Inside the Deep Security Manager.vmoptions file, there is a line that starts with:
This article explains what this line is used for and why its name and value are displayed in plain text.
- Is displaying this line in plain text working as intended for Deep Security Manager (DSM)?
Yes it is, by current design. The file is stored under the DSM folder.
- Why do we need the Local_Key_Secret in Deep Security Manager.vmoptions file?
The LOCAL_KEY_SECRET value is a salt (a unique piece of additional data fed into the key generation process) used to generate the actual master key; the installer encrypts the master key with this Local_Key_Secret. This adds an extra layer of protection to the encryption of sensitive data stored in the database and configuration files. Access to the file is restricted to root only. The main purpose of this design is to protect the encrypted information inside the database, or a database backup, in the event that an attacker gains access to the database: without root access to the DSM server, the attacker cannot decrypt any sensitive information stored in it. The key generated from this string is used during manager startup, so this line must be present on the server at all times.
Customers can also choose to protect sensitive data inside the database using AWS KMS. This is considered more secure but requires the use of AWS. There is no Local_Key_Secret when DSM is configured to use AWS KMS.
- When does Local_Key_Secret appear in the vmoptions file?
The line is added to the vmoptions file during DSM installation and must remain there for the manager node to function normally.
If new manager nodes are deployed, this value has to be added manually to the vmoptions file of each new manager node.
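As an added example (not part of the Trend Micro article), a POSIX shell audit of the two properties the answers above depend on: the LOCAL_KEY_SECRET line is present, and the vmoptions file is readable only by root; a second function confirms that a newly deployed manager node carries the same line as an existing one. The file path, the expected owner and GNU stat(1) are assumptions, since the article gives neither the exact path nor the full line format.

```shell
#!/bin/sh
# Added example, not from the Trend Micro article: audit the vmoptions file
# for the two properties the answers rely on (LOCAL_KEY_SECRET line present,
# file readable by its owner only), and compare the line between two nodes.
# Assumptions: GNU stat(1); file path and expected owner are arguments
# because the article gives neither the exact path nor the full line format.
# check_vmoptions_file FILE [EXPECTED_OWNER]
# Prints one line per finding; returns 0 when every check passes, 1 otherwise.
check_vmoptions_file() {
    file=$1
    expected_owner=${2:-root}
    rc=0
    if [ ! -f "$file" ]; then
        echo "FAIL: $file not found"
        return 1
    fi
    # Without this line the manager cannot derive its master key at startup.
    if grep -q 'LOCAL_KEY_SECRET' "$file"; then
        echo "OK:   LOCAL_KEY_SECRET line present"
    else
        echo "FAIL: LOCAL_KEY_SECRET line missing"
        rc=1
    fi
    # The protection assumes only root can read the secret.
    owner=$(stat -c '%U' "$file")
    if [ "$owner" = "$expected_owner" ]; then
        echo "OK:   owned by $owner"
    else
        echo "FAIL: owned by $owner, expected $expected_owner"
        rc=1
    fi
    mode=$(stat -c '%a' "$file")
    group_other=$(printf '%s' "$mode" | tail -c 2)   # last two octal digits
    if [ "$group_other" = "00" ]; then
        echo "OK:   mode $mode (owner only)"
    else
        echo "FAIL: mode $mode grants group/other access"
        rc=1
    fi
    return $rc
}

# same_key_secret FILE_A FILE_B
# Returns 0 when both files carry an identical LOCAL_KEY_SECRET line.
same_key_secret() {
    a=$(grep 'LOCAL_KEY_SECRET' "$1" | head -n 1)
    b=$(grep 'LOCAL_KEY_SECRET' "$2" | head -n 1)
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Run it against the vmoptions file on each manager node before starting the service, and against a copy of an existing node's file when bringing up a new node.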
- Are there plans to store this information as a hashed value?
There are no plans to change this design as of now. If storing this value in plain text is a concern, it is recommended to submit a support case to Trend Micro. The more feedback we receive from customers, the better we can prioritize this enhancement request in the future.
- When was this line first introduced in Deep Security?
Configuration of the master key was first introduced in Deep Security Manager 11.3.
- Is there documentation that provides more information related to Local_Key_Secret?
The DSM installation article covers configuring the master key as one of the steps to complete the manager installation.