Understanding the use case for DLocal_Key_Secret in Deep Security Manager.vmoptions file

    • Updated: 15 Apr 2021
    • Product/Version: Deep Security 11.3, Deep Security 12.0, Deep Security 12.5, Deep Security 20.0
Summary

Inside the Deep Security Manager.vmoptions file, there is a line that starts with:

-DLOCAL_KEY_SECRET

Know what this line is used for and why the name and value are displayed in plain text.

Details
  • Is this line displayed in plain text working as intended for Deep Security Manager (DSM)?

    Yes, it is, by current design. The file is stored under the DSM folder.

  • Why do we need the Local_Key_Secret in Deep Security Manager.vmoptions file?

    The LOCAL_KEY_SECRET value is a salt (a unique piece of additional data provided to the key generation process) used to generate the actual master key (the installer encrypts the master key with this LOCAL_KEY_SECRET). This is an extra layer of protection to help encrypt sensitive data stored in the database and configuration files. Access to the file is restricted to root only. The main purpose of this design is to protect encrypted information inside the database or a database backup in the event the database is accessed by an attacker: without root access to the DSM server, the attacker cannot decrypt any sensitive information stored inside the database. The key generated from this string is used during manager startup, so this line needs to be present on the server at all times.

    Customers can also choose to protect sensitive data inside the database using AWS KMS. This is considered more secure but requires the use of AWS. There is no Local_Key_Secret when DSM is configured to use AWS KMS.

  • When does Local_Key_Secret appear in the vmoptions file?

    During DSM installation, this line is added to the vmoptions file and remains there for the normal functioning of the manager node.

    If new manager nodes are deployed, this value has to be added manually into the VMOPTIONS file of the new manager node.

  • Are there plans to store this information as a hashed value?

    There are no plans to change this design as of now. If having this value in plain text is a concern, it is recommended to submit a support case to Trend Micro. The more feedback we receive from customers, the better we can prioritize this enhancement request in the future.

  • When was this line first introduced in Deep Security?

    Configuration of the master key was first introduced in Deep Security Manager 11.3.

  • Is there documentation that provides more information related to Local_Key_Secret?

    The DSM installation article talks more about configuring the Master Key as one of the steps to complete the manager installation.
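
The answers above state that access to the vmoptions file is restricted to root and that the -DLOCAL_KEY_SECRET line must be present at all times. The check below is an added example, not Trend Micro code: it audits the file's owner, mode and the presence of the line without ever printing the value. The file path and expected owner uid are arguments, because this article does not give the install path.

```shell
#!/bin/sh
# Added example (not vendor code): audit a vmoptions file that carries the
# -DLOCAL_KEY_SECRET line. Path and expected uid are caller-supplied
# assumptions; the secret value itself is never echoed.

# audit_vmoptions FILE [EXPECTED_UID]
# Prints one line per finding and returns the number of findings (0 = clean).
audit_vmoptions() {
    file=$1
    want_uid=${2:-0}    # default 0: the article says root-only access
    findings=0

    if [ ! -f "$file" ]; then
        echo "FINDING: $file not found"
        return 1
    fi

    # "ls -ln" prints "<mode> <links> <uid> <gid> ..." with numeric ids.
    mode=$(ls -ln -- "$file" | awk '{print $1}')
    uid=$(ls -ln -- "$file" | awk '{print $3}')

    if [ "$uid" != "$want_uid" ]; then
        echo "FINDING: owner uid is $uid, expected $want_uid"
        findings=$((findings + 1))
    fi

    # Characters 5-10 of the mode string are the group and other bits.
    go_bits=$(printf '%s' "$mode" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "FINDING: group/other have access (mode $mode)"
        findings=$((findings + 1))
    fi

    # The manager reads the line at startup: it must exist exactly once.
    count=$(grep -c -e '^-DLOCAL_KEY_SECRET' -- "$file" || true)
    if [ "$count" -ne 1 ]; then
        echo "FINDING: expected 1 -DLOCAL_KEY_SECRET line, found $count"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Stand-alone use: sh audit.sh "/path/to/file.vmoptions" [uid]
if [ $# -gt 0 ]; then
    audit_vmoptions "$@"
fi
```

Run it on every manager node, including nodes where the line was added manually, and treat any finding as a reason to review who can read the file and its backups.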

Category: Configure
Solution Id: 000286255