How are credentials stored and encrypted in Nexus OSS 2.14? - nexus

I couldn’t finy anything in the documentation, knowledge base nor on the web on how credentials (local users) are stored by Nexus OSS 2.14.
The only hint was a release note of 2.5 about introducing salted hashes.
Where in the data dir are credentials saved? What algorithms are used to encrypt them?
I’m thankful for any hint.

Related

Encrypted environment variables in .net core app

In my .net core app (.net5), I'd like to store my environment variables values encrypted. This means I need to decrypt the values when loaded via EnvironmentVariablesConfigurationProvider. For example,
SET Product_SecretKeyEnc=#$SELOW#RLJLSKDFJ
In the product I'd like this realized as a configuration value "SecretKey" with a value of "DecryptedString"
So, I'd like to translate the key and the value during bootstrap.
This application is hosted in AWS Elastic Beanstalk which does not have integration with AWS Secrets Manager. AWS EB docs recommends storing configuration in environment variables. But I understand these are not secured. My intent in encrypting the environment variables is to prevent someone from getting a dump from being able to get anything useful.
Note: Andrew Lock does have a great blog post on using AWS Secrets Manager from .net core. But I thought the encrypted environment variables would suffice.
I agree with the commenter that you may be XY'ing this a bit, and that storing encrypted environment variables is not a good idea.
That said, if you persist, then what you need to do is implement your own provider derived from EnvironmentVariablesConfigurationProvider that knows how to identify which environment variables are encrypted and knows how to decrypt them.
You'd then add it to the set of configuration providers in the usual way.

Protect AES key used in R code

I have written an R package that connects to some services
requiring username and password.
I want to avoid typing my username and password
every time, so I have my package read them from a file
encrypted using AES (I use the digest package in a way similar to the answer to this question: How do I read an encrypted file from disk with R)
The AES key is generated when a user installs the package and it is used to encrypt and decrypt the users credentials.
This way the users only need to insert their credentials once at the moment
of installation and then do not need to write them in any place in the code.
However if somebody gets access to their laptop, it is very easy for him to
decrypt the credentials using the key generated by my package.
Is there any way I can protect the key (possibly in a cross-platform manner,
since the package has to be used in Windows, Linux and Mac)?
The best way to protect encryption keys are Hardware Security Modules like Thales PayShield / nCipher or SafeNet PSO / PSW / Luna, etc... The Key Encryption Keys (KEK) are stored on separate devices and in OS you just keeping cryptograms, keys encrypted under secret key to which you can not get any access (such devices are strongly secured from "intrusion"), The code to use such devices you can write on Java or Python for example, it will make your software OS independent. But it costs some money :)

Hashing database acess passwords in R scripts

I have some R scripts which rely on ODBC to retrieve data from a server database. Although this is shared within my team only, we wish to hash the database access password nevertheless. Greatly appreciated if fellow users could share best approaches for doing so. Thanks.
What you probably want is PKI: store the password as vector encrypted through PKI.encrypt, with a key shared between team members, and then prompt the user to decrypt it which requires the key only your team has - when the script first runs. R is sort of slim on encryption/decryption packages; you basically have PKI and digest which is asymetric, and that's it.

The Microsoft Crypto API (CAPI) in powerbuilder

I'm looking for examples information on how to extract certificate information from the windows certificate store and perform operations like verifying signatures using the retrieved certificates.The particular certificate will be provided via a USB token. Any help or pointers would be much appreciated, thanks.
There is a Cryto sample program available on Sybase code-exchange, it may require logging into the Sybase site and you'll need to migrate it to your current version of PB. The download location is:
http://downloads.sybase.com/codexchange/powerbuilder/923/PBCrypto.zip
Also, you can find some code samples of using Crypto API on a Windows machine here:
http://www.rgagnon.com/pbdetails/pb-0170.html

asp.net keystore for password storage?

I know that encrypted passwords can be stored in the web.config or hashed and salted passwords can be stored in a database, but is it possible to store passwords in something like a keystore?
Would a keystore even be a good idea to store 'service account' passwords that are needed by an application?
The closest analogue to a Java keystore in .NET/Windows world is DPAPI (http://en.wikipedia.org/wiki/Data_Protection_API). It stores encrypted values in the Windows registry, with the encryption key derived from system or user account level secrets.
It is in fairly wide use, though a paper was released at the 2010 Black Hat DC Conference detailing a crack against it (Google Docs).
Prior to that paper (and if MS fixes it at some point) I would highly recommend DPAPI for exactly what you are describing.
At this point, using DPAPI is probably (and unfortunately) the best option. A mitigating factor is that the crack is highly technical, difficult to execute, and requires quite a bit of OS access to pull off. A breach of a DPAPI key is most likely to be pulled off by a trusted insider with access to the system, as opposed to an external attacker.

Resources