Werk #15197: Improve Symmetric Agent Encryption on Linux

Komponente Checks & agents
Titel Improve Symmetric Agent Encryption on Linux
Datum 08.12.2023
Level Kleine Änderung
Klasse Neues Feature
Kompatibilität Kompatibel - benötigt kein manuelles Eingreifen
Checkmk versions & editions
2.3.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

This Werk improves the agent's built-in symmetric encryption for Linux hosts.

The new encryption scheme adds authentication of the encrypted data and improves the method used to derive cryptographic key material from the shared secret configured in the rule. To use the new encryption scheme, OpenSSL >= 1.0.0, better OpenSSL >= 1.1.1, must be available on the host.

For testing and debugging purposes, a bash script to decrypt the agent's output can be found in the Checkmk repository under doc/treasures/agent_legacy_encryption/decrypt.sh.

Older encryption schemes can still be decrypted by the Checkmk site.

Important disclaimers:

If the Agent Controller with TLS encryption is available, use that instead. The build-in symmetric encryption should only be used if TLS is not available. Moreover, there is no advantage in using both. Disable the symmetric encryption if you can use TLS.

The security of this encryption scheme strongly depends on the security of the shared secret configured in the rule. Use a long, random secret.

Zur Liste aller Werks