I'm using Play 2.1.x and I'm wondering if there is a way to encrypt passwords that might be needed for database access? I have a configuration entry that stores the database server url, user credentials for accessing the database and I do not want to leave my password as plain text. How can I have my user credentials encrypted? I want to later un-encrypt when I use them within the context of my Play server. Any pointers?
The problem is where would you store the decryption key. If you store it in the same (or similar) configuration file, the entire exercise is moot.
I am guessing that you do not want to put the plain text password in application.conf to avoid having it show up in version control system. One way of mitigating that kind of leak is to have a different store for sensitive configuration files for production systems (a different repository that has fewer accessors works nicely).
Related
We are going to encrypt Mule servers and we need to store the private key for the same as environment variable. Where it should be stored ; in wrapper or in mule-conf xml OR could there be any other way to store the same?
It really depends what goal you have in mind - keep it secret/not readable, have it common for environment, have it common in cluster, share between projects/applications, have ability to modify, etc.
The most obvious and simplest way is to keep it in mule-project.xml.
Most important is the question - from whom it should be secret and not readable? You can store it(secret) in file which is readable only by particular user ID, so nobody (except root) can read it. You can store it in system environment variable. You can change it a little on the fly so nobody (even root) knows real value. However it will be in the application anyway (just before you submit it to encryption algorithm) and you don't trust your own application it will have this secret anyway. Determine whom you not trust and block them. But you cannot block absolutely everybody.
Most likely you want to prevent one environment (like DEV) to know secret for another environment (like PROD). Then store it is system environment variable and developers will not know it for PROD. Afraid that PROD root will use this secret by itself? Modify secret inside program (like add extra word) and root could not figure it out. But if developer who knows this approach tells root how to modify secret or vive versa root tells developer what is the system variable then we are back to stage where you cannot keep secret from absolutely everybody.
I have a project running in vb.net. It's currently a very small project, so I have used XML serialization as the main way of storing information. I.e. creating a xml file in the .exe folder. and saving/reading from there.
Problem: Since the project is small, I have no SQL database setup and I would like to keep it that way. But I do want to create a user/password for access to the program.
What I have tried: I have tried using XML serialization, but hiding the xml file. Once I hide it, I'm unable to access the file (saying I have no permissions).
What's a good way to have the same utility without using SQL and not giving away security?
Hiding the file is pointless. You should simply hash the passwords and then store the data just as you do for any other data. That's exactly what you'd do if you were using a database too. When a user registers, you hash the password they provide and store the result. Anyone can then view the data without breaching security because they cannot get the original value from the hash. When a user logs in, you hash the password they provide and compare that to the value in the database and, if they match, the user is authenticated.
You should do some reading on hashing in general and also consider adding a salt for extra security, although that may not be worthwhile in this case.
I am writing a program in vb.net that requires a user to log in before he can use the application. The main user is created when the program is installed, similar to how windows works when it is installed.
The main user can add additional users to the program. I already know that I should store the passwords encrypted. My question is, where should I store the usernames and passwords? The registry, Isolated storage or .config file. I don't want any user to be able to modify/delete that file as the other user would obviously not be able to log in. Also, this file should be accessible for any user that logs into the computer.
The computer is not guaranteed to be connected to the internet, so it must be stored locally.
Thanks
To tell you the truth if someone has the will power to look for the file they will find it, so storage can help up security but I would focus on the contents of the file itself.
You could try to store the data of the application as a encrypted file which could stop the amateur attempts but as you are using the .net framework your program could could be decompiled and any symmetric encryption algorithms could be rendered useless.
I think your best bet would be to either generate a seed according to the computer the program is on, and if decryption fails call home or go into Lock Down.
Another option would be to store the encrypted (encrypted with your symmetric key) file and a hash file (in different locations probably). If the hash of the loaded file then does not match the hash file your program could then call home (If you have a home to call).
This is just a idea, haven't actually tried anything like this.
If you are not able to use windows users/credentials in any way on the machine, then there really is no absolute way to prevent the file from being removed/changed, Since anyone on the computer has the same access as the main user, who needs rights to modify the file in order for him to add users through the program.
The only way to do it for sure is to have the main user logon with a different user name, and set the file permissions on that file/folder to make sure that only the main user has modify permission to the file (and the other user account does not have the right to modify permissions). I know you said it wouldn't work in your environment(which is?) but you might be able to create users and run stuff under different credentials through your code without having the users log on any different.
The only crazy way I can think of is to create a service on the computer that once it starts running, it opens and holds a handle to that file with sharing set such that no other process can open the file for writing. You'd of course have to workout some way for the main user to be able to add users.
I'm writing a backup program for personal (for the moment at least) use.
For some directories (network directories / protected directories) credentials are needed to access them.
I can setup different jobs in the program to run at specific times.
These jobs are stored in an XML file.
I want to also store the usernames and passwords which the jobs will need.
What and where would be the best way to store these?
Changing permissions on the directories is not an option.
Thanks in advance!
You should never store the logon password for a user in Windows in order to be able to access a local directory. Instead, your backup program should run as a user that has the SeBackupPrivilege enabled (i.e. run the backup from a service that runs as the local system). This means that you won't need to change the permissions.
You may also need to make sure that you are doing a Volume Shadow Copy first that you are copying from - don't copy directly from the disk since that may cause your backup to be inconsistent.
Also, you need to take special care for encrypted files and will need to use ReadEncryptedFileRaw for this.
You could execute the backup program as a scheduled task, running as a specific user.
As for storing passwords you can store them using IsolatedStorage and using a two way encryption to make it harder for someone to decipher the file if they manage to find it.
Check out this SO question for implementing two-way encryption.
How is authentication handled in CouchDB? Say I create Admin users and Readers, and assign them roles. Say also that I assign them to an individual database. On the file system level, is there a way for someone who is not authenticating, to look at the data that is stored in the database? Is the data stored as plain text in a file? How is this handled in CouchDB?
Through the database interface, roles are just as strong as they are in any other database. As long as they can't get hold of the files, it's absolutely as secure as your permissions and passwords. However, if they do, there's absolutely no compression or encryption built into CouchDB. Encrypt the data in your code (or your abstraction layer if you use one) if file system access control is a concern - of course anyone who gets hold of your DB filesystem could probably find your code's decryption keys, as well.
It's not a plain text file, it's a binary file that combines the data and indices, but you could copy it to a local CouchDB install and view it that way, or just open it in a good text editor. The data chunks are stored in plain text (JSON, actually) and isn't hard to read, though binary attachments remain binary.