[Openstack-security] Credentials in clear text

Bryan D. Payne bdpayne at acm.org
Wed Apr 23 20:30:11 UTC 2014


There are several issues with this approach and the code below.  But
perhaps the clearest way to understand the issue here is to ask, "Where
would the decryption password be stored?"

-bryan


On Wed, Apr 23, 2014 at 9:48 AM, Adam Lawson <alawson at aqorn.com> wrote:

> How feasible (or unfeasible) would it be for each service to look for an
> encrypted conf file and use the clear text version if the encrypted file
> doesn't exist? The file could be all settings but technically only
> credentials and tokens would need this level of protection in my estimation.
>
> I could envision doing this, for example, with OpenSSL as follows (bash
> for example):
> #!/bin/bash
> # OpenSSL file encryption: with no arguments, prompt for credentials and
> # write them encrypted; with -d, decrypt them back to the clear-text file
> decrypt=credentials.txt
> encrypt=${decrypt}.encrypted
> if [[ $# -eq 0 ]] ; then  # encrypt creds in file
>     read -r username
>     read -r -s password
>     # write creds to the encrypted file (openssl prompts for the passphrase)
>     echo "${username}:${password}" | openssl des3 -salt -out "$encrypt"
> elif [[ $1 = '-d' ]] ; then  # decrypt creds from file
>     openssl des3 -d -salt -in "$encrypt" -out "$decrypt"
> else
>     echo "Error: $1 invalid. Decrypt='-d', Encrypt=no-args" >&2
>     exit 1
> fi
>
> Thoughts? It just seems (to me of course) like a meaningful design option
> for companies who cannot afford to give credentials to all sysadmins with
> sudo access to *any* of the nodes for a given solution.
>
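As an added example (not Adam's script and not OpenStack code), the fallback logic he describes written as a service-side loader: it prefers `<file>.encrypted`, falls back to the clear-text file, and reads the decryption passphrase from a separate file via `-pass file:`, which makes Bryan's question concrete, since that passphrase file lives on the same node and is readable by the same root/sudo users the scheme was meant to exclude. The cipher and KDF (AES-256-CBC with PBKDF2) are this example's choice, not the `des3` call from the thread; the file names and sample values are constructed.

```shell
#!/bin/sh
# Added example, not Adam's script and not OpenStack code: a service-side
# credential loader that prefers <file>.encrypted and falls back to the
# clear-text <file>. The decryption passphrase is read from a separate file
# ("-pass file:"), which is where this scheme ends up storing it: on the
# same node, readable by the same root/sudo users it was meant to exclude.
# Cipher and KDF are this example's choice (AES-256-CBC + PBKDF2), not des3.
set -eu

CIPHER_OPTS="-aes-256-cbc -pbkdf2 -iter 100000 -salt"

# encrypt_creds <plaintext-file> <encrypted-file> <passphrase-file>
encrypt_creds() {
    # CIPHER_OPTS is intentionally unquoted so it expands to separate options
    openssl enc $CIPHER_OPTS -in "$1" -out "$2" -pass "file:$3"
}

# load_creds <basename> <passphrase-file>
# Prints the "user:password" line, decrypting <basename>.encrypted when it
# exists and otherwise reading <basename> in clear text.
load_creds() {
    plain=$1
    enc="$1.encrypted"
    passfile=$2
    if [ -r "$enc" ]; then
        openssl enc -d $CIPHER_OPTS -in "$enc" -pass "file:$passfile"
    elif [ -r "$plain" ]; then
        cat "$plain"
    else
        echo "load_creds: no credentials file for $plain" >&2
        return 1
    fi
}

# demo: round-trips constructed sample credentials through the encrypted
# path in a scratch directory and prints what the service would load.
demo() {
    dir=$(mktemp -d)
    printf 'svc-user:s3cr3t-example\n' > "$dir/credentials.txt"
    printf 'constructed-passphrase\n' > "$dir/creds.pass"   # the stored secret
    chmod 600 "$dir/creds.pass"
    encrypt_creds "$dir/credentials.txt" "$dir/credentials.txt.encrypted" "$dir/creds.pass"
    rm "$dir/credentials.txt"   # only ciphertext + passphrase file remain on disk
    load_creds "$dir/credentials.txt" "$dir/creds.pass"
    rm -rf "$dir"
}
```

Run `demo` to see the encrypted path; after it, the only files left on disk are the ciphertext and `creds.pass`, so file permissions on `creds.pass` are the whole of the protection.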