encryption of username/password

encryption of username/password

odoisneau-2
is there an official answer to the need to encrypt username/passwords in the properties files?

--
You received this message because you are subscribed to the Google Groups "mybatis-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/mybatis-user/b18a2a80-05d0-4c55-9cf3-fd53d62c1aa8n%40googlegroups.com.

Re: encryption of username/password

Grzegorz Solecki
There is no official answer to that.
Have a look at http://www.jasypt.org It should be fairly easy to integrate.

On Friday, February 5, 2021 at 2:03:05 PM UTC-5 [hidden email] wrote:
is there an official answer to the need to encrypt username/passwords in the properties files?


Re: encryption of username/password

Larry Meadors
The approach I use is to supply those values at runtime from the AWS SSM parameter store. That way, they are not in your code base at all.

I believe that there are similar storage options in GCP and Azure.

Larry


On Fri, Feb 5, 2021 at 1:22 PM Grzegorz Solecki <[hidden email]> wrote:
There is no official answer to that.
Have a look at http://www.jasypt.org It should be fairly easy to integrate.


Re: encryption of username/password

Grzegorz Solecki
The solution that Larry proposed puts you in the position that you need to manage certificates for a given type of environment and assume that your system (on-premise or cloud) is open to an outgoing connection to AWS SSM (security aspect).
Imho, such a solution only brings benefits when you plan a big number of servers that will use AWS System Manager.

On Friday, February 5, 2021 at 5:27:48 PM UTC-5 [hidden email] wrote:
The approach I use is to supply those values at runtime from the AWS SSM parameter store. That way, they are not in your code base at all.

I believe that there are similar storage options in GCP and Azure.

Larry



Re: encryption of username/password

Larry Meadors
Eh, "use AWS System Manager" is an overstatement - we use the parameter store alone, no other management components. Also, their parameter store manages all of the encryption and decryption for you - the implementation is pretty trivial.

If you're not running your stuff in a cloud environment, as you said, dealing with that on-prem would be a pain - but in that case, you should be able to secure your hardware in such a way that putting the credentials in a file is adequately secure. ¯\_(ツ)_/¯

Larry


On Fri, Feb 5, 2021 at 5:12 PM Grzegorz Solecki <[hidden email]> wrote:
The solution that Larry proposed puts you in the position that you need to manage certificates for a given type of environment and assume that your system (on-premise or cloud) is open to an outgoing connection to AWS SSM (security aspect).
Imho, such a solution only brings benefits when you plan a big number of servers that will use AWS System Manager.


Re: encryption of username/password

odoisneau-2
I am fine with using SSM, so do you build your properties file dynamically with it? Right now I have hard-coded properties files. How do you integrate those files to use SSM? Not sure how that works. Do you temporarily write the files?

On Friday, February 5, 2021 at 9:59:54 PM UTC-5 [hidden email] wrote:
Eh, "use AWS System Manager" is an overstatement - we use the parameter store alone, no other management components. Also, their parameter store manages all of the encryption and decryption for you - the implementation is pretty trivial.

If you're not running your stuff in a cloud environment, as you said, dealing with that on-prem would be a pain - but in that case, you should be able to secure your hardware in such a way that putting the credentials in a file is adequately secure. ¯\_(ツ)_/¯

Larry



Re: encryption of username/password

Larry Meadors
The basic idea is that at startup, I look for a list of known names in the ssm parameter store and add them to the spring or guice container so they can be injected as needed - so it's not a mybatis problem that I was solving, it was a more general "how do i store and retrieve secrets" kind of problem.

The values never ever ever go into the source code or a file - only the names of them are in the app (generally as @Value annotations). At runtime, they are loaded from SSM and made available to the application. If the values change, a restart is required to reload them, but not a rebuild or redeployment.

I use a library I built to do it: https://github.com/lmeadors/jackson-env - it does more than just this, but there are some bits there that might be useful for you.

Larry


On Tue, Feb 9, 2021 at 8:31 AM '[hidden email]' via mybatis-user <[hidden email]> wrote:
I am fine with using SSM, so do you build your properties file dynamically with it? Right now I have hard-coded properties files. How do you integrate those files to use SSM? Not sure how that works. Do you temporarily write the files?

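The startup lookup described in the message above, applied to a MyBatis configuration, as an added example (not code from the thread or from the jackson-env library). It assumes the AWS SDK for Java v2, a `mybatis-config.xml` on the classpath whose data source uses `${username}` and `${password}` placeholders, and two hypothetical SecureString parameter names.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Map;
import java.util.Properties;

import org.apache.ibatis.io.Resources;
import org.apache.ibatis.session.SqlSessionFactory;
import org.apache.ibatis.session.SqlSessionFactoryBuilder;

import software.amazon.awssdk.services.ssm.SsmClient;
import software.amazon.awssdk.services.ssm.model.GetParametersRequest;
import software.amazon.awssdk.services.ssm.model.GetParametersResponse;
import software.amazon.awssdk.services.ssm.model.Parameter;

public final class SsmBackedSqlSessionFactory {

    // Hypothetical mapping: SSM parameter name -> property key referenced as ${...}
    // in mybatis-config.xml. Only the names live in the code base, never the values.
    private static final Map<String, String> PARAM_TO_PROPERTY = Map.of(
            "/myapp/prod/db/username", "username",
            "/myapp/prod/db/password", "password");

    private SsmBackedSqlSessionFactory() {
    }

    public static SqlSessionFactory build() throws IOException {
        Properties props = new Properties();
        // Uses the SDK's default credential and region lookup (instance role, env, profile).
        try (SsmClient ssm = SsmClient.create()) {
            GetParametersResponse resp = ssm.getParameters(GetParametersRequest.builder()
                    .names(PARAM_TO_PROPERTY.keySet())
                    .withDecryption(true) // SecureString values are decrypted by the service
                    .build());
            // Fail closed: do not start with a partial or empty credential set.
            if (!resp.invalidParameters().isEmpty()) {
                throw new IllegalStateException(
                        "Missing SSM parameters: " + resp.invalidParameters());
            }
            for (Parameter p : resp.parameters()) {
                // Values are held in memory only; nothing is logged or written to disk.
                props.setProperty(PARAM_TO_PROPERTY.get(p.name()), p.value());
            }
        }
        // Properties passed to build() take precedence over any <properties> resource
        // file, so the properties file on disk no longer needs to hold credentials.
        try (InputStream config = Resources.getResourceAsStream("mybatis-config.xml")) {
            return new SqlSessionFactoryBuilder().build(config, props);
        }
    }
}
```

The identity the application runs as needs `ssm:GetParameters` on those parameter names, plus `kms:Decrypt` on the key when the SecureString values use a customer-managed KMS key.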

Re: encryption of username/password

odoisneau-2
I found 3.9 allows for the MIGRATIONS_PASSWORD env. vars, which is fine; now I have an issue with checkForMissingLineTerminator

 Cause: java.lang.RuntimeException: Line missing end-of-line terminator (;) => create function 


On Tuesday, February 9, 2021 at 1:17:24 PM UTC-5 [hidden email] wrote:
The basic idea is that at startup, I look for a list of known names in the ssm parameter store and add them to the spring or guice container so they can be injected as needed - so it's not a mybatis problem that I was solving, it was a more general "how do i store and retrieve secrets" kind of problem.

The values never ever ever go into the source code or a file - only the names of them are in the app (generally as @Value annotations). At runtime, they are loaded from SSM and made available to the application. If the values change, a restart is required to reload them, but not a rebuild or redeployment.

I use a library I built to do it: https://github.com/lmeadors/jackson-env - it does more than just this, but there are some bits there that might be useful for you.

Larry

