We have Artifactory OSS that currently use the default DB and we want to move to MS-SQL. According to the regular links - we need to write the MSSQL password in clear text in the db.properties file.
Can the password be encrypted somehow, so the Artifactory will know how to decrypt and use it
You should be able to activate encryption using the REST API. See the documented API.
This should create an encryption key and apply it on the db.properties where the username and password are stored.
I hope this helps.
What I found was that after switching to MS-SQL and starting Artifactory- Artifactory has encrypted the password.
In the admin->Security->Security Configuration there is a section for Password encryption that you can choose to encrypt all password in configuration files
Related
According to the jetty docs: https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html#og-password if the keystore is password protected, I need to define that password in a configuration property in start.ini . The problem I'm running into is that I'm building that config from a script as part of the deployment process. If I'm going to be storing the password in a script, I need some way to encrypt it, otherwise it defeats the purpose of having a password in the first place.
Does anyone know if this is possible? The best I could find is obfuscation (OBF) which isn't much better than plain text from a security perspective. If not, how do I keep the keystore password secure?
I am developing an application that'll decrypt encrypted files when a user successfully logs in. From what I understand, OpenSSL does not have a built-in function for this. So what I plan to do is zip up a folder and encrypt the zip file when I want to encrypt the directory and the reverse when I want to decrypt it. I will use the aes-256-cbc algorithm. The problem is, a user could change their password in my application, so the new password will generate different key and IV pair meaning that I can't decrypt the folder. Does anyone have any suggestions? Login credentials are verified on the server and encrypted zip files are located on the computer running the client application.
The problem is, a user could change their password in my application, so the new password will generate different key and IV pair meaning that I can't decrypt the folder.
The practice is not to use the user credentials to encrypt the data. If the user forgets his credentials, the user is done for.
Login credentials are verified on the server and encrypted zip files are located on the computer
That's actually giving you an option. If you don't want to store the encryption key on the client side, the server could send the key back as a part of the response and the client application could use it to decrypt or encrypt the data.
I have an ASP.NET Core 2.0 WebAPI application that has Db ConnectionString in appSettings.json.
While in development it has this value:
"DefaultConnection":"Server=localhost;Database=Tyroll;Trusted_Connection=True;MultipleActiveResultSets=true"
and only when we publish it to production we change this with appropriate passwords, by using VS 2017 publish profile.
So SQL server passwords for are not stored on repository and no problem there.
The file appsettings.json is protected by IIS
The question I wonder is should this password be somehow 'hidden' even on IIS?
One reason being additional security, so that SQL credentials are not in plain text in case of breach here.
Another for some authorization scenario where IIS admin should not have directly access to SQL server.
I figure it could be encrypted and the app itself will have key for decrypting it. This would not be 100% secure since in the case of breach on IIS even this key could be reverse engineered from the app, but it would make it more difficult then when it's there in plain text.
So first question is should I be doing this at all?
And second if 1.Q is Yes, what would be the best / recommended way to do it?
Is there some built in tool for this in .NetCore2 or VS2017 or IIS, or some other tool?
Here are some related links:
reddit aspnet_core_appsettingsjson_security_question
stackoverflow is-appsettings-json-protected-by-iis
itprotoday passwords-webconfig
keeping-secrets-in-asp-net-core
I would suggest that you should user Active Directory Integrated security for accessing the database , the App Pool can run under the user account and that particular user account will only have the required access to the database . This safeguards the user credentials in case of an attack since the password is never exposed.
Solution I implemented is making custom encryption of Password in ConnectionString.
But since the App needs to the decrypt it, it is more an Obfuscation.
For encryption I have used AES (using System.Security.Cryptography) and the key is stored: half in connectionString itself and other half hardCoded in the Application.
In addition regex was used to extract Password from ConnectionString and then was replaced with decrypted string of it.
I am trying to send an email using gmail smtp server. As the from address and password is needed for authentication, I have to set the same in web.config. And I wish the same to be in an encrypted format.
Ofcourse I am able to encrypt the values using' C:\Program Files (x86)\Ektron\CMS400v(x)\Utilities\ EncryptEmailPassword.exe' and so that I can set the values as encrypted form in Web.config file.
But how can I decrypt the values to its original form in code behind for the smtp server to authenticate.
I understand that you want to encrypt login and password stored in Web.config, best way to use it implemented in asp.net mechanism for that rather then Ektron.
Here you have an example how to do it on connectionstring but you can use any section to encrypt just change connectionstring parameter to something else.
http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx
Short of de-compiling the Ektron code to obtain the keys, the encrypted text cannot be decrypted.
The Ektron encryption and app settings are for using the Ektron API to send emails. You don't need to decrypt because the Ektron library will do it for you.
As #Cezary states, one option is to not use Ektron email API and use ASP.Net.
I have a Windows batch file which runs periodically to update data on my MySQL database. I now want to make the batch file secure so that no-one can see the password used to connect to the database. I have thought of two potential solutions:
Encrypt the password in the batch file
Encrypt the entire file.
Id prefer to go with option 1. Is there a quick method to encrypt a password which can be used in a batch file?
Only encrypting the password just moves the problem to how you secure the decryption key.
If you're on NTFS you should secure the whole file instead. On the file properties encryption is accessed by the Advanced... button under Attributes, and access controls are on the Security tab.