Using Password encryption for other purposes

(imported topic written by Bill.Ehardt)

I love the password encryption/local user section of Labs. I’m trying to pick it apart and use it for a different case.

We want to change service accounts for our SQL services across 600+ endpoints. This of course means we’d need to send a password, which prior to Labs was a no-no. I can handle the piece to update the accounts with no issues, I just want to see if I can make a “custom” action that secures the password.

Has anyone done something like this? The action that is pushed to add a local user is fairly easy to pick apart, but I’m trying to find out how the BigFix server encrypts the password. Is there any documentation on this?

(imported comment written by Zakkus)

We don’t have any proper documentation on it, though I can give you a bit of a primer.

The first step to using encryption is that we create a public/private key pair on each endpoint. We then report the public key up through an analysis.

Now we have a public key for every computer. In the wizard on the console (rather than through the server), we run OpenSSL to encrypt the strings for each of the computers. From there it’s just a matter of making the action, which as you noted is pretty straightforward (just find the right encoded string for each computer, decrypt, and use).

We have developed some modules internally to help make using this method easier (we are now doing this in several products). I can give it to you if you want, though since it was developed for internal use, I am not sure how easy to use it would be (might require our full development framework, I’ll check it out).
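
The workflow outlined in the comment above, sketched with the openssl command line as an added example (not part of the original posts and not BigFix's own code). RSA-2048 with OAEP padding, the function names and the file layout are assumptions; the thread does not say which key type or padding the product uses.

```shell
#!/bin/sh
# Added illustration, not BigFix code. Key type (RSA-2048), OAEP padding,
# function names and directory layout are assumptions.

# Endpoint side: create the key pair locally; only pub.pem is ever reported.
gen_endpoint_key() {        # $1 = directory private to the endpoint
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$1/priv.pem" 2>/dev/null ) &&
    openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem"
}

# Console side: encrypt the secret (read from stdin, so it never appears in
# a process argument list) to ONE endpoint's public key. Output is
# single-line base64 that can be embedded in an action.
encrypt_for_endpoint() {    # $1 = that endpoint's pub.pem
    openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep | openssl base64 -A
}

# Endpoint side: decrypt the string addressed to this machine.
decrypt_on_endpoint() {     # $1 = priv.pem, $2 = base64 ciphertext
    printf '%s' "$2" | openssl base64 -d -A |
        openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep
}

# Constructed demo: two endpoints, one secret, one ciphertext per computer.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/ep1" "$work/ep2"
    gen_endpoint_key "$work/ep1" && gen_endpoint_key "$work/ep2" || return 1
    secret='Constructed-Example-Pw!'    # constructed sample value
    for ep in ep1 ep2; do
        ct=$(printf '%s' "$secret" | encrypt_for_endpoint "$work/$ep/pub.pem")
        echo "$ep payload: $(printf '%s' "$ct" | cut -c1-24)..."
        [ "$(decrypt_on_endpoint "$work/$ep/priv.pem" "$ct")" = "$secret" ] ||
            return 1
    done
    # ep1 must NOT be able to read the string addressed to ep2.
    if decrypt_on_endpoint "$work/ep1/priv.pem" "$ct" >/dev/null 2>&1; then
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
}
demo
```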

(imported comment written by SystemAdmin)

Hi Zak,

We would be interested in that too. I’m excited about the PKI infrastructure that this gets into place. I’d like to leverage it to deploy other secure data.

(imported comment written by Zakkus)

We have a pair of DLLs we use on the client and in a dashboard to accomplish this. Once we get them properly signed, I’ll post them up on the wiki with some info on how to use them.

-Zak

(imported comment written by SystemAdmin)

Thanks Zak! That would be awesome. We have several use cases for transporting secure data where this would be really handy.