
How to design an encrypted file with this ? #57

Open
gedw99 opened this issue Jan 23, 2021 · 2 comments

Comments


gedw99 commented Jan 23, 2021

I have a configuration file that holds many details that my app uses for various purposes, such as an SMTP password, a DB encryption token, etc. That configuration file is encrypted against a password using some Golang code I wrote. Let's call it the "Config password".

Context and Intent:
This is a Linux server in a data center with highly sensitive information stored on it.
The intent here is that if someone gets remote or physical access to the machine, they cannot decrypt the configuration data stored in the config file.
Currently I store the password to decrypt the configuration file in a systemd file, and so anyone who gets physical access can find it.

How can I make it so that only that app can access the "Config password" that I stored in the TPM / keyring?
The only way I can see this working is if the ServiceName and UserName are stored in the Golang binary. It would then know the args to pass into go-keyring to retrieve the "Config password".

I feel like there is something I am missing, as any attacker can decompile the Golang binary and find the ServiceName and UserName.

@gedw99 gedw99 changed the title How to design a binary to access it on startup How to design an encrypted file with this ? Jan 23, 2021
mikkeloscar (Member) commented

I don't think this is something this project is useful for. It's based on the system keyrings where the use case is the user of the machine knows the keyring password and thereby can unlock whatever is stored there. If you can't provide the keyring password temporarily from "outside" then this doesn't protect anything.


merusso commented Oct 10, 2022

Storing a symmetric encryption key in the keyring should be more secure than storing it in a file. It would be better secured against physical access as the keyring's contents are encrypted at rest.

The service and user values aren't meant to be sensitive. They can be set as plaintext config values passed to your app. The password is sensitive and should only be stored in the keyring.
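The split merusso describes, as an added example (not code from go-keyring or from any commenter): service and user are plaintext app config, only the symmetric key lives in the keyring, and the app fetches it at startup to decrypt the config file. The real package's `keyring.Set(service, user, password)` and `keyring.Get(service, user)` have the shape of the `Keyring` interface here; `MemoryKeyring` is a constructed stand-in so the block runs without a system keyring. The names `ProvisionKey`, `EncryptConfig`, `DecryptConfig` and the service/user strings are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Keyring mirrors the shape of go-keyring's keyring.Set and keyring.Get so the
// in-memory stand-in below can be swapped for the real package in an app.
type Keyring interface {
	Set(service, user, password string) error
	Get(service, user string) (string, error)
}

// MemoryKeyring is a constructed stand-in so this example runs without a
// system keyring; it offers none of the at-rest protection a real one does.
type MemoryKeyring struct{ items map[string]string }

func NewMemoryKeyring() *MemoryKeyring {
	return &MemoryKeyring{items: map[string]string{}}
}

func (m *MemoryKeyring) Set(service, user, password string) error {
	m.items[service+"\x00"+user] = password
	return nil
}

func (m *MemoryKeyring) Get(service, user string) (string, error) {
	p, ok := m.items[service+"\x00"+user]
	if !ok {
		return "", errors.New("secret not found in keyring")
	}
	return p, nil
}

// ProvisionKey runs once (e.g. by an operator) and stores a fresh random
// 256-bit AES key, hex-encoded, under the non-sensitive service/user pair.
func ProvisionKey(kr Keyring, service, user string) error {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return err
	}
	return kr.Set(service, user, hex.EncodeToString(key))
}

// aeadFor fetches the key from the keyring and builds AES-256-GCM from it.
func aeadFor(kr Keyring, service, user string) (cipher.AEAD, error) {
	s, err := kr.Get(service, user)
	if err != nil {
		return nil, err
	}
	key, err := hex.DecodeString(s)
	if err != nil || len(key) != 32 {
		return nil, errors.New("keyring entry is not a 32-byte hex-encoded key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptConfig seals the config bytes; the output is nonce || ciphertext+tag.
func EncryptConfig(kr Keyring, service, user string, plaintext []byte) ([]byte, error) {
	aead, err := aeadFor(kr, service, user)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptConfig is what the app calls on startup; GCM's tag check rejects a
// blob that was modified on disk.
func DecryptConfig(kr Keyring, service, user string, blob []byte) ([]byte, error) {
	aead, err := aeadFor(kr, service, user)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("config blob too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	// service and user are plaintext config values; both are constructed here.
	const service, user = "example-app-config", "config-key"
	kr := NewMemoryKeyring()
	if err := ProvisionKey(kr, service, user); err != nil {
		panic(err)
	}
	blob, err := EncryptConfig(kr, service, user, []byte("smtp_password=constructed"))
	if err != nil {
		panic(err)
	}
	plain, err := DecryptConfig(kr, service, user, blob)
	fmt.Printf("recovered %q (err=%v)\n", plain, err)
}
```

The point of the layout is that nothing in the binary or on disk beside the keyring is secret: the service/user strings can be read out of the executable without consequence, and the encrypted config is safe as long as the key is. Whether the key is safe is mikkeloscar's caveat: a system keyring only helps if it is unlocked with a secret supplied from outside the machine; if the keyring is unlocked automatically for the service, anyone with the same local access can make the same `Get` call.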
