On Fri, 2017-12-15 at 15:22 +1300, Gary Lockyer via samba-technical wrote:
> Patch set to encrypt the Samba secret attributes on disk. This is
> intended to mitigate the inadvertent disclosure of the sam.ldb file, and
> to mitigate memory read attacks.
> Currently the key file is stored in the same directory as sam.ldb but
> this could be changed at a later date to use an HSM or similar mechanism
> to protect the key.
> Data is encrypted with AES 128 GCM. The encryption uses gnutls where
> available and if it supports AES 128 GCM AEAD modes, otherwise nettle is
There are some interesting ways this could be extended, but this is a
really good start.