On Tue, Mar 14, 2017 at 03:54:36PM -0700, Adam Lewenberg wrote: > If you use a master key and you back up all your files _except_ the master > key to some remote location, wouldn't that suffice to protect the database > in that remote location?
No. The problem is that the master key is not used to bind principal keys to principal records. This means that a backup operator could give you back a dump where a user's keys are pasted into the krbtgt principal(s), and if you load this dump that user will now be able to mint tickets for any service as any user. (You might notice this attack, but probably not in time to stop it.) Nico --
