Open mig5 opened 10 years ago
I'm now converting the PHP source of ykval-verify.php to Go. As I see it, the most sensitive data (the AES key) is only stored in the KSM, so no, you don't need disk encryption for the validation server.
The API key is used only for checking the validation request's integrity; it is only a first line of protection.
The end of the Validation Server documentation at https://github.com/Yubico/yubikey-val/wiki/Installation states:
"You now have a YK-VAL up and running. See https://github.com/Yubico/yubikey-ksm/wiki/ServerHardening on how to improve security of your system."
Yet the ServerHardening page is in the KSM wiki. Should there be a separate ServerHardening page in the Validation wiki, to avoid confusion?
The ServerHardening doc in the KSM wiki then states "The database contains sensitive information." - which database? I understand that the KSM database does, but are we to interpret this as meaning that the ykval database for the Validation server also contains sensitive information?
Therefore, does the validation server need to use encrypted volumes too? Or just KSM?
As you can see, the docs are a little vague in what is perhaps the most important area not to be :)
Thank you for any clarification and for open sourcing this software.
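The request integrity check mentioned in the reply above, as an added example that is not part of the thread and not yk-val's own code. It assumes the request signature of the Yubico validation protocol (HMAC-SHA1 over the sorted parameters, keyed with the base64-decoded API key); `canonical`, `Sign` and `Verify` are hypothetical names and the key and parameter values are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// canonical builds the signed string: every parameter except "h",
// sorted by name and joined as k=v pairs with "&".
func canonical(params map[string]string) string {
	pairs := make([]string, 0, len(params))
	for k, v := range params {
		if k != "h" {
			pairs = append(pairs, k+"="+v)
		}
	}
	sort.Strings(pairs)
	return strings.Join(pairs, "&")
}

// Sign returns base64(HMAC-SHA1(apiKey, canonical(params))).
func Sign(params map[string]string, apiKeyB64 string) (string, error) {
	key, err := base64.StdEncoding.DecodeString(apiKeyB64)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha1.New, key)
	mac.Write([]byte(canonical(params)))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil)), nil
}

// Verify recomputes the signature and compares it to params["h"]
// in constant time; a missing or altered "h" fails.
func Verify(params map[string]string, apiKeyB64 string) bool {
	want, err := Sign(params, apiKeyB64)
	return err == nil && hmac.Equal([]byte(want), []byte(params["h"]))
}

func main() {
	apiKey := "Y29uc3RydWN0ZWQta2V5" // constructed: base64("constructed-key")
	req := map[string]string{"id": "1", "nonce": "constructednonce0001", "otp": "constructed-otp-value"}
	req["h"], _ = Sign(req, apiKey)
	fmt.Println("untampered request verifies:", Verify(req, apiKey))
	req["otp"] = "another-otp-value" // any change to a signed field breaks h
	fmt.Println("tampered request verifies:", Verify(req, apiKey))
}
```

Nothing in this check touches the AES key: the signature only shows that the request was not altered and came from a holder of the API key.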