Funny this would end up on a discussion on Rails. We have clients on other products asking to encrypt the passwords and encrypt this and that (funny also they are gov. bodies too).
The explanation about securing the server and restricting access to the file did not resolve the question. What did resolve the question was:

- encrypting the information with the private portion of a PPK (public/private key).
- using a smartcard installed on the server with the public portion of the PPK.

This approach does not resolve physical access to the computer, but it does limit the accessibility of the data. It does not resolve the following:

1. the party takes control of the machine where the smartcard is connected (if you can control the machine it is very likely you can access the information on the smartcard).
2. your facility is invaded and the smartcard is stolen.

--------

Personally I think there is way too much attention given to encryption as a means to secure stored information... you always need to provide a means to retrieve it, which makes it insecure if that means is compromised. My personal preference on that level is to:

1. ensure it is visible only to users who should see it (can be done with file/network security... no need for encryption there).
2. ensure that the file is accessed only by processes/users who are authorized to view that information (can be done with monitoring tools to trigger an alert.... if your machine or file has been compromised you have bigger problems than a single password in a file).
3. frequently change the credential information (this will reduce the value of the information if it is compromised).
4. monitor the services (i.e. database, web, file system, connections) and look for suspicious activity.

Lastly, it is important to keep in mind that security is a question of layers... the more you have, the better chances you have of not being compromised...

Jean-Marc
http://m2i3.com
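The public-key approach Jean-Marc outlines, together with his first point about file permissions, as an added Ruby example that is not part of the original message. It assumes the conventional direction (encrypt with the public key, decrypt with the private key that would sit on the smartcard; here an in-memory RSA key stands in for it), a hybrid RSA-OAEP plus AES-256-GCM layout, and function and file names of my own choosing.

```ruby
require "openssl"
require "yaml"
require "base64"
require "tempfile"

# Hybrid scheme: a fresh AES-256-GCM key encrypts the credentials and only that
# key is wrapped with the RSA public key, so the private half (on the smartcard
# in the post's setup) is needed to read the file. Layout is an assumption.
def encrypt_credentials(public_key, plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  key = cipher.random_key
  iv = cipher.random_iv
  data = cipher.update(plaintext) + cipher.final
  wrapped = public_key.public_encrypt(key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  { "wrapped_key" => wrapped, "iv" => iv, "tag" => cipher.auth_tag, "data" => data }
    .transform_values { |v| Base64.strict_encode64(v) }
end

def decrypt_credentials(private_key, blob)
  b = blob.transform_values { |v| Base64.strict_decode64(v) }
  key = private_key.private_decrypt(b["wrapped_key"], OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  decipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  decipher.key = key
  decipher.iv = b["iv"]
  decipher.auth_tag = b["tag"]
  # GCM tag check: raises OpenSSL::Cipher::CipherError if the file was tampered with
  (decipher.update(b["data"]) + decipher.final).force_encoding(Encoding::UTF_8)
end

# Layer 1 from the post: the credentials file must not be readable by other users.
def readable_by_others?(path)
  (File.stat(path).mode & 0o044) != 0
end

# Write the encrypted file with tight permissions (owner read/write only).
def save_encrypted(path, public_key, plaintext)
  File.write(path, YAML.dump(encrypt_credentials(public_key, plaintext)))
  File.chmod(0o600, path)
end

# Refuse to use the file at all if someone has loosened its permissions.
def load_encrypted(path, private_key)
  raise "#{path} is readable by other users; fix permissions first" if readable_by_others?(path)
  decrypt_credentials(private_key, YAML.safe_load(File.read(path)))
end
```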

