Lead Image © Marqs, photocase.com

Lead Image © Marqs, photocase.com

Password management with FreeIPA

Safely Stored

Article from ADMIN 37/2017
Passwords should be safe, but easy to remember – a contradiction that can be difficult to resolve. One remedy is a password manager that stores all passwords centrally. The open source tip this month shows a different approach: FreeIPA.

Passwords need to be long, contain as many characters as possible, and use special characters and numbers. If you do this, then your password is secure, but unfortunately very hard to remember. Consequently, there are a variety of tools that let you deposit hard-to-remember passwords in a type of safe. The safe in turn is protected by a master password, and the passwords it contains are only released if you enter the password correctly. However, the user is then usually given access to the complete inventory of the safe. In the open source world, the KeePass [1] tool is a well-known candidate for this job.

Key Recovery Agent

Key Recovery Agents (KRAs) offer a different type of password safe. They are often part of a larger identity management solution, offering both users and services different forms of password safes – known as password vaults [2]. These are then available not only locally on a client, but throughout the network. The idea is that lost private user keys can be restored, since a copy is deposited in the password safe.

Version 4.2 or newer of the FreeIPA Identity Management framework also features password vaults, where you can store all sorts of data safely. When the data are stored, they are encrypted with a session key. If necessary, this is encoded with another symmetric or asymmetric key. The result is a package consisting of the actual secret (the data) and the keys used. Both together are encrypted again with the public key of the KRA instance and sent to the FreeIPA system, where the whole package is unpacked with the KRA instance's private key. The KRA instance thus gains access to the keys and the actual secret. The secret is again encoded with a storage key, before it is finally deposited on the LDAP back end. An escrow officer can gain access to a safe so that decryption of the data is still possible even if the owner no longer knows the password for accessing the safe.


For this KRA function, FreeIPA uses a subsystem of the built-in Dogtag Certificate System. The system is known as the Data Recovery Manager (DRM) and can be installed in addition to the actual FreeIPA setup:

# dnf install ipa-kra-install

Three types of safes are available:

  • The Standard Vault only encrypts data with a random session key.
  • The Symmetric Vault encrypts the data once again with an arbitrary password; this is the default safe.
  • The Asymmetric Vault uses an additional public key, on top of the session key, to encrypt the data; the matching private key is required to decrypt.

These three safe types can be used in three different containers. In their user container, each user can create any number of safes to store data safely. Safes are visible only to that user. Administrators can create shared containers. Since services also work with private data, these are assigned their own service containers where they can store encrypted data. Access to the service containers is then possible after successful authentication of a service – for example using a Kerberos ticket.

Creating Safes

To use a safe, a user just has to authenticate once before creating a safe:

# kinit tscherf
Password for tscherf@EXAMPLE.COM:
# ipa vault-add company-cc --desc "My company's credit card data" --type symmetric

The first safe has now been created. To store data in it, you can pass in a file to the tool:

# ipa vault-archive company-cc --in ~/company-cc.txt

To retrieve the data, just reverse the process:

# ipa vault-retrieve company-cc --out ~/company-cc.txt

If necessary, several safes can be created in the same container, which users can then view using ipa vault-find.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Credential management with HashiCorp Vault
    Admin teams can use secret sharing to centrally manage shared access to user accounts and services. HashiCorp Vault is one of the few tools that has proven effective when it comes to implementing this solution. Here's how to use this open source tool and keep important credentials safe.
  • Secrets and certificate management
    Vault is a highly secure, trusted place to keep your secrets and certificates.
  • Integrating FreeIPA with Active Directory
    Many companies use Active Directory for centrally managing existing systems, but if you mix in Linux systems, you have to take care of a few things, such as different forms of integration. We show you how to connect the FreeIPA identity management framework as an interface to an Active Directory domain.
  • Centralized Password Management

    Time and again, situations arise in which admins need access to a system they do not otherwise manage. But, do you want to hand over responsibility for password management to a centralized software? What capabilities must that software have?

  • Requirements for centralized password management
    Time and again, situations arise in which admins need access to a system they do not otherwise manage. But, do you want to hand over responsibility for password management to a centralized software? What capabilities must that software have?
comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

Learn More”>


		<div class=