<div dir="ltr">Totally fair Bryan - just trying to sort through this because it came up as an audit finding. Re that last question, that's the rub for me. For a service to start, decryption requires a key. Armed with the key, a nefarious sysadmin can open the file and get the rest of the data. But I'm struggling with the all or nothing dynamic. I know in Windows, a local user/password can be set to start a service and that password cannot be identified by looking at some text file. Unix works a little differently I know. Okay, a lot differently. ; )<div>
<br></div><div>Ideas I had (feel free to blow these up):</div><div><ul><li>encrypting the conf file<br></li><li>encrypting just the tokens/passwords values within the conf file<br></li><li>starting services from a remote location which reduces the credential exposure to sysadmins<br>
</li></ul></div><div>Also open to other ideas. Is the problem statement clear though / what I'm trying to sort through? Is embedding credentials in text files best practice or is it such a common practice that the method isn't really that big of a deal? Would prefer not to boil the ocean if I can avoid it but trying to find a path forward...</div>
<div><div><br></div></div></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><div><font><div style="font-family:arial;font-size:small"><b><i><br>Adam Lawson</i></b></div><div><font><font color="#666666" size="1"><div style="font-family:arial;font-size:small">
AQORN, Inc.</div><div style="font-family:arial;font-size:small">427 North Tatnall Street</div><div style="font-family:arial;font-size:small">Ste. 58461</div><div style="font-family:arial;font-size:small">Wilmington, Delaware 19801-2230</div>
<div style="font-family:arial;font-size:small">Toll-free: (844) 4-AQORN-NOW</div><div style="font-family:arial;font-size:small">Direct: +1 (302) 268-6914</div></font></font></div></font></div><div style="font-family:arial;font-size:small">
<img src="http://www.aqorn.com/images/logo.png" width="96" height="39"><br></div></div></div>
<br><br><div class="gmail_quote">On Wed, Apr 23, 2014 at 1:30 PM, Bryan D. Payne <span dir="ltr"><<a href="mailto:bdpayne@acm.org" target="_blank">bdpayne@acm.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div class=""><span style="font-family:arial,sans-serif;font-size:13px">There are several issues with this approach and the code below. But perhaps the clearest way to understand the issue here is to ask, "Where would the decryption password be stored?"</span><div>
<font face="arial, sans-serif"><br></font></div></div><div><span class="HOEnZb"><font color="#888888"><font face="arial, sans-serif">-bryan<br></font></font></span><div class="gmail_extra"><br><br><div class="gmail_quote">
<div class="">On Wed, Apr 23, 2014 at 9:48 AM, Adam Lawson <span dir="ltr"><<a href="mailto:alawson@aqorn.com" target="_blank">alawson@aqorn.com</a>></span> wrote:<br>
</div><div class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">How feasible (or unfeasible) would it be for each service to look for an encrypted conf file and use the clear text version if the encrypted file doesn't exist? The file could be all settings but technically only credentials and tokens would need this level of protection in my estimation.<div>
<br></div><div>I could envision doing this, for example, with OpenSSL as follows (bash for example):</div><div><div> #!/bin/bash</div><div> #OpenSSL file encryption</div><div>decrypt=credentials.txt</div><div>encrypt=${decrypt}.encrypted</div>
<div>if [[ $# -eq 0 ]] ; then #encrypt creds in file</div><div> read username</div><div> read -s password</div><div> #write creds to the file</div><div><span style="white-space:pre-wrap"> </span>echo ${username}:${password} | openssl des3 -salt -out $encrypt</div>
<div>elif [[ $1 = '-d' ]] ; then<span style="white-space:pre-wrap"> </span>#decrypt creds from file</div><div> openssl des3 -d -salt -in $encrypt -out $decrypt</div><div>else</div><div> echo "Error: $1 invalid. Decrypt='-d', Encrypt=no-args" >&2</div>
<div> exit 1</div><div>fi</div></div><div><br></div><div>Thoughts? It just seems (to me of course) like a meaningful design option for companies who cannot afford to give credentials to all sysadmins with sudo access to *any* of the nodes for a given solution.</div>
<div><br></div><div><br></div></div><div class="gmail_extra"><br></div></blockquote></div></div></div></div></div>
</blockquote></div><br></div>