Zentific: Secure Credential Store

Overview

To better safeguard your valuable resources, Zentific implements a credential store using industry-standard encryption mechanisms.  To do so, we utilize public key cryptography. This means that your data is protected by using a pair of keys for encryption: a public key, which encrypts data, and a corresponding private, or secret key for decryption. 

The Zentific architecture is highly modular, and this fact can be used to improve security posture. Our application server, zrpc, holds the public key in its possession, and the private key is stored alongside the Zentific scheduler, zensched. Because public and private keys can (and should) be separated, it is possible to better secure your data. Toward that end, we very strongly recommend running zrpc on a server distinct from that running zensched.  By utilizing this configuration, zrpc can be placed in a client- or customer-facing position that may by necessity be more exposed to threats on the network and elsewhere. At the same time, zensched can be placed on a server with greater access to your internal resources, without being directly exposed to outside threats.

When zrpc receives sensitive data, it immediately encrypts it, discards the unencrypted input, and saves the encrypted result.  This server is now incapable of retrieving the data in an unencrypted state, because it lacks access to the private key. If the database itself is stolen, data remains encrypted and unexposed. Only zensched, in its protected location, can decrypt the data for use.

-------------------------

Instructions:

# Install zrpc and zensched

# Make a private key
openssl genrsa  -out credstore-pkey.pem 1024

# Extract the public key from private key
openssl rsa -in credstore-pkey.pem -pubout > credstore-pubkey.pem

# On the system where both keys were created:
# 	-copy the private key to the server where zensched resides
#	-remove the private key
#	-move the public key to the server where zrpc resides
scp credstore-pkey.pem user@serverWithZensched:~
rm credstore-pkey.pem
scp credstore-pubkey.pem user@serverWithZrpc:~
rm credstore-pubkey.pem

# On the server where zensched resides:
#	-move the private key into its place
#	-set file ownership
#	-set restrictive file permissions
mv ~/credstore-pkey.pem /opt/zentific
chown zentific:zentific /opt/zentific/credstore-pkey.pem
chmod 600 /opt/zentific/credstore-pkey.pem

# On the server where zrpc resides:
#	-move the public key into its place
#	-set file ownership
#	-set restrictive file permissions
mv ~/credstore-pubkey.pem /opt/zentific
chown zentific:zentific /opt/zentific/credstore-pubkey.pem
chmod 600 /opt/zentific/credstore-pubkey.pem