
I am writing a Python script which does some database operations. I have kept the database credentials in a config file and am reading them via RawConfigParser in Python. So, for securing the database password, is there any way I can encrypt just the database password value in the config file and decrypt it after reading it via ConfigParser? I saw that using PyCrypto I can encrypt the entire file, but I want to encrypt just the password, because the other fields are subject to future changes.

ab_
  • It's not clear to me what your threat model is. Does the user of this script have access to this database? If so, can they simply use their own credentials? If not, what steps are you taking to ensure that they don't make use of this script to acquire privileges that they have not been granted? – Jon Kiparsky Apr 21 '16 at 05:50
  • @JonKiparsky The idea is that if someone gets access to my properties file, he/she should not be able to get the DB credentials. So if I can encrypt those fields with a binary key, or a key which I can pass as an environment variable while executing the code, I think I should be good. Something similar to Jasypt in Java. – ab_ Apr 21 '16 at 06:46

1 Answer


I get this question a lot when doing security consulting. There is no single best practice; it's all about managing the risk.

Storing credentials in a user config file (e.g. ~/.secret or ~/.config) is a common practice. You can set the file permissions to 0600 so that no other user (except superusers) can read it.

Or you can pass the credentials in the environment. This works best if you do it from a remote connection (SSH), but you have to manually log in and pass the variables every time you restart the application.

Also, make sure the database user has very limited privileges.

Jim Geovedi
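As an added example (not code from the question or the answer), here is how the answer's two suggestions look in Python: the loader reads the `[database]` section with RawConfigParser, refuses the file unless it is owned by the caller and has 0600-style permissions, and lets an environment variable override the password stored in the file. It assumes a POSIX system; the variable name `DB_PASSWORD`, the section name and the key names are assumptions.

```python
import configparser
import os
import stat
import tempfile


class InsecureConfigError(Exception):
    """Raised when the credential file is readable by other users."""


def check_file_mode(path):
    """Fail unless the file is owned by us and has no group/other bits (0600)."""
    st = os.stat(path)
    if st.st_uid != os.getuid():
        raise InsecureConfigError(f"{path} is not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecureConfigError(f"{path} is group/other accessible; chmod 0600 it")


def load_db_credentials(path, env=os.environ, env_var="DB_PASSWORD", section="database"):
    """Return (user, password); password comes from env_var if set, else the file."""
    check_file_mode(path)
    parser = configparser.RawConfigParser()
    with open(path) as f:
        parser.read_file(f)
    user = parser.get(section, "user")
    password = env.get(env_var)  # environment wins over the file, as the answer suggests
    if password is None:
        if not parser.has_option(section, "password"):
            raise KeyError(f"{env_var} not set and no password in {path}")
        password = parser.get(section, "password")
    return user, password


def write_config(text, mode=0o600):
    """Write a config file to a fresh temp path with the given mode (demo helper)."""
    fd, path = tempfile.mkstemp(suffix=".ini")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Constructed sample config; "placeholder" stands in for a real password.
    path = write_config("[database]\nhost = localhost\nuser = app\npassword = placeholder\n")
    print(load_db_credentials(path))
    os.remove(path)
```

Running it with the file set to 0644 instead of 0600 raises InsecureConfigError before the password is ever read.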