<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">There are several issues with this approach and the code below. But perhaps the clearest way to understand the issue here is to ask, "Where would the decryption password be stored?"</span><div>
<font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">-bryan<br></font><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Apr 23, 2014 at 9:48 AM, Adam Lawson <span dir="ltr"><<a href="mailto:alawson@aqorn.com" target="_blank">alawson@aqorn.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">How feasible (or unfeasible) would it be for each service to look for an encrypted conf file and use the clear text version if the encrypted file doesn't exist? The file could be all settings but technically only credentials and tokens would need this level of protection in my estimation.<div>
<br></div><div>I could envision doing this, for example, with OpenSSL as follows (bash for example):</div><div><div> #!/bin/bash</div><div> #OpenSSL file encryption</div><div>decrypt=credentials.txt</div><div>encrypt=${decrypt}.encrypted</div>
<div>if [[ $# -eq 0 ]] ; then #encrypt creds in file</div><div> read username</div><div> read -s password</div><div> #write creds to the file</div><div><span style="white-space:pre-wrap"> </span>echo ${username}:${password} | openssl des3 -salt -out $encrypt</div>
<div>elif [[ $1 = '-d' ]] ; then<span style="white-space:pre-wrap"> </span>#decrypt creds from file</div><div> openssl des3 -d -salt -in $encrypt -out $decrypt</div><div>else</div><div> echo "Error: $1 invalid. Decrypt='-d', Encrypt=no-args" >&2</div>
<div> exit 1</div><div>fi</div></div><div><br></div><div>Thoughts? It just seems (to me of course) like a meaningful design option for companies who cannot afford to give credentials to all sysadmins with sudo access to *any* of the nodes for a given solution.</div>
<div><br></div><div><br></div></div><div class="gmail_extra"><br></div></blockquote></div></div></div></div>