Security of Passwords and Secret Keys
By default, configuration files are automatically encrypted during component installation for additional system protection. Critical configuration files are encrypted with an AES-256 key generated by the Data Protection API. The key is stored on the Axidian Privilege server and additionally encrypted by the Windows Data Protection API.
The configuration files of the following components are encrypted:
- Core
- IdP
- Log Server
- ProxyApp
- RDP Proxy
- SSH Proxy
- PostgreSQL Proxy
- MSSQL Proxy
- Web Proxy
- Web Terminal
- Gateway Service
Windows Utility
Unencryption
Go to the ..PAM_3.3\axidian-pam-tools\configuration-protector\ folder, where the PAM distribution is located.
Run PowerShell as administrator.
Run one of the following commands to perform unencryption.
Unencryption of all configuration files located in standard directories:
.\Pam.Tools.Configuration.Protector.exe unprotect
Note: The standard configuration file location is C:\inetpub\wwwroot\<component_name>\appsettings.json.
Unencryption of configuration files of individual components:
.\Pam.Tools.Configuration.Protector.exe unprotect --component enter_component_name
Example:
.\Pam.Tools.Configuration.Protector.exe unprotect --component core
Unencryption of a configuration file located outside the standard directory:
.\Pam.Tools.Configuration.Protector.exe unprotect --component enter_component_name --file "file_path"
Example:
.\Pam.Tools.Configuration.Protector.exe unprotect --component Core --file "C:\inetpub\wwwroot\core\appsettings.json"
Note: The path may be specified without quotes if it does not contain spaces.
Encryption
Go to the ..PAM_3.3\axidian-pam-tools\configuration-protector\ folder, where the PAM distribution is located.
Run PowerShell as administrator.
Run one of the following commands to perform encryption.
Encryption of all configuration files located in standard directories:
.\Pam.Tools.Configuration.Protector.exe protect
Note: The standard configuration file location is C:\inetpub\wwwroot\<component_name>\appsettings.json.
Encryption of configuration files of individual components:
.\Pam.Tools.Configuration.Protector.exe protect --component enter_component_name
Example:
.\Pam.Tools.Configuration.Protector.exe protect --component core
Encryption of a configuration file located outside the standard directory:
.\Pam.Tools.Configuration.Protector.exe protect --component enter_component_name --file "file_path"
Example:
.\Pam.Tools.Configuration.Protector.exe protect --component Core --file "C:\inetpub\wwwroot\core\appsettings.json"
Note: The path may be specified without quotes if it does not contain spaces.
Linux Script
Unencryption
Go to the directory with the protector script:
cd /etc/axidian/axidian-privilege/tools
Run one of the following commands to perform unencryption.
Unencryption of all configuration files located in standard directories:
bash protector.sh unprotect
Unencryption of configuration files of individual components:
bash protector.sh unprotect --component enter_component_name
Example:
bash protector.sh unprotect --component core
Encryption
Go to the directory with the protector script:
cd /etc/axidian/axidian-privilege/tools
Run one of the following commands to perform encryption.
Encryption of all configuration files located in standard directories:
bash protector.sh protect
Encryption of configuration files of individual components:
bash protector.sh protect --component enter_component_name
Example:
bash protector.sh protect --component core
Encryption Mechanism Details
Encryption is performed using the AES-256 algorithm with a key set generated by the Data Protection API. The keys are stored on the Axidian Privilege server and encrypted using the Windows Data Protection API.
Location of keys:
- Windows Server — %ProgramData%\Axidian\Keys
- Linux OS — /etc/axidian/axidian-pam/keys
Directory usage rights are granted only to Axidian Privilege applications.
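Because the protection of every encrypted configuration file rests on the key directory being readable only by the Axidian Privilege applications, it is worth verifying those rights after installation or after any permission changes. The following script is an added example, not part of the Axidian documentation or tooling: it audits a Linux key directory (by default /etc/axidian/axidian-pam/keys) and its direct entries, flagging any group/other permission bits and any entry not owned by the expected service account; the account name is an assumption and must be set for your deployment.

```shell
# Added example (not part of the Axidian documentation): audit a key
# directory so that only its owner, assumed to be the service account the
# Axidian Privilege components run under, has any access to it.
#
# audit_keys_dir DIR OWNER
#   Returns 0 when DIR and every direct entry in it deny all group/other
#   access and are owned by OWNER; prints each offending entry and
#   returns 1 otherwise; returns 2 when DIR does not exist.
audit_keys_dir() {
    dir="$1"
    expected_owner="$2"
    rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }
    # The directory itself plus its visible and dot entries (flat listing).
    for entry in "$dir" "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue          # skip unmatched globs
        line=$(ls -ld "$entry")
        # In ls -ld output, columns 5-10 are the group and other bits.
        go_bits=$(printf '%s\n' "$line" | cut -c5-10)
        owner=$(printf '%s\n' "$line" | awk '{print $3}')
        if [ "$go_bits" != "------" ]; then
            echo "group/other access on $entry ($go_bits)"
            rc=1
        fi
        if [ "$owner" != "$expected_owner" ]; then
            echo "unexpected owner '$owner' on $entry"
            rc=1
        fi
    done
    return $rc
}

# Usage (service account name is an assumption; replace with your own):
# audit_keys_dir /etc/axidian/axidian-pam/keys axidian && echo "keys directory OK"
```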