commit
4e6d8b9e70
7 changed files with 50 additions and 42 deletions
@ -124,13 +124,13 @@ func (c *ServerCommand) Run(args []string) int {
|
|||
return 1
|
||||
}
|
||||
|
||||
// If mlock isn't supported, show a warning. We disable this in
|
||||
// dev because it is quite scary to see when first using Vault.
|
||||
// If mlockall(2) isn't supported, show a warning. We disable this
|
||||
// in dev because it is quite scary to see when first using Vault.
|
||||
if !dev && !mlock.Supported() {
|
||||
c.Ui.Output("==> WARNING: mlock not supported on this system!\n")
|
||||
c.Ui.Output(" The `mlock` syscall to prevent memory from being swapped to")
|
||||
c.Ui.Output(" disk is not supported on this system. Enabling mlock or")
|
||||
c.Ui.Output(" running Vault on a system with mlock is much more secure.\n")
|
||||
c.Ui.Output(" An `mlockall(2)`-like syscall to prevent memory from being")
|
||||
c.Ui.Output(" swapped to disk is not supported on this system. Running")
|
||||
c.Ui.Output(" Vault on an mlockall(2) enabled system is much more secure.\n")
|
||||
}
|
||||
|
||||
// Create a logger. We wrap it in a gated writer so that it doesn't
|
||||
@ -1,14 +0,0 @@
|
|||
// +build linux
|
||||
|
||||
package mlock
|
||||
|
||||
import "syscall"
|
||||
|
||||
func init() {
|
||||
supported = true
|
||||
}
|
||||
|
||||
func lockMemory() error {
|
||||
// Mlockall prevents all current and future pages from being swapped out.
|
||||
return syscall.Mlockall(syscall.MCL_CURRENT | syscall.MCL_FUTURE)
|
||||
}
|
||||
@ -1,17 +0,0 @@
|
|||
// +build solaris
|
||||
|
||||
package mlock
|
||||
|
||||
import (
|
||||
"syscall"
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
func init() {
|
||||
supported = true
|
||||
}
|
||||
|
||||
func lockMemory() error {
|
||||
// Mlockall prevents all current and future pages from being swapped out.
|
||||
return unix.Mlockall(syscall.MCL_CURRENT | syscall.MCL_FUTURE)
|
||||
}
|
||||
@ -1,4 +1,4 @@
|
|||
// +build windows plan9 darwin freebsd openbsd netbsd
|
||||
// +build android nacl plan9 windows
|
||||
|
||||
package mlock
|
||||
|
||||
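--- /dev/null
+++ b/helper/mlock/mlock_unix.go
@@ -0,0 +1,18 @@
+// +build darwin dragonfly freebsd linux netbsd openbsd solaris
+
+package mlock
+
+import (
+"syscall"
+
+"golang.org/x/sys/unix"
+)
+
+func init() {
+supported = true
+}
+
+func lockMemory() error {
+// Mlockall prevents all current and future pages from being swapped out.
+return unix.Mlockall(syscall.MCL_CURRENT | syscall.MCL_FUTURE)
+}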
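Review bot: The fallback file's tag list in the `@ -1,4 +1,4` hunk (now `// +build android nacl plan9 windows`) has to remain the exact complement of this file's `// +build darwin dragonfly freebsd linux netbsd openbsd solaris`; a GOOS that appears in neither list builds neither file, and the package then fails to compile because `supported` and `lockMemory` are undefined. A negated constraint on the fallback file keeps the two from drifting and makes any unlisted platform land on the unsupported path rather than a build error: `// +build !darwin,!dragonfly,!freebsd,!linux,!netbsd,!openbsd,!solaris`. The `supported` variable both files assign is declared outside these hunks, so I cannot confirm it has no other writer.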
@ -8,6 +8,21 @@ import (
|
|||
// memzero is used to zero out a byte buffer. This specific format is optimized
|
||||
// by the compiler to use memclr to improve performance. See this code review:
|
||||
// https://codereview.appspot.com/137880043
|
||||
//
|
||||
// Use of memzero is not a guarantee against memory analysis as described in
|
||||
// the Vault threat model:
|
||||
// https://www.vaultproject.io/docs/internals/security.html . Vault does not
|
||||
// provide guarantees against memory analysis or raw memory dumping by
|
||||
// operators, however it does minimize this exposure by zeroing out buffers
|
||||
// that contain secrets as soon as they are no longer used. Starting with Go
|
||||
// 1.5, the garbage collector was changed to become a "generational copying
|
||||
// garbage collector." This change to the garbage collector makes it
|
||||
// impossible for Vault to guarantee a buffer with a secret has not been
|
||||
// copied during a garbage collection. It is therefore possible that secrets
|
||||
// may be exist in memory that have not been wiped despite a pending memzero
|
||||
// call. Over time any copied data with a secret will be reused and the
|
||||
// memory overwritten thereby mitigating some of the risk from this threat
|
||||
// vector.
|
||||
func memzero(b []byte) {
|
||||
for i := range b {
|
||||
b[i] = 0
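Review bot: The explanation in the new comment at `// 1.5, the garbage collector was changed to become a "generational copying` / `// garbage collector."` is inaccurate: the collector introduced in Go 1.5 is a concurrent, non-generational, non-moving mark-and-sweep collector and does not relocate heap objects. The copies the paragraph is concerned about are real but come from elsewhere — stack growth relocates stack frames, and slice growth through `append` or a `[]byte`/`string` conversion leaves the old bytes behind untouched — so the paragraph should attribute the residual-copy risk to those mechanisms instead of to a copying GC, while keeping its conclusion that memzero cannot guarantee every copy is wiped. Separately, `// may be exist in memory that have not been wiped` should read `// may exist in memory that has not been wiped`. The import block this hunk is anchored in and the body of memzero both continue outside the hunk.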
|
||||
|
@ -69,11 +69,17 @@ sending a SIGHUP to the server process. These are denoted below.
|
|||
lease duration for tokens and secrets. This is a string value using a suffix,
|
||||
e.g. "720h". Default value is 30 days.
|
||||
|
||||
In production, you should only consider setting the `disable_mlock` option
|
||||
on Linux systems that only use encrypted swap or do not use swap at all.
|
||||
Vault does not currently support memory locking on Mac OS X and Windows
|
||||
and so the feature is automatically disabled on those platforms. To give
|
||||
the Vault executable access to the `mlock` syscall on Linux systems:
|
||||
In production it is a risk to run Vault on systems where `mlock` is
|
||||
unavailable or the setting has been disabled via the `disable_mlock`.
|
||||
Disabling `mlock` is not recommended unless the systems running Vault only
|
||||
use encrypted swap or do not use swap at all. Vault only supports memory
|
||||
locking on UNIX-like systems (Linux, FreeBSD, Darwin, etc). Non-UNIX like
|
||||
systems (e.g. Windows, NaCL, Android) lack the primitives to keep a process's
|
||||
entire memory address space from spilling disk and is therefore automatically
|
||||
disabled on unsupported platforms.
|
||||
|
||||
On Linux, to give the Vault executable the ability to use the `mlock` syscall
|
||||
without running the process as root, run:
|
||||
|
||||
```shell
|
||||
sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
|
||||
|