A configuration file (.yml) is being used for a rest api developed with Dropwizard (0.9.2 - latest release). Most of the credentials needed by the api such as database password secret key etc., are stored in the configuration file.
We have implemented most of the things based on the items mentioned in the reference found at dropwizard configuration reference .
The question is clear. How secure is it (storing these information in a configuration file as plain text.)? If not, what is the proper way of doing this?
Yes, it's not secure indeed. Even worse if the configuration file is committed to a public repository or for that matter any repository (version control). One way which I follow is to maintain a local copy (not to be committed to any repository) of the config (.yml) file which has all the sensitive keys & details etc and maintain another example config file which has the sensitive details masked (some dummy strings instead of actual values). This example config can be committed to your repository as it has sensitive details masked.
For all purposes of running your code locally or elsewhere use the local config file. This way you don't risk it to exposing sensitive data on a repository. There is an overhead though in keeping your example config in sync with your local copy whenever you make any modifications.
I just looked for the solution for the similar issue. I want to find an solution to not include the keystore password in the config file. Finally I got an solution for it.
Just stored credential keys in the config file. And then use a substitutor to replace the keys with it's related values. But this need a secure key value services to get the values of the keys.
Overriding server connector config with env variables with dropwizard
Related
In my ADO build pipline, I have a secure file download step. When we branch versions, we use powershell to do the heavy lifting with cloning build definitions and updating settings/info in the cloned pipeline.
One issue I've run into is that the Secure File Download step doesn't accept variables, and in the UI you can only select names of files that already exist, so we've had to manually update it after every new branch we create.
I've grabbed the definition task step in powershell (as $step) and was hoping I could set the $step.inputs.fileInputs to a variable I assign to something like cert-$newVersion, however it currently is set to a guid.
Does anyone know if it possible to get the guid of secure files in ADO via the API or have a solution?
Does anyone know if it possible to get the guid of secure files in ADO via the API or have a solution?
Yes. This API exists.
You could try to use the following Rest API:
Get https://dev.azure.com/{OrganizationName}/{ProjectName}/_apis/distributedtask/securefiles?api-version=6.1-preview.1
Result:
You could get the secure file GUID based on the file name.
people say to put pwds in envariables instead of config files
can a hacker access env vars through a trojan?
if I put my pwds in a .php file, it will be interpreted and nothing goes to client
the file sys security is old and tested so I trust .php
but what about env vars?
Environment variables are even older, and more tested than PHP.
Putting passwords in PHP is a terrible idea because you probably have multiple copies of your PHP files around (e.g. in source control, or in backups etc) which become alternate attack vectors.
Putting a password in the environment is preferable, because it's a different kind of system that the attacker has to penetrate first.
Even better yet, would be to put your passwords in a config file that is read by your PHP application, but exists in a vault or configuration repository that is only accessible to your operations team (who presumably has a need-to-know).
Of course, this is all moot if you don't have a strong secrutiy posture on your server or development environments.
That depends on the security of the cloud service provider you are using (AWS, GCP, etc), most of whom are pretty secure. If you are talking about local development server, and pushing your code to an github, just make sure to add .env to your .gitignore, and you should be good.
I need to use encryption on private/personal user data. I am going to use the following encryption library.
RbNaCL
I need a way to store the KEY outside of version control so I can run the app locally. When pushing the code to our hosting company I can put the KEY in the server env variables. Just not sure how and the best way to do it locally.
I should note that all developers working on the project use the same database so we all need the same KEY for development and staging environment.
https://www.happybearsoftware.com/how-to-actually-do-a-cryptography-in-ruby
I think what you are asking is how to keep a .env out of version control while in the repository, people collaborating should know about the what are the enviroment variables. Normally .env-sample (which is a dumy in which all variables are kept without values) is tracked and while .env is ignored (by adding it in .gitignore in case of git)
Typically, secrets never get committed to repositories. Just put them in a config file (like config.yaml or secrets.xml or env.sh or similar); copy the file (to something like config.yaml.example or secrets-skel.xml or env.sh.sample); put the first one into .gitignore (or equivalent, if you're a non-Git heretic), and replace all the secrets in the second one with placeholders. Commit the second one so that everyone who checks out the project will know the format that they should have; but the secret one never touches the repository. If you need to share keys between developers, do it in another way (from IRC/Slack/Email to encrypted USB storage device, depending on how confidential the stuff is).
If you go with YAML-ish kind of solution, in code you can try to find the file, if it is absent then use environment, or vice versa - look up environment, if no variable is there look for the config file to read from (and possibly even stuff it into ENV so you don't need another config object; you might do it in config/application.rb kind of thing. If you go with env.sh kind of approach, you can declare environment variables directly; when you need to start developing, you can source env.sh (or shorter . env.sh) to set them up.
I should note that all developers working on the project use the same database so we all need the same KEY for development and staging environment.
Store the key, and any other shared secrets, in a secure shared vault. Many password managers provide shared vaults, such as 1Password or LastPass.
Then each developer can copy the key from the shared vault and set it in their development environment.
I've tried a variety of solutions and I can't find something that works. My problem is that I want to be able to put a deployment key (what GitHub calls a personal authorization token or personal OAuth token) into an encrypted variable in my Travis settings for the repository so that the configuration file never has to change. For example, I'd like to do this:
deploy:
api_key:
secure: $DEPLOYMENT_KEY
I could now checkin code that doesn't need to be changed in order to be deployed. If multiple people were to fork my repository, they could simply add their own Travis variable and not touch the code at all.
However, I've been unsuccessful in getting this to work. What sequence would accomplish this, if it's possible at all?
Solution
I accepted the answer below that put me on the right track, although the actual text that I needed in my configuration file wasn't shown. I've put it here:
deploy:
api_key: $DEPLOYMENT_KEY
I had a "eureka!" moment and realized that any subway of 'secure:' could be replaced with an actual unencrypted value, which is what Travis inserts when you substitute an encrypted variable. (It does the decryption and puts the result into the variable, which is then substituted into the api_key by the dollar sign.)
You cannot write:
deploy:
api_key:
secure: $DEPLOYMENT_KEY
Decryption happens in an early stage of Travis CI build processing; the encrypted value will be passed on to the app which compiles the bash script to build. Since the part that is responsible for decrypting secrets doesn't know anything about $DEPLOYMENT_KEY, this configuration will fail.
To achieve what you are after, you can use the repository settings to define secrets. See https://docs.travis-ci.com/user/environment-variables#Defining-Variables-in-Repository-Settings.
Thus, I understand that:
either, you put an awful long encrypted key in your .travis.yml
or, you put an unencrypted key in a Travis environment variable, so that if any developer of the GitHub project can add in .travis.yml something like:
echo "${API_TOKEN:0:1}%POISON%${API_TOKEN:1}"
he can get your private API_TOKEN secret by reading travis logs (even if your variable is not set as DISPLAY VALUE IN BUILD LOG since this hack disrupts the usual [secure] replacement in logs)
Reminder: since GitHub API_TOKEN is not restricted by repository, that bad guy can do anything with all your repositories (write access and read access to your private repo).
NB: I found this blog post with a more safe solution (but not perfect) which requires an external server to serve temporary API_TOKEN.
Is there any other solution ?
As part of automating my jenkins setup I need to add credentials for use with any svn configuration in my build jobs.
Manually you would add a domain to here
http://< your server >:8080/credential-store/
Then add credentials here:
http://< your server >:8080/credential-store/domain/< your domain >/newCredentials
Has anyone managed to automate this? There doesn't seem to be a usable api and the xml files contain hashed passwords which stops me from just copying
files around (plus i worry about security with this)