
Comments (7)

NeutralGround avatar NeutralGround commented on May 20, 2024 1

Thanks @jedisct1, fixed the issue with file permission and nobody user privilege, now it is working fine :)

from encrypted-dns-server.

jedisct1 avatar jedisct1 commented on May 20, 2024

Hi!

Indeed, key generation is directly handled by the server. The intent was to make it as simple as possible to use, as certificate management can be quite complicated to properly set up.

Adding an option to avoid keys from being generated/rotated would be trivial.

But what mechanism are you thinking of in order to import keys?

State files are not machine-specific. A machine can run the server without accepting any connections, just to update the state file. For such a use case, an option to simply update that file and immediately quit can also be added, so you can run that as a cron job.

Then, the state file can be periodically copied to the actual resolver. Right now, the proxy needs to be restarted to read the new file, but that can be avoided, either by sending a signal or by watching the file for changes (if writes are guaranteed to always be atomic).

Another way can be to leverage the fact that we already have a minimal built-in HTTP server, currently used for the Prometheus metrics API. And add an API to store a new key, only accessible from a predefined IP address.

What do you think? Any other idea?


dapphp avatar dapphp commented on May 20, 2024

Key management is indeed a bit tricky! I believe much of my code is from your old Docker bash script to do key rotation with dnscrypt-wrapper but I can't find the initial reference anymore (so if it was, thank you again!).

My main concern and desire for having this is because I keep wanting to spin up a VPS to run this for the community, but I don't trust that anything (especially the server keys) is safe on a VPS. I wouldn't really call it a secure or trusted server if at any time, the VPS provider could snapshot the system and extract keys from disk or memory.

I hadn't thought too much about different ways to update the server with the keys but wasn't expecting anything too "fancy".

A first pass might simply be getting the server to reload certs through a signal, which may mean updating the state file externally, and then supplying it to the server.

Question: I tried to read the code a bit to understand, but couldn't quite get it. Are there still short-term keys in use that are generated from long-term keys? Generating the state file offline and transferring it to the server is fine, but it defeats the purpose if the state file also has long-term signing keys that we don't want to transfer to the server.

To better understand, does encrypted-dns-server still rotate keys periodically (if so how often)? Also, does it ever keep more than one cert in memory to allow for rotation issues and clients to switch to new keys?

My current setup generates a key every 12 hours that's good for 24 hours, and keeps at least 2 of those keys/certs active in the dnsdist server at any given time. I'm not sure that encrypted-dns-server works the old way anymore, especially since this does more than just DNSCrypt.


ibksturm avatar ibksturm commented on May 20, 2024

To better understand, does encrypted-dns-server still rotate keys periodically (if so how often)? Also, does it ever keep more than one cert in memory to allow for rotation issues and clients to switch to new keys?

@jedisct1
That's a good question, so does encrypted-dns generate 2 keys (for example 24h, 1 week)? How can we configure it in the .toml file?

greets


jedisct1 avatar jedisct1 commented on May 20, 2024

@ibksturm A new key is generated every 8 hours, and is valid for 24 hours.

After a new key has been generated, the previous ones are not served any more, but queries using them are still accepted until they expire.

The TTL and rotation times are hardcoded here.


NeutralGround avatar NeutralGround commented on May 20, 2024

Hi @jedisct1,

First of all, thank you for your time and effort on this wonderful software.

Would like to understand if there is any way I could check that the keys are rotated. Reason being I am not sure if I have configured the file permission correctly for the .state file and if the keys are indeed rotated.


jedisct1 avatar jedisct1 commented on May 20, 2024

Hi @NeutralGround

The easiest way would be to look at the timestamp of the .state file. It should change every 8 hours.

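As an added example (not code from encrypted-dns-server or its maintainer), the following script models the schedule stated in the thread (a new key every 8 hours, each valid for 24 hours, only the newest served) to show how many keys are accepted at any moment, and implements the suggested check on the .state file: its mtime should move at least every 8 hours, and the file holding key material should not be world-readable. The path and the first-generation timestamp are assumptions supplied by the caller.

```python
"""Constructed example: rotation window model and .state freshness check."""
import os
import stat
import time
from dataclasses import dataclass
from typing import Optional

ROTATION_SECS = 8 * 3600   # a new key is generated every 8 hours (per the thread)
TTL_SECS = 24 * 3600       # each key stays valid for 24 hours


@dataclass(frozen=True)
class KeyStatus:
    served: int      # keys advertised to clients (only the newest one)
    accepted: int    # keys whose queries are still accepted (not yet expired)


def key_window(now: float, first_gen: float) -> KeyStatus:
    """Assume keys are generated at first_gen and every ROTATION_SECS after it.
    Count how many are unexpired at `now`; the server serves only the newest."""
    if now < first_gen:
        return KeyStatus(0, 0)
    generated = int((now - first_gen) // ROTATION_SECS) + 1
    unexpired = sum(
        1 for i in range(generated)
        if now < first_gen + i * ROTATION_SECS + TTL_SECS
    )
    return KeyStatus(served=1, accepted=unexpired)


def state_file_report(path: str, now: Optional[float] = None) -> dict:
    """Check the .state file (path is an assumption) for evidence of rotation
    and for permissions that would expose the key material to other users."""
    now = time.time() if now is None else now
    st = os.stat(path)
    age = now - st.st_mtime
    return {
        "age_secs": age,
        # If the file has not changed within one rotation interval,
        # rotation (or the write to the file) is not happening.
        "rotated_recently": age <= ROTATION_SECS,
        "world_readable": bool(st.st_mode & stat.S_IROTH),
        "owner_writable": bool(st.st_mode & stat.S_IWUSR),
    }


if __name__ == "__main__":
    t0 = 0.0
    for hours in (0, 8, 16, 24, 100):
        print(hours, key_window(t0 + hours * 3600, t0))
```

In steady state the model reports three accepted keys and one served key, which is the overlap that lets clients holding an older certificate keep resolving until it expires.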
