Add certificate to db from UEFI Shell - uefi

I'm in edk2 UEFI Shell and there is no access to filesystem or network. Secureboot is already enabled and all vars PK, KEK, db, dbx are set. I know that if there is access to filesystem or network I can pull in new cert and add it to db using dmpstore command. I also explored hexedit command to create a binary file with new cert but did not work as no filesystem. So is there a way to add/append cert to db when there is no file system and network access from UEFI shell?

Related

Access remote database federation DB2

I have 2 systems. system A and system B and both are DB2 servers. I want to be able to access system B database from system A. Both have a database called TESTDB. I am trying to run the following command to create a server.
CREATE WRAPPER "drdawrapper"
LIBRARY 'libdb2drda.so'
OPTIONS (DB2_FENCED 'Y'
);
db2 "CREATE SERVER "PRD_SERVER_SSL_FLEX" TYPE DB2/UDB VERSION '11' WRAPPER "drdawrapper" AUTHORIZATION "xyz" PASSWORD "xyz" OPTIONS (DB2_CONCAT_NULL_NULL 'Y',DB2_VARCHAR_BLANKPADDED_COMPARISON 'Y',DBNAME 'TESTDB',HOST '169.62.253.230',NO_EMPTY_STRING 'N',PORT '50001',SECURITY 'SSL',STRING_UNITS 'S');"
But I keep getting:
DB21034E The command was processed as an SQL statement because it was not a
valid Command Line Processor command. During SQL processing it returned:
SQL1101N Remote database "TESTDB" on node "<unknown>" could not be accessed
with the specified authorization id and password. SQLSTATE=08004
Node directory:
db2 list node directory
Node Directory
Number of entries in the directory = 1
Node 1 entry:
Node name = TESTNODE
Comment =
Directory entry type = LOCAL
Protocol = TCPIP
Hostname = 123.21.23.12
Service name = 50001
The credentials are correct. I am not sure what node is it looking for. Any pointers?
Your question is more about configuration than programming.
As you appear to be encrypting the federated connection it can be wise to first verify that the encrypted connection works at the command-line, separately from federation. This irons out a lot of the detail and is easier to troubleshoot. After you get that working, you can then begin on encrypting the federated connection.
Please follow the detailed instructions here (choose the correct Db2-version):
You have to know in advance which kind of SSL/TLS trust verification you want (i.e. either single cert (client trusts the server - simplest and easiest), or multiple certs (both sides trust the other - more setup, arguably more secure), because this determines the configuration.
Ensure both of your Db2 instances and databases are properly configured for SSL.
Catalog the remote-node locally with security SSL (db2 catalog tcpip node ... remote ... server ...security ssl)
Catalog the remote-database locally on the new node name (db2 catalog database ... at node ...) followed by db2 terminate .
Verify a command-line connect to the remote database using the federated credentials, using the configured db2dsdriver.cfg if using SSLSERVERCERTIFICATE method, or using the keystore/stash configuration ( db2 connect to remotedb user ... using ... ). Use the same userid/password that you will use later in the create server command.
Once that command-line connect works, you can proceed with the encrypted federation link, via db2 create wrapper... and db2 create server....
There's no need to use quotes around the wrapper name, just let it fold, otherwise quotes are just annoying redundant noise, although it is not a mistake.
Inside the script for create server command options instead of AUTHORIZATION "xyz" PASSWORD "xyz" use AUTHORIZATION \"xyz\" PASSWORD \"xyz\" (i.e. escape the quotes).
For one-sided trust, use SSL_SERVERCERTIFICATE in the create server options clause and ensure the value is accurate (fully qualified path to the remote-db2instance-certificate-file), and that the file/directory permissions are valid.
For mutual trusts, use both SSL_KEYSTORE and SSL_KEYSTASH keywords with correct values, in the create server options clause (having previously ensured your keystores are properly populated, as verified by a command-line connect above).
You may also want to consider create user mapping depending on the requirements.
Finally you can create your nicknames, and test out the federated link by querying those nicknames.

Is there a way to keep Windows EFS encryption metadata in place when uploading a file to Linux?

I am trying to copy an EFS Encrypted zip file from Windows to a Linux server (through OpenSSH scp). It was encrypted using the PowerShell .Encrypt() method. Unfortunately, for whatever reason, when I download the file from the Linux server to a Windows machine, it can't be opened because the Windows machine does not detect it's EFS encrypted, and just regards it as an unreadable zip file.
I have exported the EFS key from the first computer and installed it on the computer that opens the file. The file is successfully detected as an EFS encrypted file when I use a USB key to move the file around and can be opened properly.
The PowerShell script that I'm trying to create should be invisible to the user. Another question is: could creating and mounting a VHDX file still be part of a script that doesn't interrupt the normal workflow of the user?

Postgres Data Encryption at Rest Using LUKS with dm-crypt

We are trying to encrypt Postgres data at rest. Can't find any documentation to encrypt Postgres data folder using LUKS with dm-encrypt.
No special instructions are necessary – PostgreSQL will use the opened encrypted filesystem just like any other file system. Just point initdb to a directory in the opened file system, and it will create a PostgreSQL cluster there.
Automatic server restarts will fail, because you need to enter the passphrase.
Of all the ways to protect a database, encrypting the file system is the least useful:
Usually, attacks on a database happen via the client, normally with SQL injection. Encrypring the file system won't help.
The other common attack vector are backups. Backups done with pg_dump or pg_basebackup are not encrypted.
But I guess you know why you need it.

Error when enabling data encryption using local key MONGODB

I have successfully encrypted the communication in mongoDB but when I try to enable the data encryption I'm getting errors. I am using the enterprise edition of mongoDB with version 3.2.4. I get the following message in the console:
ERROR: child process failed, exited with error number 14
But when I look at the logs I see detailed error as follows:
Unable to retrieve key .system, error: there are existing data files, but no valid keystore could be located.
Fatal Assertion 28561
following is the snippet of my config file:
# enable authentication
security:
authorization: enabled
enableEncryption: true
encryptionKeyFile: /home/test/mongodb-keyfile
It works fine without the enableEncryption, and encryptionKeyFile parameters. Could anyone explain what i'm missing here? thanks!
MongoDB's encrypted storage engine supports two key management options:
Key Manager : Integration with third party key management appliance via the Key Management Interoperability Protocol (KMIP).
Local Key: Use of local key management via a keyfile.
Worth mentioning that using a key manager meets regulatory key management guidelines and is recommended over the local key management.
If you are using Key Manager option, please see KMIP Master Key Rotation.
Since you are using the Local Key option, if you have a Replica Set deployment you could rotate the replica set member. This would re-sync data from the un-encrypted to the encrypted mongod.
Alternatively if you only have a standalone mongod, you could:
Back Up your database files.
Stop mongod process.
Delete or move existing database files in dbpath. Exercise extra caution! - If you are deleting, make sure you have a backup data.
Restart mongod with --enableEncryption and --encryptionKeyFile.
Restore backup files to the restarted and encrypted mongod.
As an example, you could use mongodump to dump the data, and use mongorestore to restore the dump files.
Lastly, note that MongoDB Enterprise edition is a commercially supported product. I'd suggest opening a support case if you have a Commercial Support subscription.

Postgresql cluster initialization

SQL distributes pre-initialized catalog cluster but for postgresql we need initialize cluster using initdb and a network service account. It fails in few cases and causing bit of misery!
Can initialize cluster ourselves and distribute pre-initialized cluster?
Thanks
The "cluster" (or data directory) depends on the operating system and the architecture. So a data directory that was initialized with initdb on a 32bit Linux will not work on a 64bit Windows.
But you don't need to do that. A service account is only necessary if you want to run PostgreSQL as a service.
You can easily use the ZIP distribution to install and start Postgres without the need for a full-fledge installation or a service account.
The steps to do so are:
Unzip the binaries
Run initdb pointing it to the directory where the database cluster should be created.
Run pg_ctl to start the server.
Note that the steps 2) and 3) must be run using the same user, otherwise the server will have no priviliges to write to the data directory.
These steps can easily be put into a batch file or shell script.
Hard to understand your question, but I think you are talking about the Windows installer for PostgreSQL. Right? What version, what installer, what about error messages, loggings, etc. ?
The installer can be found here.
SQL = database language, SQL Server =
Microsoft database product