I recently started using the Julia programming langauge and have had difficulty locating any package (or even, just, an explanation of best practice) to manage sensitive credentials, say, when connecting to a database or using various APIs.
One approach I've been using is to encode credentials into a .csv or .json file, then load the file in:
using CSV
credentials = CSV.read("C:/Users/jkix/credentials.csv")
username = credentials[:usr][1]
password = credentials[:pw][1]
The problem with this approach are obvious:
1. Julia prints the values of assignments to the screen by default, so even though the above code is portable and doesn't require any hard-coding of credentials, those credentials are visible to anyone who happens to look over your shoulder.
2. .csv and .json files store data in plaintext anyway
tl;dr: Is there a Julia package in existence for credential management?
I don't know of any package that does all the stuff. What I did, when I had to deal with it last time is encrypting the credentials (both in file and memory) using Nettle.jl and only decrypt right before accessing the service.
An alternative would be MbedTLS.jl or calling to your favorite library via run.
Related
I'm currently working on a password managing application in Meteor React and can't seem to find a way to encrypt and decrypt data on the client, with MmongoDB storing the encrypted data.
To add a little background to the task and specify what I am trying to do:
This whole application is for one single company and users are the employees only. The passwords, along with username info and some other attributes are stored in folders and users get view and edit rights to data within the folder. Passwords (along with additional info) need to be encrypted, but multiple users need to be able to access them based on the rights given to them. So when the data is encrypted, say when a person creates a password, other users with the rights to do so need to be able to decrypt this data as well. However, the decryption needs to happen on client and the server can only ever access the encrypted data.
I have tried using planifica:encryption, because it has exactly what we need for our project, but I ran into some errors and I can't get past them nor find any article about them. I have heard of Mylar in some answers to similar questions, but both Mylar and Planifica don't seem to have been updated for a few years now. I know Node.js has a crypto module, but I am not sure whether it could be used to share encrypted data among users and most importantly, how to do so.
Is there any way to do what we need for this project? I should also point out that I am relatively new to meteor and I have not dealt with encryption whatsoever, so my understanding is rather limited.
Thank you for reading!
This very much depends on the encryption you are using, but since you are interested in decrypting things client-side, it sounds like what you are looking for is the SubtleCrypto web api.
That should be all you need on top of what Meteor already provides. You should be able to use a regular meteor collection and publication to share the encrypted data with your clients, and then let them decrypt it using the above linked decrypt function. One question I'd have is how you will be able to get the decryption key to your clients while hiding it from the server, but I assume you've got that part figured out somehow.
I have a winforms application that connects to a database with a connection string and a generic user
"Database=DBADAS;Server=TMT123\\SQLEXPRESS;User ID=user; Password=*****;
After connecting into the database with a login dialog, we check if the user and password are existent in the user table from the database.
My question is now if this is a good practice? because basically in the connection string there is every information needed to crack the server.
There are a few ways to go about this safely. Since it's a Winforms app and not a web application, most of your security risks involve someone already in your network peeking at the connection string. This adds a layer of security in and of itself.
1. Hardcoded
You can hardcode the connection string that fetches the users into a DLL and make your application depend on that DLL. I only suggest this because it sounds like the "generic user" password is permanent; otherwise, you'd have to recompile code every time you changed the password, then deploy again. This is very secure, however, as the value isn't stored in plain text.
2. App.Config
You can stick it in a configuration file. Within a secured network, this is probably the most versatile option, as you can store multiple strings and easily update them without updating the full application. This goes well alongside settings like a "DebugMode" setting, etc. Using App.Config or another XML file is ideal, but you can roll a quick and dirty .txt file, too.
3. Database
Probably the most secure way of all, as you can encrypt your database and code your programs to fetch their connection strings and login information from that database by using an unrelated login. This allows greater control over what can be reached by the application when a user has not yet logged in. It also prevents the software from operating outside of the network, which may be desirable.
4. Internal API
Having a separate application serve this data divorces user capability from your concerns, as the API and your app can exchange verification keys to see if your app even has permission to try to connect. This is my personal favorite, but obviously the most work to set up.
5. Registry Entry
Depending on how you have this installed, it may work well to embed the tokens you need in the Registry. This guarantees the app requires admin permissions to install, and allows you to use Windows security to restrict access to the hive.
Again, since it's an internal non-web app, I wouldn't worry too much about the plain text of the connectionstring; if someone has gotten this far into your network, chances are you have much bigger problems already. I wouldn't leave it floating as a plain text file in a local directory, but any degree of security above that is probably acceptable for your purposes.
Encrypting Web.Config
Open Command Prompt with Administrator privileges
At the CommandPrompt, enter:
cd C:\Windows\Microsoft.NET\Framework\v4.0.30319
In case your web Config is located in "D:\Articles\EncryptWebConfig" directory path, then enter the following to encrypt the ConnectionString:
ASPNET_REGIIS -pef "connectionStrings" "D:\Articles\EncryptWebConfig"
Use Aspnet_regiis.exe tool with the –pef option and specify the application path as shown above.
Note: The parameter "connectionStrings" is case sensitive.
For Winforms: You need to rename your app.config to web.config encrypt it by using steps 1 to 3 and again rename it to app.config.
Reference: https://www.codeproject.com/Tips/795135/Encrypt-ConnectionString-in-Web-Config
I'm building a Windows Store application that uses SQLite for data storage. I have found out, that the database is easily accessible through User's local folder (actually all apps have all data publicly exposed). Is there a way to at least weakly protect the database from access?
you need to look at ProtectedData class
http://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.dataprotection.dataprotectionprovider.aspx
It exposes easy to use Protect / Unprotect methods that can be used to encrypt / decrypt that at app level. Encrypt data before writing to db and unencrypt before consuming
I also looking for the same solution and found sqlite-crypt at http://sqlite-crypt.com/download.htm
I don't know whether this one good enough or not. There is a trial version that limit passphrase to 6 characters and store it as plain text in the header. It won't be suitable if you want complete data protection. But for testing, maybe it's worth a try. I don't have a chance to test it yet since I still working on the server side of my project. I'll update it when I've test it in the future.
EDIT: Ok. I've test the trial version and it's worked well with modificated version of SqliteWinRT wrapper on codeplex. Note that the trial is limited to 5-6 characters of passphrase and this phasephrase is stored in plain text, plus it's in x86 compiled binary, which means it won't work for actual product which need ARM support. You have to purchase the binary to get the production-ready binaries.
For Windows.Forms, I have an application that needs to get a unique install id for each install from my server, and then persist this data so once registered, the install ID is included on all communications back to the server. The application is in occasional contact with the server.
How can I persist this data on the client in a way that is not easily tampered with?
First, you should note that if the data is on the local file system and your application can read and write it, it will always be possible for a determined user to tamper with it... perhaps not easy, but possible nonetheless.
That said, there are a number of options you could consider, including (but not limited to) :
encrypting the data with a key defined in your assembly : pretty safe is the user has no programming skills, but an advanced user could disassemble your app to find the key. Obfuscation could make it harder to extract the key, but not impossible.
using an isolated storage : I'm not sure whether the data is encrypted or not, but at least it's not easily found, hidden in a deep folder hierarchy... Not so safe is the user knows where to look, however
writing the data in a binary format, which makes it harder to read or modify for a non expert user
using a piece of native code to encrypt the data : similar to the first option, but a native DLL is harder to disassemble than a .NET assembly, so it requires more skills to find the key
Again, all these approches are not bulletproof : as long as your program can access the data, an advanced user could always reverse engineer it and do the same...
You could save the data in the windows registry. You'll use the [HKCU\Software\YourAppName] hive key if it's a per-user setting, or [HKLM\Software\YourCompany] if it's a global setting. However, the data would need to be encrypted, because its trivila to get the values in these keys
Application: Building a small application for maintaining schedules of activity. It queries a MSSQL database. Storage for schedules is written to the MSSQL DB as well.
I've reviewed a large number of posts on stack overflow as well as googled extensively on securing the database.yml file. Maybe it's just me but I'm left with some major questions still.
1) Why exactly is storing my password in plain text in database.yml insecure? Is it because that method of storing password information is insecure in itself? Or is it because when publishing to a git repository you may inadvertently publish your database passwords in plain text?
2) If storing passwords in plain text under root/config/database.yml is insecure, why do I see a number of references to creating another yml file in the same directory to store the password? I see that some people are setting up a config.yml and creating global variables that can be used in database.yml. If this is more secure, why?
http://railscasts.com/episodes/85-yaml-configuration-file
My gut feeling is I'm missing some important knowledge on how to properly secure my database credentials. I'm really looking for an exhaustive explanation on what needs to be done to secure my credentials for sql.
Edit: I just wanted to update the context of this. I understand the need to encrypt passwords out of plain text - but I didn't understand why it seemed OK to store plain text password in other YML files.