Davide,

We use the CAS config server (Spring Cloud Config). It has tools to encrypt secrets.
I remember someone on the list had a different solution to what you are asking, but I cannot find it at the moment, nor remember what it was, but I liked it. Some searching in the archives should find it.

Ray

On Thu, 2021-01-21 at 07:54 -0800, Davide Malacrida wrote:

Hello everyone,

Lately we have been working on a locally deployed instance of Apereo CAS, in order to study the product a bit. We have the following doubt regarding how configuration files should be treated when deploying Apereo CAS in a real production environment:

In order to keep configuration files safe from being read and/or manipulated by an external attacker, we have basically encrypted every <key:value> pair with a symmetric key, which is shared with Apereo CAS itself. With this solution Apereo CAS can still access the configuration files when it starts, but if someone manages to get into the VM where the product is installed, he won't be able to do anything with the files because they are encrypted. However, we have decided to take this route just because this particular instance of the product is deployed locally and is used only for learning purposes.

I have read online that sometimes, when deploying in a real production environment, a good practice is to keep the configuration files in an external encrypted DB. The product can then be configured to gather these files from the external DB when it starts. I was wondering, is this considered a best practice when it comes to Apereo CAS (and, most importantly, is this feature supported)? Also, are there any other best practices which you would suggest to use with Apereo CAS when it comes to protecting configuration files in a real production environment?
Thanks for your help,
Davide Malacrida
IAM Functional Analyst

--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0a59fb6e6e2e987b43bcb5cb533dfeb58d08971e.camel%40uvic.ca.
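As an added illustration of the tooling Ray refers to (this is an example written for this page, not taken from the thread or from the CAS project), the fragments below show how a single secret is kept encrypted at rest in a Spring Cloud Config repository that CAS reads at startup. The `encrypt.key` property, the `/encrypt` and `/decrypt` endpoints and the `{cipher}` value prefix are Spring Cloud Config's own mechanism; the file locations, the port, the `casconfigserver` context path, the git repository path and the LDAP property names and values are assumptions chosen for the example.

```properties
# Added example, not part of the original thread or of CAS. Assumed layout:
# a Spring Cloud Config server at http://localhost:8888/casconfigserver
# serving a git repository that holds cas.properties.

# --- 1. config server: application.properties ---
# The symmetric key is read from the environment (ENCRYPT_KEY) so that it is
# never committed next to the ciphertext it protects. An RSA keystore can be
# used instead via encrypt.key-store.location / .password / .alias / .secret.
encrypt.key=${ENCRYPT_KEY}
# Decrypt {cipher} values on the server before they are handed to CAS.
spring.cloud.config.server.encrypt.enabled=true
spring.cloud.config.server.git.uri=file:///opt/cas/config-repo

# --- 2. one-off step, run by an operator against the config server ---
#   curl -s http://localhost:8888/casconfigserver/encrypt -d 'ldap-bind-password'
# The response is the ciphertext as a hex string; that string, prefixed with
# {cipher}, is what gets committed. /decrypt does the reverse, so both
# endpoints must be reachable only by trusted operators.

# --- 3. config-repo/cas.properties (committed to git) ---
cas.authn.ldap[0].ldap-url=ldaps://ldap.example.org
cas.authn.ldap[0].bind-dn=cn=cas,ou=svc,dc=example,dc=org
cas.authn.ldap[0].bind-credential={cipher}<hex output of /encrypt>

# --- 4. CAS side: src/main/resources/bootstrap.properties ---
# Tells CAS to fetch its settings from the config server when it starts and
# to refuse to boot if the server cannot be reached.
spring.cloud.config.enabled=true
spring.cloud.config.uri=http://localhost:8888/casconfigserver
spring.cloud.config.fail-fast=true
```

With this arrangement the git history only ever contains ciphertext, and the plaintext exists in memory on the config server and in CAS. What this buys is separation of the key from the configuration, not unreadability for an attacker who controls the config server: whoever holds the key (or can call `/decrypt`) can recover every value, which is the same caveat that applies to a key shared with CAS on the same VM. The key therefore belongs in the server's environment or a keystore rather than in any committed file, the server should be reachable only over TLS with authentication, and access to `/encrypt` and `/decrypt` should be restricted to operators.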
