME}/conf/cldb.key. The DARE master key is stored in clear text in hexadecimal format in ${MAPR_HOME}/conf/dare.master.key. Both files are protected only by file permissions. The files need to be encrypted and protected using FIPS-approved algorithms.
Release 7.0.0 and later encrypt and store these keys using the PKCS#11 interface and the mrhsm tool. Using configure.sh with the -genkey option automatically generates the keys inside the HSM. In this case, the HSM could be the HSM that was introduced in release 6.2.0 or the HSM inside the newly introduced file store, which is ${MAPR_HOME}/conf/tokens. Upgrades also automatically upgrade mrhsm configurations to support the file store and store existing keys inside the PKCS#11 file store if the legacy cldb.key or dare.master.key are found.
- Instead of backing up the cldb.key and dare.master.key as recommended in previous versions, users are encouraged to back up the ${MAPR_HOME}/conf/tokens directory as well as the ${MAPR_HOME}/conf/maprhsm.conf file. These are both essential to retrieve the keys.
- During configuration, instead of copying key files, users must copy the ${MAPR_HOME}/conf/tokens directory as well as the ${MAPR_HOME}/conf/maprhsm.conf file to other CLDB nodes in the cluster.
- MFS-only nodes still need an empty ${MAPR_HOME}/conf/dare.master.key file to detect that DARE is enabled. This file does NOT need to contain the actual key.
- During an upgrade, the cldb.key and dare.master.key are left intact and untouched even though we expect to have them stored in the PKCS#11 file store. It is a best practice to remove them from the node and store them in a safe location in case they are needed again.
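
The following post-upgrade check is an added example, not part of the product or its documentation. It reports legacy key files still on a node and, on CLDB nodes, whether the token directory and maprhsm.conf are present. The function names, finding labels, the /opt/mapr default, and the owner-only permission baseline are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code). Function names and finding labels are
# hypothetical; /opt/mapr as the default MAPR_HOME is an assumption.

findings=""
note() { findings="${findings}$1
"; }

# Group/other permission bits of a path; "------" means owner-only.
go_bits() { ls -ld "$1" | cut -c5-10; }

# audit_key_storage [MAPR_HOME] [cldb|mfs]
# Prints one finding per line; returns 0 only when there are none.
audit_key_storage() {
    conf="${1:-${MAPR_HOME:-/opt/mapr}}/conf"
    role="${2:-cldb}"
    findings=""

    # Legacy CLDB key file: upgrades leave it in place on the node.
    [ -e "$conf/cldb.key" ] && note "LEGACY_CLDB_KEY $conf/cldb.key"

    # An empty dare.master.key is only a "DARE enabled" marker; a non-empty
    # one still holds key material outside the PKCS#11 file store.
    [ -s "$conf/dare.master.key" ] && note "LEGACY_DARE_KEY $conf/dare.master.key"

    # CLDB nodes need both the token directory and maprhsm.conf.
    if [ "$role" = "cldb" ]; then
        [ -d "$conf/tokens" ] || note "MISSING_TOKENS $conf/tokens"
        [ -f "$conf/maprhsm.conf" ] || note "MISSING_HSM_CONF $conf/maprhsm.conf"
    fi

    # Assumed baseline for this example: no group/other access to key items.
    # Empty files (such as the DARE marker) are skipped.
    for p in "$conf/cldb.key" "$conf/dare.master.key" \
             "$conf/tokens" "$conf/maprhsm.conf"; do
        [ -d "$p" ] || [ -s "$p" ] || continue
        [ "$(go_bits "$p")" = "------" ] || note "LOOSE_PERMS $p"
    done

    printf '%s' "$findings"
    [ -z "$findings" ]
}
```

Call it as `audit_key_storage "$MAPR_HOME" cldb` on CLDB nodes and with `mfs` on MFS-only nodes, where the token directory is not required by this check.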