Log Encryption

This feature was added in version 6.1 of Iguana.

Introduction

Using encrypted logs greatly increases data security. Iguana Professional and Enterprise tiers use encrypted logs — encryption is mandatory and cannot be disabled.

Log encryption must be enabled each time the Iguana Server starts. This can be done by entering (or scripting) a password or by using the Auto-Unlock option.

How it Works

Iguana generates a log encryption key that is used to encrypt the log files. This key is stored securely in an encryption locker file. By default the locker file is stored in the Iguana working directory, but this location can be changed. Each time the Iguana Server starts up the encryption locker file must be unlocked so that Iguana can use the encryption key. The locker file can only be unlocked with a password chosen by the user.

Warning: It is critical not to forget the encryption locker password!

If the locker password is lost then you will not be able to open the locker file — which means you will lose access to all historical (encrypted) logs. There is no alternative method to recover the logs.

We recommend storing the password securely in at least two places, for example: one encrypted copy on a different physical device from the Iguana Server, and a second hard copy in a safe.

These are the technical details:

  • The log encryption key is generated by Iguana:

    Iguana generates a 32 byte AES key value using PKCS5 and SHA-256

  • The generated key is used to encrypt the log files:

    Iguana uses the generated 32 byte AES key to encrypt the log files using AES-256 and CBC block cipher mode

  • The key is stored in an encryption locker file:

    Iguana stores the key in a proprietary format encryption locker file, that uses a .locker extension

  • By default the locker file is stored in the Iguana working directory:

    By default Iguana stores the locker file in its working directory, but the location can be changed in the Log Encryption settings

  • To use the encryption key the locker file must first be unlocked with a password chosen by the user:

    Each time the Iguana Server starts, the encryption locker file must be unlocked with the password before Iguana can access the encryption key. It is important that a strong password is used for security (to prevent hacking). This password must also be stored securely, as it is the only way to read the log files — if the password is lost the log files cannot be recovered by other means.
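
The technical details above list the building blocks but not how they fit together. The following Go program is an added example written for this page; it is not Iguana's code, and the real .locker format is proprietary and not published. It models the design the list describes: a random 32-byte key encrypts log data with AES-256 in CBC mode, and a locker file protects that key under a key-encryption key derived from the user's password with PKCS#5 PBKDF2 using HMAC-SHA256. The salt length, the iteration count, the HMAC-SHA256 tag on the locker, the file layout and the 100000-round setting are all assumptions made for the example; generating the log key itself is just 32 bytes from crypto/rand and is left to the caller.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"io"
)

const keyLen, saltLen, pbkdf2Iter = 32, 16, 100000 // assumed: AES-256 key bytes, salt bytes, PBKDF2 rounds (real .locker format is proprietary)

// pbkdf2SHA256 is PKCS#5 PBKDF2 with HMAC-SHA256 (RFC 8018), standard library only.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf, dk := hmac.New(sha256.New, password), []byte(nil)
	for block := uint32(1); len(dk) < dkLen; block++ {
		prf.Reset()
		prf.Write(binary.BigEndian.AppendUint32(append([]byte(nil), salt...), block)) // S || INT(i)
		u := prf.Sum(nil)              // U1
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			subtle.XORBytes(t, t, u)
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// EncryptLog: AES-256-CBC with PKCS#7 padding and a random IV; output is IV || ciphertext.
func EncryptLog(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(data)%aes.BlockSize
	padded := append(append([]byte(nil), data...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// DecryptLog reverses EncryptLog and rejects malformed input or bad padding.
func DecryptLog(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or ciphertext length")
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

// SealLocker wraps the random logKey under the password as salt || (IV || ct) || HMAC-SHA256 tag.
func SealLocker(password string, logKey []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	kek := pbkdf2SHA256([]byte(password), salt, pbkdf2Iter, 2*keyLen) // enc key || mac key
	body, err := EncryptLog(kek[:keyLen], logKey)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, kek[keyLen:]) // encrypt-then-MAC: a wrong password fails cleanly
	mac.Write(salt)
	mac.Write(body)
	return append(append(append([]byte(nil), salt...), body...), mac.Sum(nil)...), nil
}

// OpenLocker recovers the log key, failing if the password is wrong or the file was altered.
func OpenLocker(password string, locker []byte) ([]byte, error) {
	if len(locker) < saltLen+2*aes.BlockSize+sha256.Size {
		return nil, errors.New("locker file truncated")
	}
	salt, body, tag := locker[:saltLen], locker[saltLen:len(locker)-sha256.Size], locker[len(locker)-sha256.Size:]
	kek := pbkdf2SHA256([]byte(password), salt, pbkdf2Iter, 2*keyLen)
	mac := hmac.New(sha256.New, kek[keyLen:])
	mac.Write(salt)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("wrong password or corrupted locker file")
	}
	return DecryptLog(kek[:keyLen], body)
}
```

Two properties of this layout matter for the rest of the page. The password never becomes the log key; it only unwraps a random key, which is why a locker file can be copied between servers and why changing the password on one copy leaves the others untouched. And nothing in the file can be used to recover the key without the password: a wrong password simply fails the tag check, which is the mechanical reason behind the warning that a lost locker password means the encrypted logs are gone.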

Locker Initialization

The locker must be initialized (unlocked) using the Log Locker Password each time the Iguana Server is started — so Iguana can access the log encryption key. If the initialization process fails Iguana will not be able to encrypt or decrypt the logs.

There are several ways to initialize the locker file:

  1. Enter the password manually using the Iguana GUI:

    Each time the Iguana Server is started you will need to enter the Log Locker Password. The Initialize Log Encryption Locker screen will open on startup so you can enter the password. You cannot leave this screen until the correct password has been entered.

  2. Use the Auto-Unlock feature to enter the password automatically:

    When Auto-Unlock is enabled Iguana will automatically apply the user password on startup — so you don’t need to enter it manually or provide it in a script. This option can be enabled/disabled in the Log Encryption settings. Iguana encrypts and stores your password in a proprietary auto-unlocker file that uses a .autounlocker extension, located in the same directory as your log encryption locker. Each time Iguana starts up it will extract and decrypt your password from the auto-unlocker file.

  3. Enter the password manually as a startup parameter in a command or terminal window:

    The third option is to supply the password as a command line argument to Iguana by using the log_encryption_password argument. If starting Iguana from the command line this is supplied as --log_encryption_password "<your-password-goes-here>".

  4. Supply the password in the Iguana Service configuration file:

    If Iguana is running as a service, then the log_encryption_password argument can also be used in the iguana_service.hdf file.

And this is how to use the various options:

  1. Enter the Log Locker Password manually on startup using the Iguana GUI:
    • First you will need to login to Iguana
    • The Initialize Log Encryption Locker screen will open
    • Enter the password and press the Unlock button
  2. Enable the Auto-Unlock feature to enter the password automatically:
    • Open Settings > Log Encryption
    • Click the Enable button
    • Enter the Log Locker Password and click Enable
  3. Enter the password manually as a startup parameter in a command or terminal window:
    • (screenshot: the startup parameter and password in a Mac terminal window)
    • Using a Windows command window is very similar
  4. Supply the password in the Iguana Service configuration file (iguana_service.hdf):
    • (screenshot: the settings for a Windows Service)
    • You would need to modify line 7 instead when setting up a Mac/Linux daemon

Locker Security

This section addresses security issues relating to the locker file, and explains how to optimize security. In particular we discuss the strengths and weaknesses of the various locker initialization methods.

In general we recommend using the Auto-Unlock option as it provides the best balance of security and convenience.

Password issues:

  • Always use a strong password:

    It is important that a strong password is used for security (to reduce the risk of hacking).

  • Store the password securely:

    The password must be stored securely as it is the only way to read the log files, and if it is lost the log files cannot be recovered by other means. You will need to have a system in place for storing the password in a secure fashion.

These are the issues for the various initialization options:

  1. Enter the password manually using the Iguana GUI:

    Recommended. This is the most secure method when used correctly. Because the password is not stored on disk it minimizes the risk of hacking. Unfortunately this method has human weaknesses. There is a temptation to use a simple and memorable password that is less secure. If multiple people need to restart the Iguana Server then the password will need to be shared. If a strong password is used and shared then it becomes more likely that people will need to record it (on disk or paper etc), which is a definite security risk (how often have you seen a password on a sticky note attached to the monitor?).

  2. Use the Auto-Unlock feature to enter the password automatically:

    Recommended. This method is the best compromise in most cases — particularly if there are multiple people who need to be able to restart the Iguana Server. The password is stored securely on disk in encrypted format (making it very difficult to hack). In theory a determined hacker could recover the password from the auto-unlocker file — but in practice this is highly unlikely. To mitigate this risk access to the auto-unlocker file should be restricted to as few users as possible (preferably just the administrator). The main advantage is that the user is not required to memorize the password and is therefore not tempted to use a simple (easily hacked) password. The main weakness of this method is a human one: you are more likely to lose or forget the password as you are not using it regularly (not a problem if you have a system in place to store the password securely).

  3. Enter the password manually as a startup parameter in a command or terminal window:

    Not Recommended. This method has the same issues as the first method, plus the risk that the password is entered as plain text. When using the command line the password is visible as plain text in the command line window, and also visible in the command history. The risk for this method can be mitigated by ensuring that only administrators can login to view the command line that is running Iguana. Also security can be further increased by restricting physical access to the hardware, and/or by disallowing remote access to the server. All of these mitigations are susceptible to human error — the first option is more secure and easier to implement.

  4. Supply the password in the service configuration file (iguana_service.hdf):

    Not usually Recommended. In most cases method two is preferred as it provides similar security and is easier to manage. This method is secure so long as you store the service configuration file (iguana_service.hdf) on an encrypted device — you should also restrict access to as few users as possible (preferably just the administrator). As with option two a determined hacker could recover the password from the iguana_service.hdf file — but in practice this is highly unlikely.

  5. Supply the password in a script file:

    Not usually Recommended. In most cases method two is preferred as it provides similar security and is easier to manage. This method is secure so long as you store the script file containing the password on an encrypted device — you should also restrict access to as few users as possible (preferably just the administrator). As with option two a determined hacker could recover the password from the script file — but in practice this is highly unlikely.
    Note: This is a special case of option three — where you create a script to automate the command line process.
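
Options 2, 4 and 5 all come down to the same control: the file that holds (or unlocks) the password must be readable only by the account that runs the Iguana Server. The Go program below is an added example, not Iguana's own tooling, that makes this check repeatable on Linux or macOS. It lists the .locker and .autounlocker files in a directory, plus iguana_service.hdf for option 4, and flags any file whose POSIX mode grants group or other users any access. The file name patterns, the directory argument and the 0600-or-stricter policy are assumptions for the example. On Windows the NTFS ACL, not the mode bits, decides who can read the file, so this check does not apply there.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// FileReport is the result of checking one password-bearing file.
type FileReport struct {
	Path    string
	Mode    os.FileMode // permission bits only
	TooOpen bool        // true if any group or other permission bit is set
}

// Patterns for the files that can hold or unlock the log encryption key. The
// .locker and .autounlocker extensions are the ones described for Iguana; including
// iguana_service.hdf covers the case where the password sits in the service config.
var sensitivePatterns = []string{"*.locker", "*.autounlocker", "iguana_service.hdf"}

// AuditLockerDir reports every matching file in dir and whether its POSIX mode lets
// anyone besides the owner touch it. Assumed policy: 0600 or stricter (only the account
// that runs the Iguana Server). Not meaningful on Windows, where NTFS ACLs apply.
func AuditLockerDir(dir string) ([]FileReport, error) {
	var reports []FileReport
	for _, pattern := range sensitivePatterns {
		matches, err := filepath.Glob(filepath.Join(dir, pattern))
		if err != nil {
			return nil, err
		}
		for _, path := range matches {
			info, err := os.Stat(path)
			if err != nil {
				return nil, err
			}
			perm := info.Mode().Perm()
			reports = append(reports, FileReport{
				Path:    path,
				Mode:    perm,
				TooOpen: perm&0o077 != 0, // any group/other bit set
			})
		}
	}
	return reports, nil
}

// TooOpenFiles filters an audit down to the files that need tightening.
func TooOpenFiles(reports []FileReport) []string {
	var bad []string
	for _, r := range reports {
		if r.TooOpen {
			bad = append(bad, r.Path)
		}
	}
	return bad
}

func main() {
	dir := "." // assumed: run from the Iguana working directory, or pass a directory
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	reports, err := AuditLockerDir(dir)
	if err != nil {
		fmt.Fprintln(os.Stderr, "audit failed:", err)
		os.Exit(2)
	}
	for _, r := range reports {
		status := "ok"
		if r.TooOpen {
			status = "TOO OPEN: restrict to the Iguana service account (chmod 600)"
		}
		fmt.Printf("%-40s %04o %s\n", r.Path, uint32(r.Mode), status)
	}
	if len(TooOpenFiles(reports)) > 0 {
		os.Exit(1) // non-zero exit so a cron job or monitoring check can alert on it
	}
}
```

Run it from the directory that holds the locker (or pass that directory as the first argument) after every install, upgrade or migration, since copying a locker file to a new server is exactly the moment a restrictive mode tends to get lost. The audit is read-only; it reports the problem rather than changing modes itself, so the fix stays a deliberate administrator action.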

Sharing a Locker File

It is possible for a group of Iguana Servers to share the same log encryption key. This can be useful if you are managing multiple servers and want to keep the logs compatible (able to be viewed) across all servers in the group. This is achieved by copying the same encryption locker file to each Server in the group. Usually you would use the same encryption locker password for every copy of the locker file.

Note: If you change the encryption locker password for one copy of the encryption locker file it does not affect other copies of the locker file.

Usually you will want to use the same encryption locker password for all copies of the locker file. This means you will need to change the password individually on each server that is using a copy of the locker.

Alternatively you can use the same encryption locker password for different log encryption keys. This can simplify management when you don’t want to share logs. This is achieved by creating a new locker file for each server and entering the encryption locker password for each server.

Tip: If this seems complex just remember you are dealing with two passwords — or rather a password and an encryption key. And either one or both can be shared.

Note: The reason that multiple servers cannot use the same encryption locker file (instead of copies) is to prevent locking issues.

Install Procedure

<decide on what channels I want on the current one = easy to reproduce> <because I will probably have to repeat process>

<follow google doc steps – test it as I go = need to make it REALLY clear>

Upgrade Procedure

<use the same channels as install = consistent = less confusing>

 <Cannot encrypt existing logs – only new ones – THIS IS WHERE IT IS RELEVANT…>

<prepend the first 3 steps – then follow install above…>

<TIP we recommend install>

Migration Procedure

<use the same channels as install/upgrade = consistent = less confusing>

<migrating to a new server>

<follow install>
<stop Iguana>
<copy over encrypted logs + locker file>
<start Iguana>

<Downgrade previous server – after a cool-down period???>

Downgrade Procedure

<this one I need to figure out for myself>

<usually frequently part of MIGRATION = last step…>

<there are two reasons to downgrade>
<NOTE: migrate = backup + copy to new server>
<NOTE: decommission = export probably + backup>

<export all the logs??? – useful if decommissioning the server (not migrating)><see accessing logs in other applications>
<make a backup including the locker – so you can open logs later with a Pro/Ent license>
<change to a non Ent/Pro = BASE tier key – can I do this live in Iguana?><probably – need to test>

======================================================================

======================================================================

There are two options available to enable access for encrypted logs:

  1. Enter a user specified password each time the Iguana Server is started.
  2. Use the Auto-Unlock feature for greater convenience.

<gotchas to emphasize><cannot encrypt existing logs><cannot see encrypted logs after a downgrade><MAYBE JUST MENTION IN THEIR OWN SECTIONS OTHERWISE IT SOUNDS NEGATIVE TOWARDS THE PRODUCT>

IT IS STILL VERY IMPORTANT YOUR PASSWORD IS RECORDED IN A SAFE PLACE EVEN WITH THIS ENABLED. IF IT IS EVER DISABLED/THE AUTO-UNLOCKER FILE IS DELETED YOU WILL NEED IT AGAIN TO ACCESS YOUR LOGS.
