On Wed, May 21, 2025 at 03:02:58PM +0300, Peter Pentchev <r...@ringlet.net> wrote:
> On Tue, May 20, 2025 at 10:10:06PM -0700, ToddAndMargo via perl6-users wrote:
> > > > *From:* ToddAndMargo via perl6-users <perl6-us...@perl.org>
> > > > *Sent:* Tuesday, May 20, 2025 5:29 AM
> > > > *To:* perl6-users <perl6-us...@perl.org>
> > > > *Subject:* how do I hide a variable from viewing
> > > >
> > > > Hi All,
> > > >
> > > > Fedora 41 (Linux)
> > > >
> > > > Since my *.raku can be publicly read, how do I obscure
> > > > the contents of a variable so others cannot read it?
> > > >
> > > > Currently what I have been doing is setting the file's
> > > > ownership to root:root and the attributes to 700 so
> > > > only root can see it.
> > > >
> > > > It would be nice to obscure a variable inside the
> > > > program though.
> >
> > On 5/20/25 4:44 AM, Mark Devine wrote:
> > > Todd,
> > >
> > > I got tired of having clear-text passwords and other sensitive strings
> > > in my raku scripts, so I wrote KHPH for myself for use on Linux/UNIX,
> > > then published it. The idea catches criticism because it isn't
> > > encryption, but rather just a little obfuscation. Sometimes a little
> > > obfuscation is warranted, imo.
> > >
> > > It takes a string, then mangles it into an unrecognizable scrambled
> > > form, stashes it in a file, then can be recalled/unscrambled later.
> > >
> > > https://github.com/markldevine/raku-KHPH
> > > markldevine/raku-KHPH: Keep Honest People Honest - String Obfuscation, Storage, & Retrieval
> > >
> > > Maybe you'll find it useful, but maybe only on Linux/UNIX.
> > >
> > > use KHPH; KHPH.new(:stash-path('/tmp/.myapp/password.khph')).expose.print;
> > >
> > > *
> > > or -
> > >
> > > use KHPH;
> > > my $password = KHPH.new(:stash-path($*HOME ~ '/.rakucache/myapp/password.khph'));
> > > # $password.expose will unscramble the string, so you can substitute it
> > > # where you need to
> >
> > Hi Mark,
> >
> > I have written something similar. Without the seed and
> > the start point, it is (although never say never)
> > impossible to decrypt it.
> >
> > My issue is, unlike a fully compiled code, if a bad guy
> > has access to my Raku code, which is necessary to run
> > the program, he also has access to the seed and
> > the start point, plus the encryption and decryption
> > module.
> >
> > I was thinking maybe there is a way to only present the
> > binary of my code, like a fully compiled code? Or maybe
> > some way to obscure something inside my Raku code?
> >
> > Thank you for the help!
>
> The usual way to do this is to make the program read a configuration
> file that contains any credentials necessary. Lately I've been
> a big fan of the TOML format for config files, mostly because
> the "standard" INI-style files are not standard at all, not even
> under different versions of the same operating system :)
>
> But the general idea is:
> - the program, on startup, looks for a configuration file in
>   a place where such things are kept (this part is OS-dependent, but
>   there are ways to do it more or less platform-independently;
>   I think for Raku the XDG::BaseDirectory module would help)
> - the program reads the config file and exits if it doesn't contain
>   the necessary credentials (username, password, URLs, whatever)
> - now it is the user's and the system administrator's responsibility
>   (as it should be) to protect that config file as much as it is
>   appropriate for that specific machine/installation
>
> Hope that helps!
>
> G'luck,
> Peter
>
> --
> Peter Pentchev r...@ringlet.net r...@debian.org pe...@morpheusly.com
> PGP key: https://www.ringlet.net/roam/roam.key.asc
> Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

For sensitive information, consider using something like Hashicorp's
vault, or clevis (https://github.com/latchset/clevis), which both store
secrets on another host, or pass (https://www.passwordstore.org), which
is for storing passwords locally in separate gnupg-encrypted files.

cheers,
raf