
I need to store credentials for my app. I've read it's a very bad practice to store them with code.

I know DPAPI is made just for this, but how do I use it on Linux, like Ubuntu? So, if I could make DPAPI work on Linux without spending a whole day on it, it would be my first choice.

Then it's poor man's security - a file on target machine. So - not with the source ;) The file is in a directory only the admin can access, so it's as secure as the host itself. I can also have the file on my Windows development machine, it's as secure as my machine.

Tell me why the file is bad? ;)

Harry
  • Whose credentials are you storing? The user's? Why not store them in ~/.yourapp? The user has entered them, so they know what they are. Something that requires access to a server? Again, if they are user creds, then ~/. If they are server creds, then who is typing them in? Does your code require contact with a server? Then don't store the creds, store a token (with a timeout) that the server has given the client (based on their creds). – Neil Mar 05 '21 at 16:50
  • Both. Users and system. My service needs to access the DB, then it has to store the users' credentials they use for external services. I will store them encrypted in my DB, but again, I need the encryption key stored too. Both on my development machine and on the target server. There's a deadline to just start the service, then it can be developed more properly, so I am looking for a quick way for now, yet not a total security horror. – Harry Mar 05 '21 at 17:08
  • Who are you protecting it against? The users or the FBI? Users probably don't care and FBI is probably not worth it. – Neil Mar 06 '21 at 09:45

1 Answer


I need to store credentials for my app.

Mmmhmmm.

I've read it's a very bad practice to store them with code.

Not "with code", but in code: i.e. as string literals baked into your executable.

I know, DPAPI is just made for it

Yup.

but how to use it on Linux like Ubuntu?

With difficulty.

So - if I could make DPAPI work on Linux without spending whole day on it - it would be my first choice.

You can't. DPAPI is a Windows thang.

Then it's poor man's security - a file on target machine. So - not with the source

At least on Linux you can take advantage of the far simpler filesystem security model to secure files from access by other users without too much effort (i.e. chmod), compared to Windows where you need to faff around with DACLs (caveat: DACLs are still objectively far, far superior to chmod; consider using SELinux to get DACLs outside of Windows).

The file is in a directory only the admin can access, so it's as secure as the host itself.

Debatable.

Tell me why the file is bad? ;)

I can't. You haven't told us anything about the file.

Better solution: take advantage of any available hardware TPM to store encryption keys: https://wiki.archlinux.org/index.php/Trusted_Platform_Module

Dai
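The answer's "secure files from access by other users with chmod" advice, and the question's "as secure as the host itself" claim, both rest on the file actually having (and keeping) restrictive permissions. Below is an added example, not code from the question or the answer, showing what a practitioner would add on top of plain chmod: create the secrets file with mode 0600 from the first instant (no window where it is world-readable), and have the loader refuse to use it if the mode, owner or parent directory have drifted, the way ssh refuses an over-permissive private key. It assumes a POSIX filesystem; the file name, directory and secret value are constructed for the demo.

```python
"""Store an app secret in a file only the owning user can read, and refuse
to load it if its permissions have drifted.

Added example for the chmod-based approach discussed above; not part of the
original Q&A. Assumes POSIX mode bits. Paths and the secret are made up.
"""
import os
import stat
import tempfile

# Any read/write/execute bit for group or other is unacceptable on a secret.
_FORBIDDEN_BITS = stat.S_IRWXG | stat.S_IRWXO


def write_secret(path: str, secret: bytes) -> None:
    """Create `path` holding `secret` with mode 0600 from creation.

    mkstemp() creates the temp file with 0600 regardless of umask, so the
    secret is never readable by others even briefly; os.replace() then swaps
    it into place atomically within the same directory.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".secret-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(secret)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def check_secret_file(path: str) -> None:
    """Raise PermissionError unless `path` is a regular, non-symlink file that
    we own, with no group/other bits, in a directory others cannot tamper with."""
    st = os.lstat(path)  # lstat: do not follow symlinks planted by another user
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"{path}: is a symlink")
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, not by us")
    if st.st_mode & _FORBIDDEN_BITS:
        mode = oct(stat.S_IMODE(st.st_mode))
        raise PermissionError(f"{path}: mode {mode} is accessible to group/other")
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    # A world-writable parent without the sticky bit lets anyone rename/replace the file.
    if (pst.st_mode & stat.S_IWOTH) and not (pst.st_mode & stat.S_ISVTX):
        raise PermissionError(f"{parent}: world-writable directory without sticky bit")


def read_secret(path: str) -> bytes:
    """Load the secret only after the permission checks pass."""
    check_secret_file(path)
    with open(path, "rb") as f:
        return f.read()


def demo() -> dict:
    """Round-trip a constructed secret, then show the loader rejecting a
    loosened file and a symlink. Returns the observations for checking."""
    with tempfile.TemporaryDirectory() as d:  # created 0700
        path = os.path.join(d, "app.secret")
        secret = b"example-db-password-not-real"  # constructed sample value
        write_secret(path, secret)
        mode_after_write = stat.S_IMODE(os.stat(path).st_mode)
        loaded = read_secret(path)

        # Simulate a symlink planted where the app expects its secret.
        link = os.path.join(d, "link.secret")
        os.symlink(path, link)
        try:
            read_secret(link)
            symlink_rejected = False
        except PermissionError:
            symlink_rejected = True

        # Simulate an admin "fixing" the permissions to 0644.
        os.chmod(path, 0o644)
        try:
            read_secret(path)
            loose_rejected = False
        except PermissionError:
            loose_rejected = True

        return {
            "mode": mode_after_write,
            "roundtrip": loaded == secret,
            "symlink_rejected": symlink_rejected,
            "loose_mode_rejected": loose_rejected,
        }


if __name__ == "__main__":
    print(demo())
```

This does not make the file any stronger than the host (root still reads it, which is the answer's "debatable" point), but it closes the two common ways a chmod-only setup quietly degrades: a file created world-readable before being tightened, and permissions later loosened or the path replaced without anyone noticing.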