-1

I have an application where, ideally, users will sign in using AD. I also need to store an encryption key for each user which should be encrypted before it's stored.

Is there any mechanism which AD, Kerberos or any of the social SSOs provide which could give me a secret based on my authentication/authorization which I could use to encrypt a key?

Alternatively any API similar to DPAPI but which would work reliably across devices?

Finally, would it be considered bad practice to store an encryption key, unencrypted, in AD? It looks to me like BitLocker is effectively doing this.

CamW
  • 3,223
  • 24
  • 34

3 Answers

0

Best I can find so far is to use something like HashiCorp Vault, which allows keys to be stored against AD users and encrypts based, ultimately, on a memory-resident key.

CamW
  • 3,223
  • 24
  • 34
0

You are looking for Kerberos keytabs, aren't you?

Michael-O
  • 18,123
  • 6
  • 55
  • 121
  • I don't know, I'd have to look into those and what's possible, thanks for the suggestion – CamW Jan 31 '18 at 09:57
0

HashiCorp Vault supports multiple auth backends. LDAP is one of them. Also look at t-vault. It is built on top of HashiCorp Vault; it will give you a nice UI as well as a higher level of abstraction called a safe. You can create safes for every user in AD. Grant access to a safe for a user or to an LDAP group.

You can look at a quick demo of t-vault here.

Varad
  • 21
  • 1
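The two Vault answers above both come down to the same thing: authenticate the user against AD over LDAP, then let each user reach only their own slice of a key/value store. The policy below is an added example of how that looks in plain Vault without t-vault; it is not code from either answer or from the Vault or t-vault projects. It assumes a KV v2 engine mounted at `secret/`, the LDAP auth method mounted at `auth/ldap/`, and uses `auth_ldap_00000000` as a placeholder for the LDAP mount accessor, which you would look up with `vault auth list -format=json`.

```hcl
# Added example, not from the answers above: one Vault policy shared by every
# AD user, which confines each of them to a KV v2 path named after their own
# LDAP alias (the sAMAccountName or UPN the LDAP auth method recorded).
#
# ASSUMPTIONS: KV v2 mounted at "secret/", LDAP auth mounted at "auth/ldap/",
# and "auth_ldap_00000000" is a PLACEHOLDER for the real LDAP mount accessor.

# Per-user secret area: read/write the user's own wrapped encryption key.
# KV v2 stores the payload under the "data/" prefix.
path "secret/data/users/{{identity.entity.aliases.auth_ldap_00000000.name}}/*" {
  capabilities = ["create", "read", "update", "delete"]
}

# KV v2 keeps version history and listings under the "metadata/" prefix;
# the user needs it to enumerate and clean up their own entries.
path "secret/metadata/users/{{identity.entity.aliases.auth_ldap_00000000.name}}/*" {
  capabilities = ["list", "read", "delete"]
}

# Nothing else is granted. Vault is deny-by-default, so another user's
# "secret/data/users/<other-user>/..." path is unreachable with this policy.
```

Load it with `vault policy write per-user-kv per-user-kv.hcl` and attach it to an AD group with `vault write auth/ldap/groups/<ad-group> policies=per-user-kv`; every member who logs in via `vault login -method=ldap` then gets a token whose templated path resolves to their own name, so the same policy text serves the whole directory. The value stored there is the user's encryption key, which Vault encrypts at rest with its barrier key, the memory-resident key the first answer refers to, so the stored key is never written to disk in the clear.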