Security of Passwords and Secret Keys
For additional system protection, it is recommended to encrypt the configuration files after final edits.
Axidian Privilege Components Protection
The distribution kit includes the Configuration Protector utility, which is located in the ..PAM_2.10.0\axidian-pam-windows\MISC\ConfigurationProtector\ folder.
The utility can encrypt the configuration files of the Core, IdP, ProxyApp and Log Server components.
Run the following commands to encrypt the corresponding configuration files:
- Core component:
Pam.Tools.Configuration.Protector protect --component Core --file C:\inetpub\wwwroot\pam\core\appsettings.json
- IdP component:
Pam.Tools.Configuration.Protector protect --component Idp --file C:\inetpub\wwwroot\pam\idp\appsettings.json
- Log Server component:
Pam.Tools.Configuration.Protector protect --component LogServer --file C:\inetpub\wwwroot\ls\targetConfigs\PamTargetDb.config
- ProxyApp component:
Pam.Tools.Configuration.Protector protect --component ProxyApp --file "C:\Program Files\Axidian\Axidian Privilege\Gateway\ProxyApp\appsettings.json"
These commands apply when the components are deployed on Windows.
When the components are deployed on Linux, the configuration files are encrypted automatically by the deployment script.
To decrypt the configuration, run the command:
Pam.Tools.Configuration.Protector unprotect --file "c:\path\to\configuration\file"
Encryption Mechanism Details
Encryption uses the AES-256 algorithm with a key set generated through the Data Protection API. The keys are stored in the %ProgramData%\Axidian\Axidian Privilege\Keys folder.
The keys are encrypted with the Windows Data Protection API in machine scope, that is, bound to the computer, so any user on that computer can encrypt or decrypt them. If the Data Protection API keys are not synchronized between the instances behind a load balancer, the configuration must be re-encrypted, since the instances will hold different keys.
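An added PowerShell illustration of the key handling described above; it is not the Configuration Protector's own code. It wraps a freshly generated AES-256 key with DPAPI in LocalMachine scope, encrypts a constructed appsettings.json fragment with that key, and decrypts it again. The temp folder, the file names and the AES-CBC blob layout (IV prepended, no integrity tag) are assumptions made for the demo, not the product's format.

```powershell
# Added demo, not the Axidian utility's code: wrap an AES-256 key with DPAPI in
# LocalMachine scope, then encrypt/decrypt a constructed config fragment with it.
# Targets Windows PowerShell 5.1 (.NET Framework); file layout below is assumed.
Add-Type -AssemblyName System.Security
$Scope = [System.Security.Cryptography.DataProtectionScope]::LocalMachine

function New-WrappedAesKey {
    param([string]$KeyFile)
    $key = New-Object byte[] 32                      # 256-bit key
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    # Machine scope: any account on THIS computer can unwrap it, so the file's NTFS ACL is the gate.
    $wrapped = [System.Security.Cryptography.ProtectedData]::Protect($key, $null, $Scope)
    [IO.File]::WriteAllBytes($KeyFile, $wrapped)
}

function Get-UnwrappedAesKey {
    param([string]$KeyFile)
    # Throws CryptographicException on another machine: an instance with its own DPAPI keys cannot read this.
    [System.Security.Cryptography.ProtectedData]::Unprotect(
        [IO.File]::ReadAllBytes($KeyFile), $null, $Scope)
}

function Protect-DemoConfig {
    param([string]$KeyFile, [string]$PlainText)
    $aes = [System.Security.Cryptography.Aes]::Create()   # AES-CBC/PKCS7; demo has no integrity tag
    $aes.Key = [byte[]](Get-UnwrappedAesKey $KeyFile); $aes.GenerateIV()
    $bytes = [Text.Encoding]::UTF8.GetBytes($PlainText)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
    [byte[]]($aes.IV + $cipher)                      # 16-byte IV prepended to ciphertext
}

function Unprotect-DemoConfig {
    param([string]$KeyFile, [byte[]]$Blob)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = [byte[]](Get-UnwrappedAesKey $KeyFile)
    $aes.IV = [byte[]]($Blob[0..15])
    $body = [byte[]]($Blob[16..($Blob.Length - 1)])
    [Text.Encoding]::UTF8.GetString($aes.CreateDecryptor().TransformFinalBlock($body, 0, $body.Length))
}

# Demo run in a temp folder (constructed; the real keys live under %ProgramData%\Axidian\Axidian Privilege\Keys).
$demoDir = Join-Path $env:TEMP 'pam-protector-demo'
New-Item -ItemType Directory -Force -Path $demoDir | Out-Null
$keyFile = Join-Path $demoDir 'key.dpapi'
New-WrappedAesKey $keyFile
$sample = '{ "ConnectionStrings": { "Default": "Server=db;User Id=pam;Password=<placeholder>" } }'
$blob = [byte[]](Protect-DemoConfig $keyFile $sample)
[IO.File]::WriteAllBytes((Join-Path $demoDir 'appsettings.enc'), $blob)
if ((Unprotect-DemoConfig $keyFile $blob) -ne $sample) { throw 'round-trip mismatch' }
```

Copying key.dpapi and appsettings.enc to a second computer and running Unprotect-DemoConfig there fails at the DPAPI step, which is the situation the load-balancer note above describes.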