On Tue, Mar 14, 2017 at 12:32:10PM -0700, Russ Allbery wrote: > "Henry B (Hank) Hotz, CISSP" <hbh...@oxy.edu> writes: > > Shut down all daemons on the master. > > > hprop --decrypt --stdout | hpropd --stdin > > > Restart all daemons. > > You probably also want to shut down incremental propagation while you do > this. I think this should force a full resync when the slaves reconnect, > but it would be a good idea to thoroughly test the replication behavior in > a test realm before doing this in a production realm. I forget how it > deals with a complete database reload; I think it's supposed to do > something sane, but that would be the component that I would worry about.
Good point, but actually restarting the daemons does not force a full resync. You have to remove the iprop log file (on the master and/or the slaves -- either works) to force a full resync. > Note that you will need to manually copy the new master key to the slaves > before they'll be able to replicate. Also don't forget to keep the old > master key around for the length of your backup retention so that you > don't invalidate your backups. If you're not storing the master key on a different disk anyways, and maybe even if you are, I would recommend just not encrypting the HDB at all. As with MIT, only the principals' keys are encrypted, which leaves you subject to cut-n-paste attacks by, e.g., your backups operator. You should separately encrypt the backups/dumps. Even if we could put the master key in a hardware token, that would not be sufficient to make the keys that much more secure. The only case that KDB/HDB encryption gets you more security is where it's easier to steal the disks than the whole system, and you either store the master key on a disk that's inside the system or you type it in when the daemons start. With modern kit that's just not the case, so you might as well not encrypt the KDB/HDB. (MIT doesn't give you the option; Heimdal does.) Nico --