[ZBXNEXT-1660] Wallet for application credentials Created: 2013 Mar 11 Updated: 2024 Apr 10 Resolved: 2020 Oct 09 |
Status: | Closed |
Project: | ZABBIX FEATURE REQUESTS |
Component/s: | Java gateway (J), Proxy (P), Server (S) |
Affects Version/s: | 2.0.5 |
Fix Version/s: | 5.2.0beta1, 5.2 (plan) |
Type: | New Feature Request | Priority: | Major |
Reporter: | Marc | Assignee: | Vladislavs Sokurenko |
Resolution: | Fixed | Votes: | 66 |
Labels: | credentials, encryption, macros, security, wallet |
Σ Remaining Estimate: | Not Specified | Remaining Estimate: | Not Specified |
Σ Time Spent: | Not Specified | Time Spent: | Not Specified |
Σ Original Estimate: | Not Specified | Original Estimate: | Not Specified |
Attachments: | Selection_199.png, Selection_200.png, ZbxNext1660.png, image-2020-09-11-13-39-45-786.png, image-2020-09-11-13-40-09-476.png |
Issue Links: |
Sub-Tasks: |
Team: | Team A |
Sprint: | Sprint 66 (Jul 2020), Sprint 67 (Aug 2020), Sprint 68 (Sep 2020), Sprint 69 (Oct 2020) |
Story Points: | 7 |
Description |
It would be/become mission-critical for companies dealing with sensitive data to have no passwords stored in clear text, neither in the database nor on the file system. This could be an encrypted database which securely stores, on the file system, all credentials used by or for Zabbix and their usage. A standard that requires this kind of security is PCI DSS (see: https://www.pcisecuritystandards.org/security_standards/documents.php ) |
Comments |
Comment by richlv [ 2013 Mar 11 ] |
also, when dealing with proxies, such data would be passed to proxies, stored in ram, but never written to the proxy db |
Comment by Oleksii Zagorskyi [ 2013 Mar 12 ] |
It's a very serious request about the macro substitution limitation. At the moment we have several places where we can try to resolve, for example, a global user macro even when I have just a user-level account in the Zabbix frontend. Just to keep things linked - macro support accumulated in |
Comment by Marc [ 2013 Mar 12 ] |
There may be no way to gain access to passwords. Neither by using macros (if macros would be used for this issue) in a different context (e.g. email body), nor by items or hosts that are not intended to use them. If macros would be the way of referencing, then it might be useful to add an additional dedicated macro class. @richlv For example: However, the only way that was tolerated is to implement some kind of encoding with the token for decoding being available somewhere hard to find. I think for Zabbix it's sufficient having an Admin log on to the Zabbix server and pass the wallet passphrase or key. |
Comment by Marc [ 2013 Aug 24 ] |
This is a nice post which describes the mentioned dilemma. |
Comment by Oleksii Zagorskyi [ 2016 Nov 04 ] |
Cross references of related things: |
Comment by Marc [ 2016 Dec 21 ] |
I could also think of an implementation without a "wallet". As usual, it's not well thought out and might not consider important aspects. So, any comments are welcome.
Example scenario
Key management
Optionally
Open questions |
Comment by Duncan Mountford [ 2017 Nov 06 ] |
I would love to see this in a future release. We have many situations where storing passwords in Zabbix would be a great help, however due to security constraints we simply cannot store them in a database as plain text. This certainly gets my vote! |
Comment by Jonathan Boucher [ 2017 Nov 17 ] |
I would also love to see this in a future release. Zabbix could fit all our needs, but our company policies don't allow us to store passwords in plain text. This feature is for me a high priority. |
Comment by Gatis Rumbens [ 2018 Oct 11 ] |
btw, a simple solution for the DB... if we just talk about sensitive data in DB/tables, it is implemented in MySQL 5.7 and 8.0. The RDBMS supports tablespace encryption out of the box. Just enable the keyring plugin and alter the table:
ALTER TABLE t1 ENCRYPTION='Y';
|
Comment by Marc [ 2018 Oct 15 ] |
radix, thanks for sharing this. That's an interesting option, although I have my doubts that good encryption can just be a matter of switching it on, without further proper processes. However, while encryption on lower levels like database or file system promises some increased security, it still remains transparent to people/systems having access to the data interfaces (e.g. database instance or file system access). My intention behind this feature request is not only ensuring data is not stored in plain text on persistent storage but also limiting the risk of revealing sensitive data to database or even Zabbix admins, without their having access to the cryptograms and knowing the encryption key. The principal idea behind it is that only the Zabbix process may decrypt sensitive data and that the information required for decryption is not found in the same place, resp. it is stored in different locations (DEK in database and KEK on Zabbix server, or elsewhere). |
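The DEK/KEK split described in the comment above, shown as an added example (this is illustrative code, not Zabbix's implementation): each secret is encrypted under its own data encryption key (DEK), the DEK is wrapped under a key encryption key (KEK) that lives only on the server, and only the wrapped DEK plus ciphertext go into the database. The macro name is bound into both AES-GCM operations as associated data, so a record copied onto another macro will not open. The KEK, the macro name and the secret are constructed here; a real server would load the KEK from a file or HSM outside the database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what would be stored in the database for one secret: the secret
// encrypted under a per-record data encryption key (DEK), and the DEK itself
// encrypted ("wrapped") under the key encryption key (KEK). Without the KEK,
// which lives only on the server, neither field can be opened.
type Record struct {
	WrappedDEK []byte // DEK sealed with the KEK, GCM nonce prepended
	Ciphertext []byte // secret sealed with the DEK, GCM nonce prepended
}

// sealGCM encrypts plaintext with AES-GCM under key and returns nonce||ciphertext||tag.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to the data, key or aad fails the tag check.
func openGCM(key, data, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// Encrypt produces the database record for one secret. The macro name is bound
// in as associated data so the record cannot be re-pointed at a different macro.
func Encrypt(kek []byte, macroName string, secret []byte) (Record, error) {
	dek := make([]byte, 32) // fresh AES-256 key for this secret only
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := sealGCM(dek, secret, []byte(macroName))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := sealGCM(kek, dek, []byte(macroName))
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs both halves: the record (from the database) and the KEK (from the server).
func Decrypt(kek []byte, macroName string, r Record) ([]byte, error) {
	dek, err := openGCM(kek, r.WrappedDEK, []byte(macroName))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, r.Ciphertext, []byte(macroName))
}

func main() {
	// Constructed KEK for the demo; assumed to be held on the server, never in the database.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := Encrypt(kek, "{$DB_PASSWORD}", []byte("correct horse battery staple"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record: wrapped DEK %d bytes, ciphertext %d bytes\n", len(rec.WrappedDEK), len(rec.Ciphertext))
	pt, err := Decrypt(kek, "{$DB_PASSWORD}", rec)
	fmt.Printf("server holding the KEK: %q (err=%v)\n", pt, err)
	_, err = Decrypt(make([]byte, 32), "{$DB_PASSWORD}", rec)
	fmt.Printf("database copy without the KEK: err=%v\n", err)
}
```

A database dump therefore yields only 60-byte wrapped DEKs and opaque ciphertexts; the KEK is the single item that must be protected on the server side, and rotating it means re-wrapping the DEKs without touching the secrets themselves.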
Comment by Francine SAUVAGE [ 2019 Sep 25 ] |
Hello, Finally, is there a way to encrypt a password (in a MACRO {$PASSWORD} in my use case)? Regards, Francine |
Comment by Raymond Kuiper [ 2019 Sep 25 ] |
Not currently, no. Please vote on the issue to let the Zabbix dev team know that you would like this issue developed, and possibly send [email protected] a request for a (co-)sponsorship quote if you are willing to contribute to have the feature developed. |
Comment by Francine SAUVAGE [ 2019 Sep 25 ] |
I have already voted. It is critical !! |
Comment by Alexei Vladishev [ 2020 Feb 12 ] |
Zabbix 5.0 is coming with support for masking of user macros, see |
Comment by Francine SAUVAGE [ 2020 Jul 31 ] |
Security by obstruction is one of the worst ways (not) to do it. |
Comment by Rostislav Palivoda [ 2020 Aug 11 ] |
Acceptance criteria v1.1 |
Comment by Vladislavs Sokurenko [ 2020 Aug 25 ] |
Implemented in development branch feature/ZBXNEXT-1660-5.1 |
Comment by Miks Kronkalns [ 2020 Sep 25 ] |
Implemented in: |
Comment by Miks Kronkalns [ 2020 Oct 02 ] |
Updated Zabbix manual:
Updated Zabbix API documentation: |
Comment by Alexander Romanov [ 2020 Oct 10 ] |
w00t! |
Comment by Yurii Polenok [ 2021 Feb 12 ] |
Is it possible to add support for KV Secrets Engine - Version 1? |