On Tue, Apr 23, 2019 at 09:56:48AM -0700, Ramón Cordeiro wrote:
> How can I hide the credentials inside dspace.cfg? These data are in plain
> text and I worry about hacker attack.
>
> Is there a way to encrypt or hide these data while at the same time DSpace
> works without problems?

No. This is a general problem, not restricted to DSpace. If the credentials in the DSpace configuration were encrypted, DSpace could not start without the decryption key, which would have to be stored on the system in plain text.

No closed system can be fully protected by secrets. It must hold at least one unprotected secret or it cannot fully start. That one unprotected secret could be used by an intruder to get the other secrets.

The only way around this that I know of is to open the system: require an operator to provide the key at startup. How to do that would be very dependent on the local operating environment and policies.

Here we use normal filesystem permissions to restrict access to the DSpace configuration from console users; use the DBMS' access controls to limit which remote hosts can connect to the database; and do not expose remote console access on a public address.

--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
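
The filesystem-permission restriction described in the reply above, as an added example that is not part of the original message or of DSpace: a POSIX shell check that flags a credentials file other local users could read or replace. The function names and finding labels are made up for this example, and the path to check is supplied by the caller.

```shell
#!/bin/sh
# Added example: audit permissions on a config file that holds credentials.
# Function names and finding labels are hypothetical, chosen for this example.

# has_perm PATH MODE: succeeds if every bit in MODE is set on PATH.
# Uses find(1) so it works without GNU/BSD-specific stat(1) flags.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_secret_file FILE [EXPECTED_OWNER]
# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 if missing.
audit_secret_file() {
    f=$1
    owner=$2
    findings=0
    if [ ! -f "$f" ]; then
        echo "MISSING $f"
        return 2
    fi
    # Any local account can read the stored passwords.
    if has_perm "$f" 004; then echo "WORLD-READABLE $f"; findings=1; fi
    # Any local account, or any member of the group, can alter the settings.
    if has_perm "$f" 002; then echo "WORLD-WRITABLE $f"; findings=1; fi
    if has_perm "$f" 020; then echo "GROUP-WRITABLE $f"; findings=1; fi
    # Optional: the file should belong to the service account that reads it.
    if [ -n "$owner" ] && [ -z "$(find "$f" -prune -user "$owner" 2>/dev/null)" ]; then
        echo "UNEXPECTED-OWNER $f"
        findings=1
    fi
    # A world-writable directory without the sticky bit lets another user
    # rename the file away and drop a substitute in its place.
    d=$(dirname "$f")
    if has_perm "$d" 002 && ! has_perm "$d" 1000; then
        echo "WORLD-WRITABLE-DIR $d"
        findings=1
    fi
    return $findings
}

# Stand-alone use: sh audit.sh /path/to/dspace.cfg [owner]
if [ "$#" -gt 0 ]; then
    audit_secret_file "$@"
fi
```

A clean result only covers local file access; it says nothing about the database's own host restrictions or remote console exposure, which the reply lists as separate controls.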
