How to encrypt password? #106
Comments
Hello @kenhys Sorry for replying late, I thought this was a dead forum and wasn't expecting any reply over here. The environment is the last option for me, but still, it is a security threat. Also, one more issue I faced recently: if you specify a host like hostName/sqlInstanceName it doesn't work; on one server there is a possibility of having more than one server instance.
Can we write some custom encryption logic inside
Hello @repeatedly @kenhys @frsyuki @cosmo0920 @ashie @ganmacs Can you please help? This is such a big security loophole.
@kenhys Do we have any working solution? This issue has been escalated, so we need some workaround ASAP.
Generally speaking, encrypting the password here doesn't make sense. Writing plain-text credentials in the config file isn't fluent-plugin-sql specific; most applications use the same approach, such as Rails applications. If you have a special reason that makes the encryption meaningful, please describe it.
@ashie Yes, we do have to enter the password manually at every start of the Fluentd process. More than that, for us, no matter if it is a system password, DB password, or any other password, it can't be in plain text; that is our company security policy. We don't care about attackers right now or any other scenario you described, it's just that it has to be encrypted, so I request you to please help me with a possible solution as soon as possible.
Rails 5.2 or later supports encrypted credentials by
We might be able to introduce a similar feature if it's really required by many users.
@ashie I request you to please introduce that.
I was under the impression this feature would be available. I started browsing for some syntax to enable encryption and unfortunately I didn't find anything, so when I checked the code it was completely missing. I upvote this feature; can we have it in the next version soon?
I think we can use "config/credentials.yml.enc" of Rails for the encrypted password. Though, looking for a solution, elastic cache and other plugins have the same feature, but not the SQL and Oracle plugins.
Hello @ashie |
We don't have an actual plan for it yet. BTW, I think your requirement can be realized without modifying either this plugin or Fluentd core.
```ruby
#!/usr/bin/env ruby
require 'openssl'
require 'fileutils'

# Encrypts the credential file (user on line 1, password on line 2) into
# PATH + ".enc" with a key taken from the environment, and decrypts it again
# from inside the Fluentd config, e.g.
#   username "#{require('/etc/fluentd/mycredential'); MyCredential.decrypt(:user)}"
class MyCredential
  PATH = ENV["MY_CREDENTIAL_PATH"] || "/etc/fluentd/credential.txt"
  ENCRYPTED_PATH = PATH + ".enc"
  # The master key must be present in the environment of both the install
  # step and the Fluentd process itself.
  KEY = ENV["MY_CREDENTIAL_KEY"]
  SALT = ENV["MY_CREDENTIAL_SALT"] || "a9bab8f6-5db7-4693-81e8-93951d2c2468"

  # Derive key and IV from KEY and SALT. The IV is derived rather than random
  # and the default SALT is a constant, so the same file and key always
  # produce the same ciphertext.
  def self.setup_cipher(cipher)
    raise "MY_CREDENTIAL_KEY is not set" if KEY.nil? || KEY.empty?
    key_iv = OpenSSL::PKCS5.pbkdf2_hmac_sha1(KEY, SALT, 2000,
                                             cipher.key_len + cipher.iv_len)
    cipher.key = key_iv[0, cipher.key_len]
    cipher.iv = key_iv[cipher.key_len, cipher.iv_len]
    cipher
  end

  def self.encrypt
    data = File.binread(PATH)
    enc = OpenSSL::Cipher.new("AES-256-CBC")
    enc.encrypt
    setup_cipher(enc)
    enc.update(data) + enc.final
  end

  # field = :user returns line 1, :pass returns line 2, nil returns everything.
  def self.decrypt(field=nil)
    # binread: a text-mode read would corrupt the ciphertext on Windows
    data = File.binread(ENCRYPTED_PATH)
    dec = OpenSSL::Cipher.new("AES-256-CBC")
    dec.decrypt
    setup_cipher(dec)
    decrypted_data = dec.update(data) + dec.final
    if field == :user
      decrypted_data.split(/\R/)[0]
    elsif field == :pass
      decrypted_data.split(/\R/)[1]
    else
      decrypted_data
    end
  end

  # Replace the plain-text file with the encrypted one.
  def self.encrypt_file
    data = encrypt
    File.open(ENCRYPTED_PATH, "wb") do |f|
      f.write(data)
    end
    FileUtils.chmod(0660, ENCRYPTED_PATH)
    FileUtils.rm_f(PATH)
  end

  # Replace the encrypted file with the plain-text one.
  def self.decrypt_file
    data = decrypt
    File.open(PATH, "wb") do |f|
      f.write(data)
    end
    FileUtils.chmod(0660, PATH)
    FileUtils.rm_f(ENCRYPTED_PATH)
  end
end

if $0 == __FILE__
  case ARGV[0]
  when "encrypt"
    MyCredential.encrypt_file
  when "decrypt"
    MyCredential.decrypt_file
  else
    puts "Unknown command: #{ARGV[0]}"
  end
end
```
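The helper above derives a fixed IV from the key and a constant salt, so the same credential file always encrypts to the same bytes, and it uses unauthenticated CBC, so a modified `.enc` file (or the wrong key) decrypts without any error and the garbage ends up in the database connection string. The following is an added example, not code from fluent-plugin-sql or from the comment above. It keeps the same workflow and the same call shape used in the config (a two-line user/password file, encrypted once at install time, read back from the Fluentd config through embedded Ruby, master key from the environment) but uses AES-256-GCM with a random salt and nonce per encryption and PBKDF2-HMAC-SHA256 for key derivation. The module name `SealedCredential`, the `FLC1` file header layout, the iteration count and the sample credentials are all assumptions of this example.

```ruby
#!/usr/bin/env ruby
# Added example, not code from fluent-plugin-sql or from the comment above.
# Hardened replacement for the MyCredential helper:
#   * AES-256-GCM, so a wrong key or a modified file fails loudly instead of
#     decrypting to garbage (or to a silently altered password) as CBC does;
#   * a random salt and nonce per encryption, stored in the file header, so
#     the same plaintext never yields the same ciphertext;
#   * PBKDF2-HMAC-SHA256 with a high iteration count for key derivation.
# File layout (an assumption of this example):
#   "FLC1" | 16-byte salt | 12-byte nonce | 16-byte GCM tag | ciphertext
require "openssl"
require "securerandom"

module SealedCredential
  MAGIC      = "FLC1".b
  SALT_LEN   = 16
  NONCE_LEN  = 12
  TAG_LEN    = 16
  HEADER_LEN = MAGIC.bytesize + SALT_LEN + NONCE_LEN + TAG_LEN
  ITERATIONS = 600_000 # PBKDF2 rounds; raise as hardware allows

  class Error < StandardError; end

  # Stretch the master passphrase into a 32-byte AES key bound to this salt.
  def self.derive_key(passphrase, salt)
    OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: ITERATIONS,
                             length: 32, hash: "sha256")
  end

  # Encrypt plaintext; returns the binary blob to write to the .enc file.
  def self.seal(plaintext, passphrase)
    raise Error, "nothing to encrypt" if plaintext.empty?
    salt  = SecureRandom.random_bytes(SALT_LEN)
    nonce = SecureRandom.random_bytes(NONCE_LEN)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = derive_key(passphrase, salt)
    cipher.iv  = nonce
    cipher.auth_data = MAGIC          # header is authenticated, not encrypted
    ciphertext = cipher.update(plaintext.b) + cipher.final
    MAGIC + salt + nonce + cipher.auth_tag + ciphertext
  end

  # Decrypt a blob produced by seal; raises Error on tampering or a wrong key.
  def self.unseal(blob, passphrase)
    blob = blob.b
    raise Error, "not a sealed credential file" unless blob.start_with?(MAGIC)
    raise Error, "truncated credential file" if blob.bytesize <= HEADER_LEN
    off   = MAGIC.bytesize
    salt  = blob[off, SALT_LEN];  off += SALT_LEN
    nonce = blob[off, NONCE_LEN]; off += NONCE_LEN
    tag   = blob[off, TAG_LEN];   off += TAG_LEN
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = derive_key(passphrase, salt)
    cipher.iv  = nonce
    cipher.auth_tag  = tag
    cipher.auth_data = MAGIC
    cipher.update(blob[off..]) + cipher.final   # final verifies the tag
  rescue OpenSSL::Cipher::CipherError
    raise Error, "authentication failed: wrong key or the file was modified"
  end

  # Same contract as MyCredential.decrypt(:user / :pass): line 1 is the
  # user, line 2 the password.
  def self.field(plaintext, name)
    lines = plaintext.dup.force_encoding(Encoding::UTF_8).split(/\R/)
    case name
    when :user then lines[0]
    when :pass then lines[1]
    else raise ArgumentError, "unknown field #{name.inspect}"
    end
  end

  # One-shot install step: path -> path.enc, plaintext removed, mode 0600.
  def self.seal_file(path, passphrase)
    File.binwrite("#{path}.enc", seal(File.binread(path), passphrase))
    File.chmod(0600, "#{path}.enc")
    File.delete(path)
  end

  # What the Fluentd config calls; master key from the environment as before:
  #   username "#{require('/etc/fluentd/sealed_credential'); SealedCredential.read_field(:user)}"
  def self.read_field(name,
                      path = ENV.fetch("MY_CREDENTIAL_PATH", "/etc/fluentd/credential.txt") + ".enc",
                      passphrase = ENV.fetch("MY_CREDENTIAL_KEY"))
    field(unseal(File.binread(path), passphrase), name)
  end

  # Flip one bit of the last ciphertext byte and confirm unseal rejects it.
  def self.tamper_detected?(blob, passphrase)
    bad = blob.b
    bad.setbyte(bad.bytesize - 1, bad.getbyte(bad.bytesize - 1) ^ 0x01)
    unseal(bad, passphrase)
    false
  rescue Error
    true
  end
end

# Constructed sample input (assumption): the two-line credential file body.
SAMPLE_CREDENTIAL = "fluentd_writer\nS3cr3t-P@ss\n"
SAMPLE_PASSPHRASE = "master-key-from-env"

if $0 == __FILE__
  blob = SealedCredential.seal(SAMPLE_CREDENTIAL, SAMPLE_PASSPHRASE)
  puts SealedCredential.field(SealedCredential.unseal(blob, SAMPLE_PASSPHRASE), :user)
  puts "tamper detected: #{SealedCredential.tamper_detected?(blob, SAMPLE_PASSPHRASE)}"
end
```

What this buys is integrity and non-determinism of the stored file, not confidentiality against whoever can read the Fluentd process environment: the master key still has to reach the process somehow, which is the point made earlier in the thread. Keep the `.enc` file and the environment (or, on Windows, the service's registry environment) readable only by the account Fluentd runs as.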
@ashie Thanks a lot for taking the effort and providing a solution; that worked for me.
Hello @ashie
username "#{require('C:/opt/td-agent/etc/td-agent/mycredential'); MyCredential.decrypt(:user)}"
I have the above configuration in the .conf file. When I run td-agent from the command prompt it works; however, when I run it as a Windows service it doesn't work. Any idea?
Although I haven't tried it myself, if storing the master key in the registry is acceptable for you, it seems that you can set environment variables for the Fluentd service via the registry.
Hi @ashie I forgot to update: the above issue was resolved. Ruby was expecting the path with forward slashes instead of backslashes. As of now I have kept the key in a static format, and I'm just running the command once, "ruby /etc/fluentd/mycredential.rb encrypt", from PowerShell in our custom build setup. Thanks for the suggestion about storing it in the registry; however, we are providing our custom setup to the customer, where I don't think we can edit permissions. Even if we save it in the registry, how do we get it in either Fluentd or the Ruby .rb file?
Hello @ashie We are going to use the latest version of td-agent & fluentd, so are you planning to add this feature? |
How to encrypt the password? Because of security reasons we can't keep it in a text file.