Forum Discussion

Nikolay_Matveev's avatar
Nikolay_Matveev
Icon for Nimbostratus rankNimbostratus
Apr 19, 2016

encryption with AES/CRYPTO - how to securely store the encryption key

Dear All,

 

I need to encrypt/decrypt some sensitive data which is permanently stored in a datagroup. Is there a way to store the encryption key so that it remained accessible from an iRule but at the same time was not present in the code? I anticipate that absolute security is problematic here (if such a thing exists at all :)) but what would be the most secure way of doing this on BigIP?

 

Ideal scenario would be to generate a key programmatically and store it somewhere on the BigIP file system (or separate admin partition) so that it was accessible to a specific iRule (ideally just one rule) but was not accessible from GUI/CLI. The iRule then could be signed with a certificate stored on HSM and any modifications to the iRule would be captured in the audit log, syslog and eventually SIEM which is ran by our SOC.

 

The key needs to be hidden if not from all user accounts but at least from all except one "break-glass" account whose use and credentials would be strictly controlled (administratively).

 

Or maybe I'm trying to invite a bicycle and it may be possible to easily use HSM to store symmetric keys?

 

Any thoughts would be very much appreciated!

 

2 Replies

  • Hello,

     

    You can use an ifile. It is stored on the filesystem (in clear) but not in the configuration file. You can use a script and the cron to generate your keys within ifiles.

     

    Or alternatively, you can set up a temporary key within a session table : https://devcentral.f5.com/wiki/irules.table.ashx

     

    The issue with table is that it doesn't persist accross reboot. You can create your keys using commands within irules. But I'm not sure that you have the right command available to generate a cryptographically secured key.

     

  • Hi Nikolay,

     

    did you find any proper solution for this issue ?