Data privacy in KDC

Yegui Cai caiyegui at
Mon Mar 4 12:37:37 EST 2019

Hi Greg.
Thanks a lot for your reply.

A further question regarding 3. The database files (principle,
principal.kadm5) are not encrypted, am I right?


On Mon, Mar 4, 2019 at 12:16 PM Greg Hudson <ghudson at> wrote:

> On 3/4/19 11:45 AM, Yegui Cai wrote:
> > 1. If I have multiple tenants sharing the same KDC (say, a tenant is
> mapped
> > into a realm), how KDC make sure that the data is segregated between
> realms?
> The best option is probably to run separate KDC processes for each
> realm, with each process listening to a different port.
> It is possible for a single KDC process to serve multiple realms, but it
> is not a common configuration, and kadmind doesn't have the same
> facility.  In this configuration, each realm still has its own separate
> database, and the KDC will only access the database for the request that
> is currently processing (based on the realm field of the KDC-REQ-BODY).
> > 2. Similar questions regarding logs. Is there any way to segregate logs
> > between different realms?
> With separate KDC processes, each can have its own kdc.conf file with
> different [logging] directives.
> With one KDC process serving multiple realms, I don't believe there is
> any way to keep the logs separate.
> > 3. If I use the default data storage (Berkeley DB if my understanding is
> > correct), how data is encrypted at rest?
> Principal long-term keys are encrypted in a master key; the master key
> is typically located in a stash file separate from the KDB so that it
> can be backed up more securely (or not at all).  Other principal
> metadata is not encrypted.

More information about the Kerberos mailing list