So I have some passwords stored in POM file under profiles and I want them to be hidden or encrypted. Is there any way I can do this without maven encryption.
Related
This post is somewhat similar to the link below. Unfortunately, I do not have enough reputation to ask a question there, so I am asking it here.
Confused on what is the correct procedure on storing passwords in Web.config for Azure deployment
The post above seems to work well if you are deploying to Azure because Azure provides a UI for you to store sensitive data, such as; passwords and keys. Thus, negating the need for an external file. However, if I am not deploying to Azure, then this functionality is assumed to not be available via other web hosting companies and so that answer does not apply.
My question is this, what is the best way to protect sensitive data both from being transmitted over the internet and from malicious users who manage to get the *.config file containing the sensitive data? Some ideas that I have though of are below.
1.) Place the sensitive data in an external file (AppSettingsSecrets.config) that is two folders up on the directory tree?
2.) Place the sensitive data in an external file (AppSettingsSecrets.config) that is in the same project, but set the file's build action to None?
3.) Place the sensitive data in the web.config file, but encrypt the section of the file that contains the sensitive data?
The reason for securing sensitive data within the *.config file itself is that in the event a malicious user manages to get the file containing the sensitive data they will be prevented from reading the sensitive data. All three options only seem to address the first question (preventing sensitive data data from being transmitted over the internet), but option 3 only seems to also address preventing malicious users who get the *.config file from reading the sensitive contents. If that is the case, then it seems like all three options are moot with respect to what file to put the sensitive data and where that file is located; just encrypt the portion of the web.config file that contains the sensitive data and move on. Am I missing something?
I created two handy batch files that encrypt and decrypt the appSettings and connectionStrings sections of the web.config file:
EncryptWebConfig.bat
#ECHO OFF
REM ENCRYPT THE CONTENTS CONTAINED IN THE appSettings SECTON OF THE WEB.CONFIG FILE
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pef "appSettings" "Folder path to web.config"
REM ENCRYPT THE CONTENTS CONTAINED IN THE connectionStrings SECTON OF THE WEB.CONFIG FILE
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pef "connectionStrings" "Folder path to web.config"
REM PAUSE FOR VERIFICATION ON THE SCREEN OF WHAT HAPPENED.
PAUSE
#ECHO ON
DecryptWebConfig.bat
#ECHO OFF
REM DECRYPT THE CONTENTS CONTAINED IN THE appSettings SECTON OF THE WEB.CONFIG FILE
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pdf "appSettings" "Folder path to web.config"
REM DECRYPT THE CONTENTS CONTAINED IN THE connectionStrings SECTON OF THE WEB.CONFIG FILE
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pdf "connectionStrings" "Folder path to web.config"
REM PAUSE FOR VERIFICATION ON THE SCREEN OF WHAT HAPPENED.
PAUSE
#ECHO ON
I will try to give my suggestion which was already mentioned by you. The most secure way is do not put sensitive data in web config as much as possible and if their's really a need you MUST encrypt it using this method which is option 3 and move on!
Hold on, move on to what? You must move on to other security aspect of your application. Securing web config section doesn't guaratee full protection. You must harden your server, secure communication, pentesting or conduct online vulnerability test and even source code scanning. It may sounds overkill and rediculus but if you really want to mitigate security issues those I mentioned is a must. I say mitigate because now a days you and me are not secure any more! Not unless you are not connected to the internet. :)
Update : These are the tools that may help you. Some are free and some are not. It's not limited only to this
OWASP - for pentesting (free)
Nessus - for system hardening (enterprise)
CIS CAT - tech stack like OS, Database, WebServer etc. (membership only)
IBM AppScan - for source code scanning (enterprise)
If you don't want to bother doing on your own, you can delegate this security testing in third party like whitehatsec.
Alright, that's all that I have. I'm out! :)
Why is the /app/config/parameters.yml file in symfony/symfony-standard .gitignore file? I thought the live (prod) settings of a project are defined in this file.
Yes, settings are defined in that file but it's added to .gitignore file because you don't want to store things like database password or csrf token in version control system as this is data which should be kept secret.
You have parameters.yml.dist file which is meant to keep placeholders for such data and running composer install will check if all data defined in parameters.yml.dist is present in parameters.yml. If not it will as you to provide it.
Check best practices for more info
I've had a very frustrating experience on putting an MVC 5 app on Azure. I have been reading the following page: http://www.asp.net/identity/overview/features-api/best-practices-for-deploying-passwords-and-other-sensitive-data-to-aspnet-and-azure
But what I haven't managed to put in my head is the following:
Security Warning: Do not add your secrets .config file to your project or check it into source control. By default, Visual Studio sets the Build Action to Content, which means the file is deployed. For more information see Why don't all of the files in my project folder get deployed? Although you can use any extension for the secrets .config file, it's best to keep it .config, as config files are not served by IIS. Notice also that the AppSettingsSecrets.config file is two directory levels up from the web.config file, so it's completely out of the solution directory. By moving the file out of the solution directory, "git add *" won't add it to your repository.
And:
Security Warning: Unlike the AppSettingsSecrets.config file, the external connection strings file must be in the same directory as the root web.config file, so you'll have to take precautions to ensure you don't check it into your source repository.
The problem is the following: When I upload the Web.config file with the external files without being included I get hit by "The System cannot find the file specified", so for it to go away I must include the .config files defeating the purpose of Microsoft's post.
I really really really do not understand. I have added the connectionStrings and appSetting's keys in Azure's portal. What is the correct and secured way of putting my passwords and secrets online? What am I missing? Is it because I'm running in Debug mode?
According to this:
How can I secure passwords stored inside web.config?
There is nothing to worry about accessing the Web.config file...
But that just defies Microsoft's post.
Thanks.
I find the following technique to be the easiest way to do this.
Instead of putting the deployment values of these settings into the web.config, I keep the test values in there instead. I then put the deployment values into the Application Settings section of the Azure Website via the Azure Portal:
When the website runs, these settings will take precedence over what is in the web.config. This helps me avoid externalized files, allows me to keep sane development configuration that the team can share, and makes deployment very easy.
The best way is to set your secrets in the Connection Strings section of the portal. Any values set there will override values you specify in your web.config file.
This way they are only exposed to people who have admin access over the site itself. Having full access to the source won't even be enough to get the secret values.
More details here
I encrypted some files in order to hide them, but I didn't know about it much and didn't do things right I guess. (from 'advanced' option i.e. beside the hidden attribute in properties)
So now I cant access these files as they show: I don't have permissions to access them.
I tried to import certificates from 'personal' store in 'crtmgr.msc' to that folder where these files belong. But failed (a pfx file was generated/exported and I imported it again too).
P.S: And one more thing, I had to reset my windows 8.1 after I encrypted them once. Hope someone from here can definitely help me if possible. Thanks.
My aim is to make the web.config not readable by external users, but my application should be able to access it. Is there any way to do this?
I have tried the following way, but how to set the application to use string instead of web.config?
I want to encrypt my web.config file so that others do not open the file using any editor like notepad. But my application should be able to use the same web.config file. I could encrypt the web.config file and decrypt it inside the application and I saved the entire web.config to a string file. Now I want to use this string variable instead of web.config(now in encrypted form, which cannot be accessed by the application).
There's an inbuilt mechanism for doing this, please see the tutorial:
http://weblogs.asp.net/scottgu/archive/2006/01/09/434893.aspx
Use the Aspnet_regiis.exe utility to do this.