Managing Tanium keys
Tanium as a Service automatically manages the digital keys and certificates that secure connections among Tanium Core Platform components.
The Tanium™ Protocol uses Transport Layer Security (TLS) 1.2 to encrypt communication among the following platform components, as illustrated in Figure 1:
|Tanium Server to Tanium Server in an active-active deployment
For some communications between active-active servers, such as Tanium database traffic and Lightweight Directory Access Protocol (LDAP) synchronization traffic, Tanium Appliances use IPsec instead of the Tanium Protocol.
|Tanium Servers to Zone Server Hub
Figure 1 shows the Zone Server Hub installed on a host that is separate from the Tanium Server hosts to illustrate that the connection is encrypted. However, in most Windows deployments and all Appliance deployments, you install the hub on the same host(s) as the Tanium Servers.
|Zone Server Hub to Zone Server|
|Tanium Clients (external) to Zone Server|
|Tanium Clients (internal) to Tanium Servers|
|Tanium Client to Tanium Client (external and internal)
Only Tanium Client 7.4 or later uses TLS to encrypt peer traffic.
When you install or upgrade to Tanium Core Platform 7.4 or later, TLS is enabled by default for communication among platform components. For more details about TLS, and the steps to enable or disable it, see Tanium Core Platform Deployment Reference Guide: Setting up TLS communication.
Tanium keys secure only Tanium traffic. Your enterprise public key infrastructure (PKI) governs the security of non-Tanium traffic among the endpoints in your network.
You require the Administrator reserved role to manage Tanium keys.
To manage the keys that secure connections among Tanium Core Platform components through Hypertext Transfer Protocol Secure (HTTPS) instead of the Tanium Protocol, see Tanium Core Platform Deployment Reference Guide: Securing Tanium Console, API, and Module Server access.
For details about the keys that are used to sign and authenticate content files that you import into the Tanium Server, see Authenticating content files.
The Tanium Core Platform supports TLS for additional connections that various Tanium modules and shared services require. For details, see the user guides for your Tanium products at https://docs.tanium.com.
When you install the Tanium Server, it automatically generates a public-private root key pair. These root keys are at the top of the Tanium key infrastructure and are required for all subordinate keys to secure connections among Tanium Core Platform components. You deploy the root public key to the Zone Server, Zone Server Hub, and Tanium Clients during installation or upgrade so that these components can secure communication with the Tanium Server.
The Tanium Server uses separate root key pairs for TLS communication with Tanium Clients based on their version. Initially after a fresh installation or upgrade, Tanium Client 7.4 or later uses the root public key that has the Server name <Tanium Server FQDN> Root 0 (see Figure 3). Each new root public key that you create for version 7.4 or later has a unique Server name in the format <Tanium Server FQDN> Root <#>. The root public key for Tanium Client 7.2 has the Server name legacy-root. You cannot create new keys for version 7.2.
The Tanium Server, Zone Server, Zone Server Hub, and Tanium Clients generate subordinate keys locally and request a digital signature for each key pair. The signatures are required for TLS communication. The Tanium Core Platform uses the following subordinate keys, as shown in Figure 2:
- TLS keys: Each Tanium Core Platform server and Tanium Client uses TLS keys to enable TLS communication with other servers and clients. The Tanium Server uses the root private key to generate signatures for the server TLS keys.
- Message-signing keys: The Tanium Server uses these keys to sign messages (such as for action packages) that it sends to Tanium Clients. The Tanium Server uses the root private key to generate a signature for the message-signing keys.
- Intermediate TLS keys: An intermediate TLS private key is used to generate signatures for the TLS keys of Tanium Clients. The intermediate TLS key pair resides on the Zone Server in deployments that have one (as shown in Figure 2), and on the Tanium Server otherwise. The server returns both the signature and the intermediate TLS public key to each client to enable TLS communication. Using intermediate TLS keys instead of the root keys for this function makes client registration faster and less CPU intensive. For security, you can rotate the intermediate keys independently of the root keys.
A copy of the root public key resides in the Zone Server Hub installation directory regardless of whether the hub is installed on the same host as the Tanium Server (as shown in Figure 2) or on a dedicated host.
Although root keys never expire, you can rotate them, which means generating new keys and revoking the old keys. Rotating keys is useful if your organization has a policy for periodic key rotation or the security of the active keys is in doubt. If the security of the active root keys is in doubt, rotate them immediately.
If your organization does not have a key rotation policy, the best practice is to rotate the root keys at least once every year but no more than once every six months.
You cannot rotate the root keys for Tanium Client 7.2. The Tanium Console identifies the 7.2 root keys with a Server value of legacy-root (see Figure 3).
To ensure the security of root private keys, the Tanium Console exposes only root public keys. However, when you generate or revoke a public key, the Tanium Server automatically generates and revokes the private key. Furthermore, when you rotate the root keys, the Tanium Core Platform automatically rotates all subordinate keys. Regardless of whether you rotate the root keys, the subordinate keys automatically rotate at configurable intervals.
The following steps summarize the workflow for rotating keys:
- (Optional best practice) On each Tanium Server, encrypt the pki.db file that contains the root keys, Tanium Server TLS keys, and message-signing keys. This is a one-time only task that you perform to prevent unauthorized access to the keys. See Encrypt the root keys database.
- (Optional best practice) Back up the pki.db file that resides on each Tanium Server, in case the servers later experience an unrecoverable failure. Do this whenever you rotate the root keys. See Back up the root keys.
- If your organization has a key rotation policy, configure automatic rotation for subordinate keys to match the policy. This is a one-time only task, unless your policy changes. See Configure rotation for subordinate keys.
- Generate a new root public key. The Tanium Server automatically generates a new corresponding private key and triggers the creation of new subordinate keys.
See Generate root keys.
As a best practice, wait one week before revoking the old root keys to ensure that the process of generating new keys finishes for all Tanium Core Platform components. When you revoke, any components that did not finish this process expend more processing resources and network traffic to generate new keys. However, if the security of the root keys is in doubt, revoke the old keys immediately after generating the new keys.
- Revoke the old root public key. The Tanium Server automatically revokes the associated private key and propagates the revocation directive for the old root keys and subordinate keys to all Tanium Core Platform components. For details, see Revoke root keys.
The Administration > Configuration > Tanium Server > Root Key Management page displays a tile for each root public key that is active, and also displays a grid that lists revocation details for revoked keys. In an active-active deployment, the page displays the keys for both Tanium Servers, but only after you approve trust between them (see Managing Tanium Server trust). You can identify keys by their Fingerprint, which is the hash digest of the key, and by the Server value. The root public key that the Tanium Server uses for TLS communication with Tanium Client 7.2 has a Server value of legacy-root. All the other keys are for TLS communication with Tanium Core Platform servers and with Tanium Client 7.4 or later.
As a best practice to prevent unauthorized access, specify a password to encrypt the root keys that the Tanium Server stores in the pki.db file. In an active-active deployment, perform this task on each Tanium Server.
The Tanium Console displays the values of most settings that you configure. However, for security, the console does not display the encryption password unless you manually reveal it: see View protected Tanium Server settings.
Set the encryption password
Encrypt the root keys by adding the PKIDatabasePassword setting:
- From the Main menu, go to Administration > Management > Local Settings and click New Setting.
- For the Setting Name, enter PKIDatabasePassword.
- For the Setting Value, enter a password.
- Set the Value Type to protected and click Save.
Store the password in a safe location.
Change the encryption password
After adding the PKIDatabasePassword setting, you can later change the password as follows:
- From the Main menu, go to Administration > Management > Local Settings.
- Select the PKIDatabasePassword setting.
- Click Edit, enter the new password in the Setting Value, and click Save.
As a best practice when you rotate the root keys, first back up the pki.db file that contains them, along with the associated password if you encrypted the file. You can use the backup in the event of a Tanium Server failure. Copy the pki.db file from the <Tanium_Server>/backups folder to the host where you store backups, and store the password in a secure location. In an active-active deployment, perform this task for each Tanium Server.
If you restore the backup pki.db on a Tanium Server, you must also restore the associated Tanium database to enable Tanium Clients to connect to that Tanium Server. Therefore, back up the Tanium database whenever you back up pki.db.
You can generate up to two active public-private root key pairs for each Tanium Server. Perform this task on each Tanium Server in an active-active deployment.
- From the Main menu, go to Administration > Configuration > Tanium Server > Root Key Management.
- Click Create Key beside the name of the Tanium Server that requires a new public-private root key pair. The Root Key Management page displays the root public key details in a new tile.
To prevent communication disruptions among Tanium Core Platform components, you cannot revoke a root key pair until you first generate a new key pair to replace it. Review the Key rotation workflow before revoking the old root key pair. You must revoke keys on both Tanium Servers in an active-active deployment. Revoke keys as follows:
- (Active-active deployment only) If the Tanium Server for which you will revoke the keys has only one active root key pair, you must revoke trust for that server before revoking its keys: see Revoke trust between Tanium Servers.
- From the Main menu, go to Administration > Configuration > Tanium Server > Root Key Management.
- In the Active Root Keys section, click Revoke in the tile of the public key and confirm the operation when prompted.
The Zone Server, Zone Server Hub, and Tanium Clients must authenticate the Tanium Server to enable communication with it. Version 7.4 of the servers and clients use keys (including the root public key) that are inside the initialization bundle (tanium-init.dat) to authenticate. Tanium Client 7.2 uses only the root public key (tanium.pub) to authenticate. Downloading the initialization file or public key file from the Tanium Server enables you to then deploy the file to the Tanium Clients, Zone Server, and Zone Server Hub.
Be careful not to allow the tanium-init.dat or tanium.pub file to be distributed or stored outside of your organization, such as in a publicly accessible source code repository or any other location accessible from the public internet. Limit the distribution to specific use in the deployment of Tanium Clients.
Though these files do not contain private keys and cannot be used to provide control over a Tanium environment, a user with malicious intent could use them to connect an unapproved client and use this unauthorized access to learn how your organization is using Tanium.
For version 7.4 or later of the servers and clients,tanium-init.dat is required for fresh installations. If you upgraded and plan to deploy more 7.2 clients, use tanium.pub. If you upgraded and plan to deploy new 7.4 clients, using tanium-init.dat is the best practice.
- (Active-active deployment only) Enable trust between the Tanium Servers in an active-active deployment if you haven't already. Upon establishing trust, the servers exchange the necessary keys so that the tanium-init.dat file on each server contains the public key of both servers. For details, see Managing Tanium Server trust.
- (Tanium Client 7.2 only) Enable the Tanium protocol that Tanium Client 7.2 uses to authenticate:
- From the Main menu, go to Administration > Management > Global Settings.
- Select enable_protocol_314_flag and click Edit.
- Set the Setting Value to 1 and click Save.
- From the Main menu, go to Administration > Configuration > Tanium Server > Infrastructure Configuration Files.
- Click Download in the Clients v7.4+ and Zone Server or Clients v7.2 section, depending on which file you need.
- Optionally modify the default file name, and then click OK.
The file appears in the Downloads folder on the system that you use to access the Tanium Console.
To deploy tanium-init.dat or tanium.pub, see the relevant user guide:
- Tanium Clients: See the Tanium Client Management User Guide.
- Zone Server and Hub: Go to https://docs.tanium.com and look under Tanium Core Platform Servers to find the guide for your deployment. Perform the tasks related to installing or upgrading the Zone Server and Hub.
Tanium Core Platform components automatically generate new subordinate key pairs when it is time to rotate them. For example, Tanium Clients renew their TLS keys four hours (the renewal window) before the end of each seven-day validity period (expiration interval) by default. The renewal windows ensure components have enough time to re-establish trust in the Tanium environment before the current keys expire. Configure the validity periods and renewal windows to match the policy of your organization. If your organization does not have a policy, the best practice is to use the default windows and validity periods. Perform the following steps for each type of subordinate key pair:
- From the Main menu, go to Administration > Management > Global Settings and select the setting in the grid (see Table 1).
- In the Selected System Setting pane, click Edit.
- In the Setting Value, enter the appropriate validity period or renewal window.
- In the Affects drop-down menu, select an option based on the setting:
- PKIClientTLSKeyRenewalWindowHours: Select client.
- All other settings: Select server.
- Click Save.
Last updated: 6/11/2021 8:19 AM | Feedback