Some customers have asked what they can do to encrypt the adclient cache in their environment and, if they do, what the implications of doing so are.
Enabling adclient cache encryption
To start with, in order to enable adclient cache encryption, you'll have to edit the /etc/centrifydc/centrifydc.conf file and locate the following parameter:
adclient.cache.encryption.type:
and add the encryption types you plan to use in your environment. If you enable this setting but don't add any encryption types to it, the parameter defaults to arcfour-hmac-md5. In other words, adclient reads the line as:
adclient.cache.encryption.type: arcfour-hmac-md5
If you prefer to use other encryption types in addition to arcfour-hmac-md5, like aes256-cts or aes128-cts, you'll want to ensure they are all specified in the parameter like this:
adclient.cache.encryption.type: arcfour-hmac-md5 aes256-cts aes128-cts
Notice that the types are separated by spaces, not commas or semicolons.
If you don't want to use the arcfour-hmac-md5 encryption type at all, you must explicitly specify the type, or types, you want to use, like this:
adclient.cache.encryption.type: aes256-cts aes128-cts
Centrify supports all 5 encryption types listed in adclient.krb5.tkt.encryption.types:
arcfour-hmac-md5, des-cbc-md5, des-cbc-crc, aes256-cts and aes128-cts
We also support aes256-cts-hmac-sha1-96 and, if you are using FIPS mode, this encryption type is mandatory.
After changing this parameter, be sure to save the file and restart the centrifydc service for the change to take effect.
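As an added example (this is not Centrify's own tooling), the POSIX shell script below reads the adclient.cache.encryption.type line from a centrifydc.conf-style file, applies the default rule described above (an enabled but empty parameter means arcfour-hmac-md5), and checks that the value is space-separated and only names the types listed on this page as supported, so the file can be validated before the centrifydc service is restarted. The sample conf content is constructed, the file path is taken from the text above, and the note it prints for des-* types reflects the general Kerberos deprecation of single DES (RFC 6649), not anything this page states.

```shell
#!/bin/sh
# Audit helper (added example, not part of Centrify's product) for the
# adclient.cache.encryption.type setting in a centrifydc.conf-style file.
# Assumes the syntax shown on the page: a colon after the name, then
# encryption type names separated by spaces.

# Types the page lists as supported (adclient.krb5.tkt.encryption.types plus
# the FIPS type aes256-cts-hmac-sha1-96).
SUPPORTED="arcfour-hmac-md5 des-cbc-md5 des-cbc-crc aes256-cts aes128-cts aes256-cts-hmac-sha1-96"

# Print the effective type list for a conf file. An enabled-but-empty
# parameter defaults to arcfour-hmac-md5 (the rule stated on the page);
# "disabled" is printed when the line is absent or commented out.
effective_cache_types() {
    conf="$1"
    # Last uncommented occurrence wins; leading whitespace is tolerated.
    line=$(grep -E '^[[:space:]]*adclient\.cache\.encryption\.type[[:space:]]*:' "$conf" | tail -n 1)
    if [ -z "$line" ]; then
        echo disabled
        return 0
    fi
    value=${line#*:}
    # Collapse runs of whitespace and trim the ends.
    value=$(printf '%s' "$value" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//')
    if [ -z "$value" ]; then
        echo arcfour-hmac-md5
    else
        echo "$value"
    fi
}

# Return 0 if the list uses spaces (no commas or semicolons) and every entry
# is a supported type name; print each problem and return 1 otherwise.
check_cache_types() {
    types="$1"
    rc=0
    case "$types" in
        *,*|*\;*)
            echo "PROBLEM: separators must be spaces, not commas or semicolons: $types"
            return 1 ;;
    esac
    for t in $types; do
        found=0
        for s in $SUPPORTED; do
            [ "$t" = "$s" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "PROBLEM: unsupported encryption type '$t'"
            rc=1
        fi
        case "$t" in
            des-*) echo "NOTE: $t is single DES, deprecated in Kerberos (RFC 6649); consider dropping it" ;;
        esac
    done
    return $rc
}

# Demonstration on a constructed conf excerpt (not a real host's file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# centrifydc.conf excerpt (constructed for this example)
adclient.cache.encryption.type: arcfour-hmac-md5 aes256-cts aes128-cts
EOF
types=$(effective_cache_types "$demo_conf")
echo "effective cache encryption types: $types"
if check_cache_types "$types"; then
    echo "OK: safe to restart centrifydc with this setting"
fi
rm -f "$demo_conf"
```

To check a real host, replace the constructed excerpt with `effective_cache_types /etc/centrifydc/centrifydc.conf` and pass the result to `check_cache_types`; a non-zero return means the parameter should be fixed before the service is restarted.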
Things to consider before making the change
Please be aware that there are a couple of things to consider before encrypting the cache in adclient.
1) If the cache is encrypted, every operation that reads objects from, or writes objects to, the cache has to decrypt or encrypt them, respectively. This makes the process slower and more CPU intensive and, unfortunately, it doesn't really provide much additional security. Password hashes stored in the cache are already encrypted, so credentials are already protected in the cache. The only exposure this protects against is retrieving user information from the cache, but the adquery user command provides that information anyway.
2) The cache is encrypted with a one-time key that is stored only in adclient memory. So if adclient crashes, the key is gone and the next time adclient starts it has to completely rebuild the cache with a new key. This also means that every machine reboot, or every stop and restart of adclient, will completely rebuild the cache, which can be time consuming, especially in a large environment.