Securing Credentials in vMA 4.1 (1017669)


Details

The credentials in vMA are encrypted using standard encryption algorithms. However, a user who obtains the VMDK files of a vMA appliance might be able to reverse-engineer the encryption algorithm and decrypt the passwords. To make the credentials more secure, you can encrypt the filesystem on which the credentials and vMA database files are stored.

Solution

Encrypt the Filesystem

To secure credentials in vMA, encrypt the filesystem that holds them and then restore (re-mount) it after each reboot. Perform the following steps to encrypt the filesystem before you add any target:
  1. Log in to vMA.
     
  2. Change the mode to super-user mode:
    sudo -s
     
  3. Create an empty file by running the following command:
    dd of=/path/to/vi-adminsecretfs bs=1M count=0 seek=8

    In the above example, you are creating a sparse file of 8MB, where blocks are not written to the file.
    Note: Do not force allocation of data blocks for this file.

  4. Lock the access to the file by running the following commands:
    chmod 600 /path/to/vi-adminsecretfs
    chown vi-admin /path/to/vi-adminsecretfs
     
  5. Associate a loopback device with the file by running the following command:
    losetup /dev/loop0 /path/to/vi-adminsecretfs

  6. Encrypt the storage in the device by running the following command:
    cryptsetup -y create vi-adminsecretfs /dev/loop0
     

    The cryptsetup command uses the Linux device mapper to create, in this case, /dev/mapper/vi-adminsecretfs. The -y option specifies that users will be prompted to enter the passphrase twice (once for verification).

  7. (Optional) Check the status of the file:
    cryptsetup status vi-adminsecretfs

     
  8. Write zeros to the new encrypted device to force the allocation of data blocks.
    dd if=/dev/zero of=/dev/mapper/vi-adminsecretfs
    The zeros are encrypted and they look like random data to the external world, thus making it nearly impossible to track down the encrypted data blocks.
     
  9. Create a filesystem and verify its status by running the following commands:
    mke2fs -j -O dir_index /dev/mapper/vi-adminsecretfs
    tune2fs -l /dev/mapper/vi-adminsecretfs

  10. Mount the new filesystem to a convenient location:
    mkdir /home/vi-admin/.vmware
    mount /dev/mapper/vi-adminsecretfs /home/vi-admin/.vmware
     
  11. Repeat Steps 1 to 10 for vi-user. You should replace vi-adminsecretfs with vi-usersecretfs and mount the created file system at /home/vi-user/.vmware.

Restore the Filesystem

Restore the encrypted filesystem after a reboot by running the following commands:
  1. Associate a loopback device with the file by running the following command:
    losetup /dev/loop0 /path/to/vi-adminsecretfs
  2. Encrypt the mapped device by running the following command:
    cryptsetup create vi-adminsecretfs /dev/loop0
  3. When prompted, enter the password.
  4. Mount the filesystem by running the following command:
    mount /dev/mapper/vi-adminsecretfs /mnt/cryptofs/vi-adminsecretfs

Alternatively, you can restore the filesystem by configuring an init.d script. Note that the script prompts you for a password while booting. Perform the following steps to create the script:
 
  1. Create a file called encryptfs under the directory /etc/init.d with the following contents (each command must be on its own line, not on the same line as its comment):

    #!/bin/sh
    # chkconfig: 345 1 99
    # description: Enable the encrypted filesystems

    # Associate a loopback device with the file
    losetup /dev/loop0 /path/to/vi-adminsecretfs

    # Encrypt mapped device; you'll be prompted for the password
    cryptsetup create vi-adminsecretfs /dev/loop0

    # Mount the filesystem
    mount /dev/mapper/vi-adminsecretfs /mnt/cryptofs/vi-adminsecretfs

  2. Provide execute permissions to the file by running the following command:

    chmod a+x /etc/init.d/encryptfs

  3. Register the script to run at boot by using the following command:

    chkconfig --add encryptfs

     When rebooted, vMA prompts you for the password that will be used to mount the encrypted filesystem.

You can also protect the vMA database by moving the /var/opt/vmware/vMA/vMA.db file to a temporary location and then creating a vmadbsecretfs using the steps above. Mount the new filesystem at /var/opt/vmware/vMA and move the vMA.db file back to /var/opt/vmware/vMA.
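As an added example (not part of this KB article or of the vMA appliance), the same init.d logic written more defensively: it restores both containers from step 11, picks a free loop device instead of assuming /dev/loop0, skips stages that are already done, tears everything down on stop, and includes an is_sparse check for the step 3 requirement. The backing-file paths, the mount points (taken from steps 10 and 11; the restore steps above use /mnt/cryptofs instead, so use whichever you chose) and a util-linux losetup that supports -j and -f --show are assumptions.

```shell
#!/bin/sh
# Added example (not VMware's script): a boot-time helper for the two loopback
# containers built above. Assumed: the backing-file paths and the mount points
# from steps 10 and 11, and a util-linux with losetup -j / -f --show.
# Each CONTAINERS line: <mapper-name> <backing-file> <mount-point>
CONTAINERS='vi-adminsecretfs /path/to/vi-adminsecretfs /home/vi-admin/.vmware
vi-usersecretfs /path/to/vi-usersecretfs /home/vi-user/.vmware'

# Step 3 requires a sparse backing file. Returns 0 when the blocks actually
# allocated are fewer than the apparent size, 1 when the file is fully allocated.
is_sparse() {
    allocated_kb=$(du -k "$1" | cut -f1)
    apparent_kb=$(( $(wc -c < "$1") / 1024 ))
    [ "$allocated_kb" -lt "$apparent_kb" ]
}

# Restore one container: loop device, dm-crypt mapping (passphrase prompt from
# step 6), mount. Each stage is skipped if already done, so re-running is safe.
start_one() {
    name=$1; file=$2; mnt=$3
    [ -f "$file" ] || { echo "encryptfs: $file missing, skipping $name" >&2; return 1; }
    if [ ! -e "/dev/mapper/$name" ]; then
        loop=$(losetup -j "$file" | cut -d: -f1)            # reuse an existing loop
        [ -n "$loop" ] || loop=$(losetup -f --show "$file")  # else take a free one
        cryptsetup create "$name" "$loop" || return 1
    fi
    mkdir -p "$mnt"
    mountpoint -q "$mnt" || mount "/dev/mapper/$name" "$mnt"
}

# Tear one container down in reverse order so the key leaves the kernel.
stop_one() {
    name=$1; file=$2; mnt=$3
    mountpoint -q "$mnt" && umount "$mnt"
    [ -e "/dev/mapper/$name" ] && cryptsetup remove "$name"
    loop=$(losetup -j "$file" | cut -d: -f1)
    [ -n "$loop" ] && losetup -d "$loop"
    return 0
}

for_each_container() {   # $1 = function to call as: fn name file mnt
    echo "$CONTAINERS" | while read -r name file mnt; do "$1" "$name" "$file" "$mnt"; done
}

case "${1:-}" in
    start) for_each_container start_one ;;
    stop)  for_each_container stop_one ;;
    *)     : ;;   # no action given (e.g. script sourced for its functions)
esac
```

Install it as /etc/init.d/encryptfs with the chkconfig header from step 1 and register it with chkconfig --add as above; `sh encryptfs stop` before shutdown unmounts and removes the mappings.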
