A key component of security is protecting data at rest, in this case the stored SSL private keys: they must stay confidential and must not be altered while stored.

Locally Stored Keys

Private keys are never written to an Avi Load Balancer Service Engine's file system. They are pushed down to the SEs from the Avi Load Balancer Controller and held only in memory for establishing SSL sessions with clients. If an SE is rebooted, for example after a compromise, all of its configuration, including private keys and public certificates, is gone with its memory. When the SE comes back online, the Controller either repurposes it with a new (or the same) configuration or deletes it, depending on the circumstances.

The Controllers store the keys locally in a database in which sensitive information is encrypted. Keys are also encrypted in backups, provided a passphrase is supplied during the backup process; a backup taken without a passphrase contains them in the clear. The Controller encrypts all sensitive fields (passwords, private keys and similar secrets) before storing them in the database using:

  • Encryption Algorithm: AES_256_CBC

  • IV: 16-byte random data

  • Key: random 32 bytes

User passwords are never stored; they are hashed with PBKDF2 (Password-Based Key Derivation Function 2) using SHA256, so the Controller can verify a login without being able to recover the password. Other stored secrets, such as cloud credentials, must be recoverable for use, so they are encrypted with the AES_256_CBC scheme described above rather than hashed.

Because the Controllers hold the system configuration, including the private SSL keys, securing them is critical. Numerous options exist to restrict the access levels of administrators, enforce strong passwords, and limit the source IP address ranges from which administration is permitted.

For administrators with full access to certificates and keys, any attempt to export a private key is recorded in the Operations > Events > Config Audit log. Use role-based access control to restrict export ability to as few administrators as possible, and review that audit log for exports.

Thales Luna (formerly SafeNet Luna) HSM and Externally Stored Keys

Avi Load Balancer supports external hardware security modules and certificate stores for a higher level of physical security. The private key is kept on the external system and never leaves it; only the public key and certificate are available to Avi Load Balancer. It supports the following types of external key stores: