Data privacy in KDC

Greg Hudson ghudson at
Mon Mar 4 12:15:57 EST 2019

On 3/4/19 11:45 AM, Yegui Cai wrote:
> 1. If I have multiple tenants sharing the same KDC (say, a tenant is mapped
> into a realm), how KDC make sure that the data is segregated between realms?

The best option is probably to run separate KDC processes for each
realm, with each process listening to a different port.

It is possible for a single KDC process to serve multiple realms, but it
is not a common configuration, and kadmind doesn't have the same
facility.  In this configuration, each realm still has its own separate
database, and the KDC will only access the database for the request that
is currently processing (based on the realm field of the KDC-REQ-BODY).

> 2. Similar questions regarding logs. Is there any way to segregate logs
> between different realms?

With separate KDC processes, each can have its own kdc.conf file with
different [logging] directives.

With one KDC process serving multiple realms, I don't believe there is
any way to keep the logs separate.

> 3. If I use the default data storage (Berkeley DB if my understanding is
> correct), how data is encrypted at rest?

Principal long-term keys are encrypted in a master key; the master key
is typically located in a stash file separate from the KDB so that it
can be backed up more securely (or not at all).  Other principal
metadata is not encrypted.

More information about the Kerberos mailing list