This question already has answers here:
Java Play Encrypt Database Password
(2 answers)
Closed 7 years ago.
I have an application that talks to the database for which I have to load the credentials for the database connection from my application.conf. I would like to have my credentials, at least the password encrypted in the application.conf file. I was not able to find some good documentation on how this fits together with Play.
I mean I can use any encryption library, encrypt the password, store it to the application.conf and decrypt when I connect to the database. What I want to know is some suggestions on how this fits with Play framework. Is there some built-in plugin or something that I can use for encryption?
You shouldn't need to encrypt anything inside your own system. Just make sure your server is secure.
Since you will need to let your application access the password, an attacker who has access to your system would be able to get to your password anyway.
But never ever check your passwords into git (or subversion or whatever)!
Instead what you should do is this:
Add this line to your application.conf:
include "secret.conf"
Create the secret.conf in your conf-folder and save all your credentials in this file.
Add secret.conf to your .gitignore, so it doesn't go into your Git.
Manually add and update the secret.conf-file on your server.
If you are on a Linux-system it's also smart to control read access to the secret.conf-file like #Roman said:
Make sure only the user running play has rights to read that file.
Actually it would be useless to encrypt your db credentials. That way you must store somewhere a key to decrypt the credentials, which leads to exactly the same problem.
Instead you could store an application-prod.conf on your production server where you can overwrite application.conf properties. Make sure only the user running play has rights to read that file.
include "application"
db.default.password="yoursecret"
Then run your application:
/path/to/yourapp/bin/yourapp -Dconfig.file=/path/to/application-prod.conf
The same approach is used to protect the application secret. See https://www.playframework.com/documentation/2.4.x/ApplicationSecret and https://www.playframework.com/documentation/2.1.x/Configuration.
Related
I'm currently working on a password managing application in Meteor React and can't seem to find a way to encrypt and decrypt data on the client, with MmongoDB storing the encrypted data.
To add a little background to the task and specify what I am trying to do:
This whole application is for one single company and users are the employees only. The passwords, along with username info and some other attributes are stored in folders and users get view and edit rights to data within the folder. Passwords (along with additional info) need to be encrypted, but multiple users need to be able to access them based on the rights given to them. So when the data is encrypted, say when a person creates a password, other users with the rights to do so need to be able to decrypt this data as well. However, the decryption needs to happen on client and the server can only ever access the encrypted data.
I have tried using planifica:encryption, because it has exactly what we need for our project, but I ran into some errors and I can't get past them nor find any article about them. I have heard of Mylar in some answers to similar questions, but both Mylar and Planifica don't seem to have been updated for a few years now. I know Node.js has a crypto module, but I am not sure whether it could be used to share encrypted data among users and most importantly, how to do so.
Is there any way to do what we need for this project? I should also point out that I am relatively new to meteor and I have not dealt with encryption whatsoever, so my understanding is rather limited.
Thank you for reading!
This very much depends on the encryption you are using, but since you are interested in decrypting things client-side, it sounds like what you are looking for is the SubtleCrypto web api.
That should be all you need on top of what Meteor already provides. You should be able to use a regular meteor collection and publication to share the encrypted data with your clients, and then let them decrypt it using the above linked decrypt function. One question I'd have is how you will be able to get the decryption key to your clients while hiding it from the server, but I assume you've got that part figured out somehow.
I recently started using the Julia programming langauge and have had difficulty locating any package (or even, just, an explanation of best practice) to manage sensitive credentials, say, when connecting to a database or using various APIs.
One approach I've been using is to encode credentials into a .csv or .json file, then load the file in:
using CSV
credentials = CSV.read("C:/Users/jkix/credentials.csv")
username = credentials[:usr][1]
password = credentials[:pw][1]
The problem with this approach are obvious:
1. Julia prints the values of assignments to the screen by default, so even though the above code is portable and doesn't require any hard-coding of credentials, those credentials are visible to anyone who happens to look over your shoulder.
2. .csv and .json files store data in plaintext anyway
tl;dr: Is there a Julia package in existence for credential management?
I don't know of any package that does all the stuff. What I did, when I had to deal with it last time is encrypting the credentials (both in file and memory) using Nettle.jl and only decrypt right before accessing the service.
An alternative would be MbedTLS.jl or calling to your favorite library via run.
I have a winforms application that connects to a database with a connection string and a generic user
"Database=DBADAS;Server=TMT123\\SQLEXPRESS;User ID=user; Password=*****;
After connecting into the database with a login dialog, we check if the user and password are existent in the user table from the database.
My question is now if this is a good practice? because basically in the connection string there is every information needed to crack the server.
There are a few ways to go about this safely. Since it's a Winforms app and not a web application, most of your security risks involve someone already in your network peeking at the connection string. This adds a layer of security in and of itself.
1. Hardcoded
You can hardcode the connection string that fetches the users into a DLL and make your application depend on that DLL. I only suggest this because it sounds like the "generic user" password is permanent; otherwise, you'd have to recompile code every time you changed the password, then deploy again. This is very secure, however, as the value isn't stored in plain text.
2. App.Config
You can stick it in a configuration file. Within a secured network, this is probably the most versatile option, as you can store multiple strings and easily update them without updating the full application. This goes well alongside settings like a "DebugMode" setting, etc. Using App.Config or another XML file is ideal, but you can roll a quick and dirty .txt file, too.
3. Database
Probably the most secure way of all, as you can encrypt your database and code your programs to fetch their connection strings and login information from that database by using an unrelated login. This allows greater control over what can be reached by the application when a user has not yet logged in. It also prevents the software from operating outside of the network, which may be desirable.
4. Internal API
Having a separate application serve this data divorces user capability from your concerns, as the API and your app can exchange verification keys to see if your app even has permission to try to connect. This is my personal favorite, but obviously the most work to set up.
5. Registry Entry
Depending on how you have this installed, it may work well to embed the tokens you need in the Registry. This guarantees the app requires admin permissions to install, and allows you to use Windows security to restrict access to the hive.
Again, since it's an internal non-web app, I wouldn't worry too much about the plain text of the connectionstring; if someone has gotten this far into your network, chances are you have much bigger problems already. I wouldn't leave it floating as a plain text file in a local directory, but any degree of security above that is probably acceptable for your purposes.
Encrypting Web.Config
Open Command Prompt with Administrator privileges
At the CommandPrompt, enter:
cd C:\Windows\Microsoft.NET\Framework\v4.0.30319
In case your web Config is located in "D:\Articles\EncryptWebConfig" directory path, then enter the following to encrypt the ConnectionString:
ASPNET_REGIIS -pef "connectionStrings" "D:\Articles\EncryptWebConfig"
Use Aspnet_regiis.exe tool with the –pef option and specify the application path as shown above.
Note: The parameter "connectionStrings" is case sensitive.
For Winforms: You need to rename your app.config to web.config encrypt it by using steps 1 to 3 and again rename it to app.config.
Reference: https://www.codeproject.com/Tips/795135/Encrypt-ConnectionString-in-Web-Config
I'm working on a website in JSP (in GWT really, but on the server side, it's really just JSP), and I need to configure my database.
I know HOW to code in the database connection etc, but i'm wondering how/where the database config should be saved.
To clarify my doubt, let me give an example; in PHP, a website usualy has a config.php, where the user configures the database, user, etc (or an install.php generates it).
However, since JSP is bytecode, I can't code this info into my site and have the user modify it, nor can I modify it analogously to an install.php.
How should I handle this? what's the best/most common practice ? I've found NO examples of this. Mainly, where should the config file be stored?
There are several possibilities to do this, what I've seen done include:
Having database credentials in a special file, usually db.properties or some simple XML file that contain the required information (driver, url, username, password, any ORM parameters if needed). The properties file would be placed under WEB-INF or WEB-INF/classes; the downside of this approach is that the user would have to modify the file inside the WAR before deploying it to the application server.
Acquire the database connection via JNDI and expect it to be provided by the application server. This seems to be the most common way of doing this; on the upside, your WAR doesn't have to be changed, however, the downside is that configuring a JNDI data source is different for every application server and may be confusing if your system administrators are not experienced with Java technology.
Application: Building a small application for maintaining schedules of activity. It queries a MSSQL database. Storage for schedules is written to the MSSQL DB as well.
I've reviewed a large number of posts on stack overflow as well as googled extensively on securing the database.yml file. Maybe it's just me but I'm left with some major questions still.
1) Why exactly is storing my password in plain text in database.yml insecure? Is it because that method of storing password information is insecure in itself? Or is it because when publishing to a git repository you may inadvertently publish your database passwords in plain text?
2) If storing passwords in plain text under root/config/database.yml is insecure, why do I see a number of references to creating another yml file in the same directory to store the password? I see that some people are setting up a config.yml and creating global variables that can be used in database.yml. If this is more secure, why?
http://railscasts.com/episodes/85-yaml-configuration-file
My gut feeling is I'm missing some important knowledge on how to properly secure my database credentials. I'm really looking for an exhaustive explanation on what needs to be done to secure my credentials for sql.
Edit: I just wanted to update the context of this. I understand the need to encrypt passwords out of plain text - but I didn't understand why it seemed OK to store plain text password in other YML files.