Interesting suggestions, I'll see if I can find the solution you mentioned.

Thank you, Ray.

*Davide Malacrida*

On Thursday, 21 January 2021 at 19:48:12 UTC+1, Ray Bon wrote:

> Davide,
>
> We use the cas config server (spring cloud config). It has tools to
> encrypt secrets.
>
> I remember someone on the list had a different solution to what you are
> asking but I can not find it at the moment nor remember what it was, but I
> liked it.
>
> Some searching in the archives should find it.
>
> Ray
>
> On Thu, 2021-01-21 at 07:54 -0800, Davide Malacrida wrote:
>
> > Hello everyone,
> >
> > Lately we have been working on a locally deployed instance of Apereo CAS,
> > in order to study the product a bit. We have the following doubt regarding
> > how configuration files should be treated when deploying Apereo CAS in a
> > real production environment:
> >
> > In order to keep configuration files safe from being read and/or
> > manipulated by an external attacker, we have basically encrypted every
> > <key:value> pair with a symmetric key, which is shared with Apereo CAS
> > itself. With this solution Apereo CAS can still access the configuration
> > files when it starts, but if someone manages to get into the VM where the
> > product is installed, he won't be able to do anything with the files
> > because they are encrypted.
> >
> > However, we have decided to take this route just because this particular
> > instance of the product is deployed locally and is used only for learning
> > purposes. I have read online that sometimes when deploying in a real
> > production environment, a good practice is to keep the configuration files
> > in an external encrypted DB. The product can then be configured to gather
> > these files from the external DB when it starts. I was wondering, is this
> > considered a best practice when it comes to Apereo CAS (and, most
> > importantly, is this feature supported)?
> >
> > Also, are there any other best practices which you would suggest to use
> > with Apereo CAS when it comes to protecting configuration files in a real
> > production environment?
> >
> > Thanks for your help,
> >
> > *Davide Malacrida*
> >
> > IAM Functional Analyst
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
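As an added illustration of the config-server approach Ray mentions (not taken from the thread and not the CAS project's own files): the symmetric key stays on the Spring Cloud Config server, so the CAS host only ever stores `{cipher}` values and the key does not sit next to the service the way it does in the per-key scheme Davide describes. Hostnames, the LDAP DN and the secret are assumptions; the ciphertext is a placeholder to be replaced with the real `/encrypt` output.

```yaml
# --- Config server: application.yml (assumed hostname config.example.org) ---
# The symmetric key is supplied through the ENCRYPT_KEY environment
# variable rather than written into a file on disk.
encrypt:
  key: ${ENCRYPT_KEY}
server:
  port: 8888
# The server decrypts {cipher} values before serving them (the default,
# spring.cloud.config.server.encrypt.enabled=true), so the link to CAS
# must be TLS-protected and authenticated: plaintext crosses it.

# Produce the ciphertext once, from an administrator workstation:
#   curl -s -X POST https://config.example.org:8888/encrypt \
#        -d 'ldap-bind-secret-ASSUMED'
#   -> prints a hex string; store it with the {cipher} prefix below.

---
# --- CAS properties served by the config server: cas.yml ---
# Weak form this replaces (readable by anyone who reaches the VM):
#   bind-credential: 'ldap-bind-secret-ASSUMED'
cas:
  authn:
    ldap:
      - ldap-url: ldaps://ldap.example.org
        bind-dn: cn=cas,ou=services,dc=example,dc=org
        # Only the ciphertext is stored; the config server replaces it
        # with the plaintext at fetch time using ENCRYPT_KEY.
        bind-credential: '{cipher}PLACEHOLDER_HEX_FROM_ENCRYPT_ENDPOINT'
```

Restrict the `/encrypt` and `/decrypt` endpoints to administrators, since anyone who can call `/decrypt` recovers every stored secret.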
