Secure variables protected by Linux kernel












Is there a possibility to place variables under the custody of the Linux kernel?

E.g. counters that may only be incremented, variables that can be written to but only read after authentication.

Ideally with persistency after reboot and unalterable between boots.

I could think of a kernel module that allows access to the variables via /proc filesystem and storing the values in the kernel keyring.

However, I could not find a solution for this.

Use case would be e.g. software eFuses https://en.wikipedia.org/wiki/EFUSE and the ability to securely store variables from user space.







linux security linux-kernel






edited Feb 12 '18 at 10:50
Rui F Ribeiro

asked Jul 24 '17 at 15:16
Reiner Rottmann

migrated from serverfault.com Jul 24 '17 at 15:38


This question came from our site for system and network administrators.









  • See if man keyrings (and SEE ALSOs) can answer some of your needs.

    – Stéphane Chazelas
    Jul 24 '17 at 16:07

  • Can you give a sample use case?

    – sdkks
    Jul 25 '17 at 1:25

  • A sample use case would be an invalid password retry counter or a write-only variable, e.g. enter a password that can be used by an application but cannot be read back by a regular user or only after authentication.

    – Reiner Rottmann
    Jul 25 '17 at 16:22

  • I found keyrings with the keyctl utility to be a very good solution. Thanks for pointing that out! @StéphaneChazelas

    – Reiner Rottmann
    Aug 20 '17 at 11:18
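
The comments above settle on keyrings and keyctl for the write-only variable use case. As an added example (not part of the original thread), this script audits key permission masks in the `type;uid;gid;perm;description` form printed by `keyctl rdescribe`, applying the keyctl(2) rule that a possessed key can be read through Search permission even when Read is cleared. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Permission bits follow keyctl(1) and
# keyrings(7); function names and sample lines are constructed.
# Each byte of the mask (possessor, user, group, other) uses these bits:
VIEW=1 READ=2 WRITE=4 SEARCH=8 LINK=16 SETATTR=32

# rights_of BYTE: names of the rights set in one permission byte.
rights_of() {
    _out=
    for _p in "$VIEW:view" "$READ:read" "$WRITE:write" \
              "$SEARCH:search" "$LINK:link" "$SETATTR:setattr"; do
        if [ $(( $1 & ${_p%%:*} )) -ne 0 ]; then
            _out="${_out:+$_out,}${_p#*:}"
        fi
    done
    printf '%s' "${_out:-none}"
}

# perm_decode HEXMASK: spell out all four bytes of a mask such as 3f010000.
perm_decode() {
    _m=$(( 0x${1#0x} ))
    printf 'possessor=%s user=%s group=%s other=%s' \
        "$(rights_of $(( ($_m >> 24) & 63 )))" \
        "$(rights_of $(( ($_m >> 16) & 63 )))" \
        "$(rights_of $(( ($_m >> 8) & 63 )))" \
        "$(rights_of $(( $_m & 63 )))"
}

# audit_line "type;uid;gid;perm;description": classify one key from the
# owner's point of view. Conservative assumption: the owner also possesses
# the key, so possessor and user rights add up (keyrings(7)).
#   readable      Read is set, or Search is set (keyctl(2) lets a possessed
#                 key be read through Search even when Read is cleared)
#   regrantable   not readable now, but Setattr lets the owner restore Read
#   write-only    can be updated, cannot be read back or re-permissioned
#   inaccessible  none of the above
audit_line() {
    IFS=';' read -r _type _uid _gid _perm _desc <<EOF
$1
EOF
    _m=$(( 0x$_perm ))
    _eff=$(( (($_m >> 24) | ($_m >> 16)) & 63 ))
    if [ $(( $_eff & ($READ | $SEARCH) )) -ne 0 ]; then
        _v=readable
    elif [ $(( $_eff & $SETATTR )) -ne 0 ]; then
        _v=regrantable
    elif [ $(( $_eff & $WRITE )) -ne 0 ]; then
        _v=write-only
    else
        _v=inaccessible
    fi
    printf '%s %s %s\n' "$_desc" "$_perm" "$_v"
}

# audit_stream: classify every line arriving on stdin.
audit_stream() {
    while IFS= read -r _line; do
        audit_line "$_line"
    done
}

# Constructed sample lines: the default mask, Read cleared but Search kept,
# Read and Search cleared but Setattr kept, and an owner view+write mask.
SAMPLE='user;1000;1000;3f010000;app:db-password
user;1000;1000;3d010000;app:api-token
user;1000;1000;35010000;app:pin
user;1000;1000;00050000;app:retry-seed'

printf '%s\n' "$SAMPLE" | audit_stream
```

To audit a real key, pipe the output of `keyctl rdescribe <key-id>` into `audit_stream`.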
















3 Answers
You have Redis for putting away information structures and getting them after reboot, as the administration spares the store while going down. Just go to the link below; it is helpful for you.

https://hackr.io/tutorials/learn-redis





Ankit Dixit is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
You have got Redis for storing data structures and getting them after reboot, as the service saves the cache when going down.

https://redis.io

Redis does not use proc, runs at userland level, and you talk with it by default at 6379/TCP.

There are also APIs/extensions for a few languages, including Python and PHP.

You can also do some diagnostics, and send some commands by telnetting to it/wget/curl.

It can be password protected.

To install it on Debian:

    sudo apt-get install redis-server

    Redis is an open source (BSD licensed), in-memory data structure
    store, used as a database, cache and message broker. It supports data
    structures such as strings, hashes, lists, sets, sorted sets with
    range queries, bitmaps, hyperloglogs and geospatial indexes with
    radius queries. Redis has built-in replication, Lua scripting, LRU
    eviction, transactions and different levels of on-disk persistence...

From this Redis Quick Guide

    Redis is an open source, advanced key-value store and an apt solution
    for building high-performance, scalable web applications.

    Redis has three main peculiarities that sets it apart.

    Redis holds its database entirely in the memory, using the disk only
    for persistence.

    Redis has a relatively rich set of data types when compared to many
    key-value data stores.

    Redis can replicate data to any number of slaves.







edited Mar 1 '18 at 21:39

answered Jul 24 '17 at 15:42
Rui F Ribeiro

  • Whilst redis can indeed be used as a type database, there is not much to it that lends itself to a secure solution as per the OP's requirements...

    – Pedro
    Mar 1 '18 at 8:23

  • @Pedro It is indeed a type database; however it is not clear whether the requirements of the OP are realistic, and thus the answer as it is as redis being a suggestion for a persistent DB from an application usage point of view. Lastly, a couple of points. The infrastructure is just as secure as you design it, the fs, connecting between the frontend and backend can be encrypted either with IPsec or an SSL proxy, and you are not even obliged to place things in clear text in the redis database. Big organisations are using redis. At the end of the day it also depends on how big is the data, et al.

    – Rui F Ribeiro
    Mar 1 '18 at 9:26

  • Understood. My reading of the question suggested a security focused solution, hence my attempt to respond. Also the implicit direction of 'held by the kernel, therefore secure' is a misconception that I wanted to clear. No intention to step on your toes, just thought I could contribute further. However, and for the sake of openness, I originally voted down your answer since your suggestion of using redis would be as good as sqlite or text files. I did not see how it fit the security aspect of the question.

    – Pedro
    Mar 1 '18 at 21:11



















Attending to your original question and subsequent comments, the answer is no.

    Is there a possibility to place variables under the custody of the Linux kernel?

    Ideally with persistency after reboot and unalterable between boots.

    I could think of a kernel module that allows access to the variables via /proc filesystem and storing the values in the kernel keyring.

If you are looking for a way to store data securely, then you need a database of some kind and the means to ensure integrity of the data stored - which usually involves cryptography. This in itself creates several problems that need to be addressed carefully, such as key management, storage encryption, etc.

The kernel offers very few options for persistent data storage. There's keyring as mentioned which might help, but its purpose is slightly different. I have never studied the security of this kind of subsystem, so I would not be able to comment about its strength for your use case.






    share|improve this answer













    Attending to your original question and subsequent comments, the answer is no.




    Is there a possibility to place variables under the custody of the Linux kernel?



    Ideally with persistency after reboot and unalterable between boots.



    I could think of a kernel module that allows access to the variables via /proc filesystem and storing the values in the kernel keyring.




    If you are looking for a way to store data securely, then you need a database of some kind and the means to ensure integrity of the data stored - which usually involves cryptography. This in itself creates several problems that need to be addressed carefully, such as key management, storage encryption, etc.



    The kernel offers very few options for persistent data storage. There's keyring as mentioned which might help, but its purpose is slightly different. I have never studied the security of this kind of subsystem, so I would not be able to comment about its strength for your use case.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Mar 1 '18 at 8:21

    Pedro
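The answer's point that secure storage needs a data store plus a cryptographic integrity check, as an added example (not code from the answer, and not a kernel interface): a file-backed, increment-only counter sealed with HMAC-SHA256. The class name, file name and key are hypothetical, and the key is assumed to be kept where whoever can write the file cannot read it.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

class TamperError(Exception):
    """The stored record does not verify under the key."""

class SealedCounter:
    """Increment-only counter in a file, authenticated with HMAC-SHA256."""
    def __init__(self, path, key):
        self.path, self.key = Path(path), key  # assumption: key unreadable to file writers

    def _tag(self, value):
        return hmac.new(self.key, b"counter-v1:%d" % value, hashlib.sha256).hexdigest()

    def read(self):
        if not self.path.exists():
            return 0  # caveat: deleting the file resets the counter
        try:
            rec = json.loads(self.path.read_text())
            value, tag = rec["value"], str(rec["tag"]).encode()
            if type(value) is int and hmac.compare_digest(tag, self._tag(value).encode()):
                return value
        except (ValueError, KeyError, TypeError):
            pass
        raise TamperError("record failed verification")

    def increment(self):
        value = self.read() + 1  # the only write path; there is no set()
        tmp = self.path.with_suffix(".tmp")
        tmp.write_text(json.dumps({"value": value, "tag": self._tag(value)}))
        tmp.replace(self.path)  # atomic rename, never a half-written record
        return value

def demo():  # constructed run -> (value, edit_detected, rollback_accepted)
    with tempfile.TemporaryDirectory() as d:
        ctr = SealedCounter(Path(d) / "retries.json", b"constructed-demo-key")
        ctr.increment()
        old = ctr.path.read_text()  # saved copy of the record at value 1
        value = ctr.increment()
        ctr.path.write_text('{"value": 0, "tag": "00"}')  # hand-edited record
        try:
            ctr.read()
            edit_detected = False
        except TamperError:
            edit_detected = True
        ctr.path.write_text(old)  # older, validly tagged record put back
        return value, edit_detected, ctr.read() == 1
```

A hand-edited record is rejected, but an older record with a valid tag is accepted again: the HMAC gives integrity, not rollback protection, which needs state the file's writer cannot restore, such as the eFuses the question mentions.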

    0














    You have Redis for putting away information structures and getting them after reboot, as the administration spares the store while going down. Just go to the link below; it is helpful for you.



    https://hackr.io/tutorials/learn-redis





    answered 7 mins ago

    Ankit Dixit
