2 Replies Latest reply on Jul 2, 2020 12:28 PM by Brian Leap

    Can ssh keys be encrypted at rest?

    Brian Leap
      Share This:

      We were asked by our security department if the ssh keys we use for MFT connection profiles can be encrypted at rest. Is it possible to do this and have Control-M Agent still be able to use the private key on a connection?  Wondered if anyone was doing this and used a third party encryption like (BitLocker, Winmagic, other) to encrypt Windows folders?

        • 1. Re: Can ssh keys be encrypted at rest?
          Bentze Perlmutter

          Hi Brian,

           

          As long as the application (MFT) doesn't need to actively decrypt/encrypt the private key as it reads it, so I don't see a problem with this.

          I.e. If the encryption/decryption was managed by the OS and applications don't need to take part so MFT would be fine.

          But if you need MFT to decrypt/encrypt the private key file as it was being read, I don't think that is possible with the current version. I'm not aware of a user-exit that can be enabled to have MFT perform any customized actions while it was reading the private key.

           

          BTW, the new Centralized Connection Profile(CCP) feature coming in v20, which supports MFT CPs, stores CPs in the EM and CTMS databases. It therefore may also include storing the private key in the database and then the need to encrypt the keys at rest on the file system goes away. Might be worth asking someone from BMC to confirm if storing the MFT Private SSH Keys in the EM/CTMS DBs will be part of CCP?

           

          Regards,

          Bentze

          1 of 1 people found this helpful
          • 2. Re: Can ssh keys be encrypted at rest?
            Brian Leap

            Thank you Bentze.  I'll check with BMC about how this is handled in V20....