On Saturday, October 08, 2011 10:51:26 AM, Sean Dague wrote:
> On 10/08/2011 09:59 AM, Kristoffer Walker wrote:
> > Anyone know of a Unix-y kind of file encryption tool that will allow
> > me to encrypt, store, and un-encrypt/read back a file? Preferably, it
> > would be great if I could stream the un-encrypted data from the
> > encrypted file into another program running in memory rather than
> > write it to disk in an intermediary step.
> > 
> > My use case is to store DB admin credentials on remote web servers,
> > without writing them into application source code, storing them in the
> > database, or writing them in config files. I could stream credentials
> > to remote servers through an SSH session, but multiple admins need to
> > have this capability, and I don't want to hand out secret credentials
> > to a dozen people who need the capability to re-deploy or re-start the
> > remote applications which need these secret credentials. If all
> > credentials were stored in a remote file, we could just have 2 or 3
> > people from our inner circle of trust who would keep the key to that
> > file, and make sure they are never on the same airplane together :-)
> > 
> > For example, locally, on the GUI I really like KeePassX for this
> > purpose. I've also looked into EncFS which mounts an encrypted volume,
> > but that seems heavy handed, and I'm always afraid of leaving the
> > encrypted volume mounted if my deployment script fails before
> > un-mounting it.
> 
> I think you could probably get what you are asking for out of gpg on the
> command line.

Hmm ... yes, sort of, except this would mean the credentials would be 
encrypted for several GPG keys, and this becomes messy if people are added or 
leave.

> But any time I hear about shared secrets on remote machines, I get
> twitchy, because shared secrets always get spread further than you
> expect, and one breach, breaches all. Is there not a way to just bless
> those user accounts with more privs? sudo can be quite granular,
> including forcing only certain parameters to be used on certain
> commands. Then if you have to oust someone, it's just about revoking
> their account, vs. having to change the master password and securely get
> it to everyone in the new ingroup.

Using sudo sounds cleaner, as it allows for granularity, but this also won't 
do the trick, like if you need to enter in an SSL password to restart the web 
server, or the database password, etc -- and I think that's more about what 
the question is about trying to handle.

The way I've personally seen this done is a physical "password book", but then 
you end up having to chase down who currently has the password book, and if 
there's only one and it gets lost, that's trouble.

It sounds like what you really want is some kind of "multiuser hierarchical 
password retrieval system", where each admin has their own access password 
which will allow them limited access to the system passwords they've 
currently been granted.  I think I know WHAT you want, but in a quick search 
I'm not able to find a software package that does this.  Part of why that 
might be is that in the quick search I did, what came up were patents on the 
idea :-/ (which for obvious reasons I didn't read).  But other than that, my 
first thought is that this sounds like something you could theoretically build 
on a separate protected relational database that had encrypted data for each 
user that was decrypted using the user's password.  However this also sounds 
like it could be a bit of an administration headache for both the management 
of it as well as for the user, unless there was also some kind of convenient 
UI (whether text-based or GUI) for the front-end as well, which would need to 
be internally network accessible.

  -- Chris

--
Chris Knadle
[email protected]
_______________________________________________
Mid-Hudson Valley Linux Users Group                  http://mhvlug.org
http://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug

Upcoming Meetings (6pm - 8pm)                         MHVLS Auditorium
  Oct 5 - Distributed & Centralized Authentication Systems
  Nov 2 - POV-Ray and The Relativity Train
  Dec 7 - Chef
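An added example, not code from anyone on the list: a sketch of the "one access password per admin" store Chris describes, done with envelope encryption rather than a separate encrypted copy of the data per user. The credentials are encrypted once under a random data key; each admin holds that data key wrapped under a key derived from their own password, so enrolling someone adds one wrapped copy and revoking someone deletes the copy and rotates the data key. It also covers the streaming point from the original question (decrypted bytes go to a child process over stdin, never to disk) and makes concrete why membership changes are the painful part. The admin names and passwords are constructed, the credentials string is constructed sample data, and because the standard library has no AEAD the `_seal`/`_open` pair is a stand-in HMAC-SHA256 counter-mode cipher with an HMAC tag; a real deployment would substitute AES-GCM from the `cryptography` package without changing the store layout.

```python
"""Shared-credential store with one unlock password per admin (added example).

A random data key encrypts the credentials blob once; each admin holds a copy
of that key wrapped under a scrypt-derived key from their own password.
_seal/_open: HMAC-SHA256 counter-mode keystream + HMAC-SHA256 tag
(encrypt-then-MAC), standing in for an AEAD such as AES-GCM.
"""
import hashlib
import hmac
import secrets
import subprocess
from typing import Dict, List

NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32


def _derive(password: str, salt: bytes) -> bytes:
    """Password -> 32-byte wrapping key. Demo scrypt cost; raise n for production."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Concatenate HMAC-SHA256(key, nonce || counter) blocks up to `length` bytes."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the one caller-supplied key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def _open(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; wrong key or tampering -> ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _enroll(store: dict, data_key: bytes, name: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    store["admins"][name] = {"salt": salt.hex(),
                             "wrapped_key": _seal(_derive(password, salt), data_key).hex()}


def _unwrap(store: dict, name: str, password: str) -> bytes:
    entry = store["admins"][name]  # KeyError: not (or no longer) an enrolled admin
    return _open(_derive(password, bytes.fromhex(entry["salt"])), bytes.fromhex(entry["wrapped_key"]))


def create_store(credentials: bytes, admins: Dict[str, str]) -> dict:
    """Encrypt the credentials once and wrap the data key for every initial admin."""
    data_key = secrets.token_bytes(KEY_LEN)
    store = {"credentials": _seal(data_key, credentials).hex(), "admins": {}}
    for name, password in admins.items():
        _enroll(store, data_key, name, password)
    return store


def read_credentials(store: dict, name: str, password: str) -> bytes:
    return _open(_unwrap(store, name, password), bytes.fromhex(store["credentials"]))


def add_admin(store: dict, sponsor: str, sponsor_pw: str, new_name: str, new_pw: str) -> None:
    """An existing admin unwraps the data key and wraps it for the newcomer; no re-encryption."""
    _enroll(store, _unwrap(store, sponsor, sponsor_pw), new_name, new_pw)


def revoke_admin(store: dict, revoked: str, remaining: Dict[str, str]) -> None:
    """Drop `revoked` and rotate the data key so a copy they may have cached is useless.

    Wrapping keys are password-derived, so every remaining admin has to be present to
    re-wrap; per-admin public keys (what gpg recipients give you) would let one person do it.
    """
    first, first_pw = next(iter(remaining.items()))
    plaintext = read_credentials(store, first, first_pw)
    new_key = secrets.token_bytes(KEY_LEN)
    store["credentials"] = _seal(new_key, plaintext).hex()
    store["admins"] = {}
    for name, password in remaining.items():
        if name != revoked:
            _enroll(store, new_key, name, password)


def pipe_credentials_to(store: dict, name: str, password: str, argv: List[str]) -> bytes:
    """Feed the decrypted credentials to a child process over stdin; nothing is written to disk."""
    secret = read_credentials(store, name, password)
    return subprocess.run(argv, input=secret, stdout=subprocess.PIPE, check=True).stdout


def unlock_ok(store: dict, name: str, password: str) -> bool:
    try:
        read_credentials(store, name, password)
        return True
    except (KeyError, ValueError):
        return False


if __name__ == "__main__":
    creds = b"DB_ADMIN_PASSWORD=constructed-example-secret\n"  # constructed sample data
    store = create_store(creds, {"alice": "alice-pw", "bob": "bob-pw"})
    add_admin(store, "alice", "alice-pw", "carol", "carol-pw")
    revoke_admin(store, "bob", {"alice": "alice-pw", "carol": "carol-pw"})
    print(pipe_credentials_to(store, "carol", "carol-pw", ["cat"]).decode(), end="")
```

The `revoke_admin` docstring is the point Chris's "messy if people are added or leave" remark is getting at: deleting a wrapped copy is trivial, but a departing admin may already hold the data key, so a real revocation is a rotation, and with password-derived wrapping keys that drags every remaining admin in. Public-key wrapping (gpg's multiple recipients, as Sean suggested) removes that constraint, at the cost of a key per admin.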
