in reply to Storing credentials in a cross-platform binary file?

OP here: just to provide some additional info on the audit requirement. As some mentioned, you cannot stop a determined hacker, and that's not necessarily the point of the requirement. The idea is you shouldn't just hand credentials to anyone walking by whether they need them or not. According to the requirement, you shouldn't have code in your script like this:

use DBI;
# Hard-coded credentials, the pattern the audit requirement forbids
my $DBH = DBI->connect('dbi:mysql:host=server.example.com', 'dba', 'mydbapassword');

The idea is you store the credentials in an external file that never hits version control (many people don't think about passwords sitting there). The passwords in the external file are encrypted, so that should the file fall into the wrong hands (misconfigured web server, file symlinked into FTP root, etc) the passwords aren't easily obtainable. Likewise, if someone gains access to your source code repository they shouldn't be able to gain DB/LDAP/web service passwords from the code. Lastly, with passwords in a separate file you can be more pedantic about file-system ACLs to control access to the file, in addition to the other safeguards in place. So, ultimately it's a good requirement, I'm just surprised there's no existing CPAN module to implement it.

Thanks to all for your help! I think I will go down the road of serializing the credentials and encrypting the resulting file. Who knows, maybe I'll try to contribute my work to CPAN (with my company's approval) for others.

Re^2: Storing credentials in a cross-platform binary file?
by juster (Friar) on Sep 12, 2008 at 05:56 UTC

    I think jdrago_999 hit the nail on the head and you may have missed it. I'm no cryptographic genius but you haven't mentioned the keys. Access to the "password file" is a moot point after passwords are encrypted... almost.

    I would encrypt each password with different keys so that the LDAP, web server, database password are encrypted with separate keys. You could then limit access to the key files with ACLs. The scripts could only access the keys corresponding to the passwords they need.

    With this concept something as simple as a serialized hash could contain the encrypted password data. Then you would access whatever password you needed by name via hash element. You could use Crypt::CBC to encrypt/decrypt the cyphertext and use them in your scripts.

    The key here is (are?) the keys.
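Putting juster's scheme into code, as an added example that is not part of the thread: a serialized hash of ciphertexts, one key file per credential, so a script can only decrypt the entries whose key file the file-system ACL lets it read. The paths are hypothetical, and it assumes Crypt::CBC 3.x (for `-pbkdf`) with the CryptX AES cipher and the core Storable module.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Storable qw(nstore retrieve);   # core module: serializes the hash of ciphertexts
use Crypt::CBC;                     # CPAN module suggested in the thread

# One key file per credential (hypothetical paths). The ACL on each key file,
# not on the credential file, decides which scripts can recover which password.
my %key_file = (
    db   => '/etc/myapp/keys/db.key',
    ldap => '/etc/myapp/keys/ldap.key',
);
my $cred_file = '/etc/myapp/credentials.stor';   # hypothetical path, kept out of VCS

sub read_key {
    my ($name) = @_;
    open my $fh, '<', $key_file{$name}
        or die "cannot read key for '$name' ($key_file{$name}): $!";
    my $key = do { local $/; <$fh> };
    close $fh;
    chomp $key;
    return $key;
}

sub cipher_for {
    my ($name) = @_;
    return Crypt::CBC->new(
        -key    => read_key($name),
        -cipher => 'Cipher::AES',
        -pbkdf  => 'pbkdf2',   # stretches the key and adds a random salt per ciphertext
    );
}

# Run once by an administrator who may read every key file.
sub store_credentials {
    my (%plain) = @_;
    my %enc = map { $_ => cipher_for($_)->encrypt($plain{$_}) } keys %plain;
    umask 0077;   # credential file readable by its owner only
    nstore(\%enc, $cred_file) or die "cannot write $cred_file";
}

# Run by a script at start-up; it can only decrypt entries whose key file it may read.
sub fetch_credential {
    my ($name) = @_;
    my $enc = retrieve($cred_file);
    die "no credential named '$name'" unless exists $enc->{$name};
    return cipher_for($name)->decrypt($enc->{$name});
}

# Example: store_credentials(db => 'secret1', ldap => 'secret2');
#          my $db_pw = fetch_credential('db');   # works only if db.key is readable
```

A script run under a user with no read permission on `ldap.key` dies inside `read_key` and never sees the LDAP password, even though it can read the whole credential file.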