Re: how to securely store parameters in config files
A common strategy in this sort of scenario is to have a config file containing the real keys installed in some shared location on your production servers. Then, you can generate Travis-specific keys that you check into your repo. The idea is that if you ever fear the keys you use with Travis have leaked, you can quickly revoke them without any effect on your production machines.

- Josh

--
Joshua Ballanco
ELC Technologies™

On Friday, September 28, 2012 at 2:33 PM, Murtaza Husain wrote:

> Hi,
>
> I am using a config file to store passwords / keys for DB and connection to other services like AWS. I am using Travis CI for build, and running my tests, and then deploying it to live server.
>
> I would like to encrypt the variables in my config file and only the application should be able to read it.
>
> This is the criteria -
>
> 1) The application should be able to decrypt it in multiple environments, from the build server to multiple deployment servers.
> 2) The password used to decrypt the config file is not available to the developers.
>
> Also are there any Leiningen plugins / features that will aid in this?
>
> Thanks,
> Murtaza
Re: how to securely store parameters in config files
On Friday, 28 September 2012 17:03:14 UTC+5:30, Murtaza Husain wrote:

> Hi,
>
> I am using a config file to store passwords / keys for DB and connection to other services like AWS. I am using Travis CI for build, and running my tests, and then deploying it to live server.
>
> I would like to encrypt the variables in my config file and only the application should be able to read it.
>
> This is the criteria -
>
> 1) The application should be able to decrypt it in multiple environments, from the build server to multiple deployment servers.
> 2) The password used to decrypt the config file is not available to the developers.

Possibly a combination of techniques can help:

1. Maintain config as a map of profiles to corresponding env attributes in a .clj file. The sensitive attributes can be stored encrypted using the public key of the profile owner.
2. The current profile can be decided using a well-known system environment variable, e.g. APP_ENV.
3. Have an app initializer (bootstrap.clj file) that initializes the app once at startup. The initialized env can be set using alter-var-root by the initializer.
4. The initializer should know in advance which keys are encrypted, and should decrypt them for only the relevant profile using the system user's private key.

http://www.devco.net/archives/2006/02/13/public_-_private_key_encryption_using_openssl.php
http://www.javamex.com/tutorials/cryptography/rsa_encryption_2.shtml (see the rsaEncrypt method; you can write a rsaDecrypt method similarly)

Hope this helps.

Shantanu
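The four steps in the reply above, as an added example that is not part of the original post or the linked tutorials. The namespace, the attribute names, the sample values and the in-process demo key pair are assumptions made so the example runs offline; OAEP padding is this example's choice.

```clojure
(ns example.bootstrap
  (:import (java.security KeyPairGenerator PrivateKey PublicKey)
           (java.util Base64)
           (javax.crypto Cipher)))

;; OAEP is this example's choice. RSA only fits short values such as passwords.
(def ^:private transformation "RSA/ECB/OAEPWithSHA-256AndMGF1Padding")

(defn encrypt-value
  "Base64 ciphertext of a short secret, ready to paste into the config map."
  [^PublicKey public-key ^String plaintext]
  (let [cipher (doto (Cipher/getInstance transformation)
                 (.init Cipher/ENCRYPT_MODE public-key))]
    (.encodeToString (Base64/getEncoder)
                     (.doFinal cipher (.getBytes plaintext "UTF-8")))))

(defn decrypt-value
  [^PrivateKey private-key ^String ciphertext]
  (let [cipher (doto (Cipher/getInstance transformation)
                 (.init Cipher/DECRYPT_MODE private-key))]
    (String. (.doFinal cipher (.decode (Base64/getDecoder) ciphertext)) "UTF-8")))

;; Constructed for the demo: a throwaway key pair generated in-process. In the
;; scheme above the private key is readable only by the app's system user.
(def demo-keys
  (.generateKeyPair (doto (KeyPairGenerator/getInstance "RSA") (.initialize 2048))))

;; Step 1: profiles -> attributes, sensitive values stored encrypted (constructed values).
(def config
  {:dev  {:db-url      "jdbc:postgresql://localhost/app_dev"
          :db-password (encrypt-value (.getPublic demo-keys) "dev-secret")}
   :prod {:db-url      "jdbc:postgresql://db.example.internal/app"
          :db-password "<ciphertext made with the prod owner's public key>"}})

;; Step 4: the initializer knows in advance which attributes are encrypted.
(def encrypted-keys #{:db-password})
(def env nil) ; Step 3: set once at startup by init!

(defn init!
  "Decrypts only the selected profile's secrets and publishes the result as env."
  [profile ^PrivateKey private-key]
  (let [attrs  (or (config profile) (throw (ex-info "Unknown profile" {:profile profile})))
        secret (filter #(contains? attrs %) encrypted-keys)
        plain  (reduce #(update %1 %2 (partial decrypt-value private-key)) attrs secret)]
    (alter-var-root #'env (constantly plain))))

;; Step 2: APP_ENV picks the profile; unset means :dev here so the demo runs.
(init! (keyword (or (System/getenv "APP_ENV") "dev")) (.getPrivate demo-keys))
(println (:db-password env)) ; the :prod ciphertext is never touched
```

The repository then holds only ciphertext, but anyone who can read the private key file on a host can still recover that profile's secrets, so the file permissions on that key carry the whole scheme.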
how to securely store parameters in config files
Hi,

I am using a config file to store passwords / keys for DB and connection to other services like AWS. I am using Travis CI for build, and running my tests, and then deploying it to live server.

I would like to encrypt the variables in my config file and only the application should be able to read it.

This is the criteria -

1) The application should be able to decrypt it in multiple environments, from the build server to multiple deployment servers.
2) The password used to decrypt the config file is not available to the developers.

Also are there any Leiningen plugins / features that will aid in this?

Thanks,
Murtaza
Re: how to securely store parameters in config files
If you use a password to encrypt your config, you will need config2 for the password, and of course you do not want people to have access to config2, so you should encrypt that, and put the password in config3, and ...

I recommend using lein test selectors to split out tests that hit external services into a different class of tests: tests that don't require the credentials can be loaded and run by anyone, tests that do require a config file that is not checked in.

On Fri, Sep 28, 2012 at 4:33 AM, Murtaza Husain murtaza.hus...@sevenolives.com wrote:

> Hi,
>
> I am using a config file to store passwords / keys for DB and connection to other services like AWS. I am using Travis CI for build, and running my tests, and then deploying it to live server.
>
> I would like to encrypt the variables in my config file and only the application should be able to read it.
>
> This is the criteria -
>
> 1) The application should be able to decrypt it in multiple environments, from the build server to multiple deployment servers.
> 2) The password used to decrypt the config file is not available to the developers.
>
> Also are there any Leiningen plugins / features that will aid in this?
>
> Thanks,
> Murtaza

--
And what is good, Phaedrus,
And what is not good—
Need we ask anyone to tell us these things?
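The test split recommended in the reply above, sketched with Leiningen test selectors as an added example that is not part of the original thread. The namespace, the APP_TEST_CONFIG variable, the config/integration.edn path and the test names are hypothetical.

```clojure
;; project.clj (fragment): `lein test` runs only tests without :integration
;; metadata; `lein test :integration` runs the ones that need real credentials.
;;
;;   :test-selectors {:default     (complement :integration)
;;                    :integration :integration}

(ns example.storage-test
  (:require [clojure.edn :as edn]
            [clojure.java.io :as io]
            [clojure.test :refer [deftest is]]))

(defn bucket-of [uri] (second (re-find #"^s3://([^/]+)/" uri)))

;; Credentials live in a file that is never committed. The delay means the file
;; is read only when an integration test dereferences it, so a checkout without
;; the file can still load this namespace and run the default selector.
(def creds
  (delay
    (let [f (io/file (or (System/getenv "APP_TEST_CONFIG") "config/integration.edn"))]
      (when-not (.exists f)
        (throw (ex-info "Integration config missing (it is not checked in)"
                        {:path (str f)})))
      (edn/read-string (slurp f)))))

;; No credentials needed: runs for anyone, including a CI job without secrets.
(deftest parses-bucket-name
  (is (= "reports" (bucket-of "s3://reports/2012/09.csv"))))

;; Needs the private config: selected only by `lein test :integration`.
(deftest ^:integration credentials-are-present
  (is (string? (:aws-access-key @creds))))
```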