Physical Security for SSL Keys

A key component of security is to ensure the integrity of data at rest, or in this case, for stored SSL keys.

Locally Stored Keys

Private keys are never stored on an Avi Service Engine’s file system. They are pushed down to the SEs from the Avi Controller and kept in memory for establishing the SSL session with clients. Should an SE be compromised or rebooted, all configuration, including the private key and public certificate, are wiped. When the SE comes back online, a Controller may choose to repurpose the SE with a new (or the same) config. Or the Controller may simply delete the SE, depending on the circumstances.

The Controllers store the keys locally in a database in which sensitive information is encrypted. The keys will be encrypted during backups provided a passphrase is included during the backup process. To encrypt (all sensitive fields like passwords or private keys) before storing to the database, use the following:
Encryption Algorithm : AES_256_CBC
IV : 16 byte random data
Key: random 32 bytes
User passwords are hashed using PBKDF2 (Password-Based Key Derivation Function 2) algorithm with a SHA256 hash. All other passwords (for example cloud credentials) are also encrypted with using this method.

As the Controllers store the system configuration, including the private SSL keys, it is critical to ensure their proper security. Numerous options exist to lock down the access levels of administrators, ensure strong passwords, and limit administrative source IP address ranges.

For administrators having full access to the certificates and keys, an attempt to export a private key will be noted in the Operations > Events > Config Audit log. Using role-based access, export ability should be restricted to the fewest number of administrators possible.

SSL Export

Thales Luna (formerly SafeNet Luna) HSM & Externally Stored Keys

To guarantee a higher level of physical security, Avi Vantage supports the use of external hardware security modules and certificate stores. The original key is stored on the external system, with the public key available to Avi Vantage. Avi Vantage supports the following types of external key stores: