Re: [Pharo-users] Encoding Login information in your image (safely)

2017-08-18 Thread Pierce Ng
On Wed, Aug 16, 2017 at 02:24:15PM -0300, Esteban A. Maringolo wrote:
> My solution in the cases where I was worried about a config file leak
> was to mitigate the risk, by using symmetric encryption algorithms,
> where the shared secret is split in two different strings and
> concatenated at

Re: [Pharo-users] Encoding Login information in your image (safely)

2017-08-17 Thread Dimitris Chloupis
I am clueless when it comes to encryption and safety, so as you would expect I will offer my opinion on this. I do not think that encryption from the side of Pharo would be a good idea because having the image you have access to everything. Including any kind of context even if it's not stored in a

Re: [Pharo-users] Encoding Login information in your image (safely)

2017-08-16 Thread Tim Mackinnon
Todd, I think you are right, I can't get around it - I need to pass something from my live environment (where it's kept encrypted) into my image. I can however potentially simplify the setup by passing a single key that I can use to unlock a PasswordVault in my image and it can have multiple

Re: [Pharo-users] Encoding Login information in your image (safely)

2017-08-16 Thread Todd Blanchard
I do a lot of deployments on AWS elastic beanstalks. I put the credentials into environment variables on the beanstalk. When running locally, the credentials are in the environment on my machine.
> On Aug 16, 2017, at 9:55 AM, Tim Mackinnon wrote:
>
> Hi - I’m struggling to

Re: [Pharo-users] Encoding Login information in your image (safely)

2017-08-16 Thread Richard Sargent
Apologies for top quoting; there isn't any single place which seemed appropriate. A colleague of mine who worked for a Swiss bank (they take security seriously) addressed this by NOT keeping the credentials in the image.
1. Set up a distinct user intended solely for running the application.
2.

Re: [Pharo-users] Encoding Login information in your image (safely)

2017-08-16 Thread Esteban A. Maringolo
2017-08-16 13:55 GMT-03:00 Tim Mackinnon :
> ./pharo Pharo.image eval "(ByteString allInstances)"
>
> I think you would ultimately find those strings unless the Class encrypts
> them in some way right?
>
> So I’m wondering why we don’t have an EncryptedString object for just this

[Pharo-users] Encoding Login information in your image (safely)

2017-08-16 Thread Tim Mackinnon
Hi - I’m struggling to find something that I saw that discussed this issue kind of. In my image (it's actually a headless one - but this could apply to a fat image too) - I build an application that needs access to a service (in this case an S3 bucket). The AWS library I’m using (but others