All keys are encrypted at rest using NIST recommended strong encryption methods, and using standard Microsoft cryptographic APIs with settings recommended by API documentation.
Encrypted Values Used by Panel Tools
In some cases it is necessary to provide credentials for a connection provider. This is needed if you are not authenticating to the source or target systems using the Panel Service's service account implicitly. Explicit credentials are stored in the Identity Panel web application after being encrypted with AES256 by Identity Panel.
The AES key in turn is stored in the tenant database (which only has a single tenant for on-premises installations), and is encrypted with the .NET Core Data Protection API, using the DPAPI-NG protection provider. This restricts access to the application pool service account. For SaaS hosted deployments, the Tenant Key is protected with Azure KeyVault premium (with HSM).
When Panel Tools requires the credentials, it makes a decipher request to the web API, and the password is returned over the HTTPS connection. Access to the decipher API is restricted to the built-in Writer role. All other roles, including the Admin role are explicitly excluded from accessing the decipher endpoint, and for requests to the settings endpoint made by users not in the Writer role, even the encrypted values are redacted from settings.
Sensitive config.json Values
When you use PanelTool to connect to your SaaS instance for the first time, Panel Tool prompts you to configure credentials for SCRAM-SHA512 authentication.
The SCRAM authentication password is a 128 bit value generated by a CPRNG. The username is specific to both the user account and server used to access Panel Service. The username and password are written out to Panel Service's config.json, and the password is protected with DPAPI using the CurrentUser mode.
A separate login credential is created for each service account and each server, and will be accessible only by the logged in account, regardless of the Auth:ProtectMode setting. This implies that any account used to run Panel Service or Panel Check must have a user profile to enable it for DPAPI, and you must run PanelTool as that service account before Panel Service will start (or alternatively specify the credential in the Service Setup process.
When non-repudiation is enabled it uses the windows certificate store and security model to protect access to the certificate used to sign database records.
Each database record has serialization logic to generate a byte array, and this array is then hashed and signed using EC-DSA256 which is considered equivalent to or better than RSA2048.
Please sign in to leave a comment.