If a system generates a password and keys per host and copies them (there are approx. 50 hosts with different passwords) to a specified location on each host,
i.e. on host host1
/a/b/c/xyj_host1.p12
/a/b/c/xyj_host1.p12.pwd
In the server.properties file of Kafka I want to specify a file location instead of a plain password (reason: I deploy on those 50+ servers using Ansible and it's a security hole if I have to specify the password at the time of deployment)
ssl.truststore.location=/a/b/c/xyj_host1.p12
# instead of the password I want to specify the file which contains the password
ssl.truststore.password=/a/b/c/xyj_host1.p12.pwd
How can I make the above happen?
Kafka Connect can externalize secrets to files, but the brokers cannot.
If you want to protect secrets in Ansible, then Ansible Vault seems to be the solution there; as far as the broker goes, restrict the file permissions on the server properties.
There are other solutions still that could combine Hashicorp Vault with a templated property file (consul-template), but you'd still have a plaintext Vault token floating around, so really depends on how much you want to obfuscate your security
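As an added illustration of the two points in the answer (Kafka Connect can read a secret from a file, and whatever lands on the broker must be protected by file permissions), the script below is not from the question or the answer. It writes a secrets file with restrictive permissions, enables Kafka Connect's built-in FileConfigProvider, references the secret as `${file:<path>:<key>}` in a connector config, and adds a small audit that flags any `*.password` key in a properties file whose value is still a literal rather than a provider reference, the kind of check you would run in the Ansible deployment before copying files out. All paths and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the question or the answer): the Kafka Connect
# FileConfigProvider pattern the answer refers to, plus a pre-deployment
# audit that flags plaintext *.password values in a properties file.
# All file contents and paths below are constructed for the demo.
set -eu

# 1. Secrets file: created under umask 077 so only the service account reads it.
write_secrets_file() {
    ( umask 077; printf 'truststore.password=constructed-demo-password\n' > "$1" )
}

# 2. Connect worker config: enable the built-in file provider (real class name).
write_worker_config() {
    cat > "$1" <<'EOF'
bootstrap.servers=broker1:9093
config.providers=file
config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider
EOF
}

# 3. Connector config: reference the secret as ${file:<path>:<key>} instead of
#    embedding it; Connect resolves the reference when the connector starts.
#    $1 = output file, $2 = path of the secrets file written in step 1.
write_connector_config() {
    cat > "$1" <<EOF
name=demo-sink
connector.class=org.apache.kafka.connect.file.FileStreamSinkConnector
ssl.truststore.location=/a/b/c/xyj_host1.p12
ssl.truststore.password=\${file:$2:truststore.password}
EOF
}

# Audit: print each key ending in ".password" whose value is a literal rather
# than a ${provider:...} reference. Exit status 1 if any such key exists.
plaintext_password_keys() {
    awk '
        /^[ \t]*#/ || !/=/ { next }
        {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1);    sub(/^[ \t]+/, "", val)
            if (key ~ /\.password$/ && val !~ /^[$][{][A-Za-z0-9_]+:.*[}]$/) {
                print key; found = 1
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Stand-alone demo.
DEMO_DIR=$(mktemp -d)
write_secrets_file "$DEMO_DIR/secrets.properties"
write_worker_config "$DEMO_DIR/connect-distributed.properties"
write_connector_config "$DEMO_DIR/demo-sink.properties" "$DEMO_DIR/secrets.properties"
if plaintext_password_keys "$DEMO_DIR/demo-sink.properties"; then
    echo "ok: no plaintext password values in demo-sink.properties"
fi
```

The audit deliberately treats any `${provider:...}` value as acceptable, so it works for the file provider shown here and for other ConfigProvider implementations; it is a last line of defence for the deployment pipeline, not a substitute for keeping the secret itself in Ansible Vault.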
Related
Is there any way that we can give security measures for NiFi, like any username and password for the NiFi UI page? And also any way to give storage for the configuration made in the NiFi UI page.
Need some suggestion on this issue.
All user authentication and authorization mechanisms are only available once TLS is enabled. This was an intentional design decision because entering sensitive user credentials over a plaintext HTTP connection is unsafe and exposes the user to many opportunities to have those credentials, which unfortunately they may reuse for other services, stolen.
After enabling TLS for the NiFi application, LDAP, Kerberos, OpenID Connect, Knox, and client certificates are all available as authentication mechanisms.
With the default settings you can point a web browser at
https://127.0.0.1:8443/nifi
The default installation generates a random username and password, writing the generated values to the application log. The application log is located in logs/nifi-app.log under the installation directory. The log file will contain lines with Generated Username [USERNAME] and Generated Password [PASSWORD] indicating the credentials needed for access. Search the application log for those lines and record the generated values in a secure location.
The following command can be used to change the username and password:
$ ./bin/nifi.sh set-single-user-credentials <username> <password>
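As an added example that is not part of the answer, the script below automates the two steps the answer describes for a fresh install: pulling the `Generated Username [...]` / `Generated Password [...]` lines out of `logs/nifi-app.log`, and confirming that `conf/nifi.properties` exposes only the HTTPS listener (the answer's precondition for any authentication mechanism being available). The log lines and property values are constructed to match those formats; the property keys `nifi.web.https.port` and `nifi.web.http.port` are the real NiFi settings.

```shell
#!/bin/sh
# Added example, not part of the answer: read the generated single-user
# credentials out of nifi-app.log and check that nifi.properties exposes only
# the HTTPS listener. Log lines and property values below are constructed;
# real files live under the install directory (logs/nifi-app.log,
# conf/nifi.properties).
set -eu

# Print "username<TAB>password" taken from the last generation lines in the log.
# Returns 1 if either line is missing (e.g. credentials were set explicitly
# with nifi.sh set-single-user-credentials, so nothing was generated).
generated_credentials() {
    gc_user=$(sed -n 's/.*Generated Username \[\([^]]*\)\].*/\1/p' "$1" | tail -n 1)
    gc_pass=$(sed -n 's/.*Generated Password \[\([^]]*\)\].*/\1/p' "$1" | tail -n 1)
    [ -n "$gc_user" ] && [ -n "$gc_pass" ] || return 1
    printf '%s\t%s\n' "$gc_user" "$gc_pass"
}

# Return 0 when nifi.properties has an HTTPS port and no plaintext HTTP port.
https_only() {
    ho_https=$(sed -n 's/^nifi\.web\.https\.port=//p' "$1")
    ho_http=$(sed -n 's/^nifi\.web\.http\.port=//p' "$1")
    [ -n "$ho_https" ] && [ -z "$ho_http" ]
}

# Stand-alone demo with constructed inputs (logger name is illustrative).
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/nifi-app.log" <<'EOF'
2023-01-01 10:00:00,000 INFO [main] o.a.n.a.s.u.SingleUserLoginIdentityProvider Generated Username [demo-user]
2023-01-01 10:00:00,001 INFO [main] o.a.n.a.s.u.SingleUserLoginIdentityProvider Generated Password [demo-pass]
EOF
cat > "$DEMO_DIR/nifi.properties" <<'EOF'
nifi.web.http.port=
nifi.web.https.port=8443
EOF
generated_credentials "$DEMO_DIR/nifi-app.log"
https_only "$DEMO_DIR/nifi.properties" && echo "https-only: yes"
```

Once the generated values have been recorded somewhere safe, replace them with `./bin/nifi.sh set-single-user-credentials <username> <password>` as the answer shows; the generated password stays readable in the log until the log rotates, so the log file deserves the same permissions as the credential store.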
I am trying to implement 2FA for logins on my Ubuntu machine to increase security alongside an encrypted home folder. I've opted to use the Google Authenticator PAM module as this also works offline. I've followed the documentation on Google's GitHub repository https://github.com/google/google-authenticator/blob/f2db05c52884e4d6c3894f5fd2cf10f0f686aec2/libpam/README.md but it seems to me that you can easily bypass the MFA as:
the settings are saved in a .google_authenticator file
the settings file contains your secret key that you can use to add the account to the google authenticator app to receive OTP tokens
the .google_authenticator file must sit outside of your encrypted folder as otherwise you can't login
therefore, if you boot directly into a root shell (recovery), you can get the secret key from the file and thus bypass the second factor.
Therefore I have the following questions:
am I missing something in the google authenticator set-up?
are there any other solutions that would work offline and cannot be so easily bypassed?
therefore if you boot directly into a root shell (recovery)
There is a reason for that, and the reason is as you mentioned above -> recovery.
So, you are not missing anything, except the scope of 2FA: yes it can be bypassed if you have direct access to the server, but it secures remote access (SSH) perfectly fine. Unfortunately there is no way to disallow that.
Due to PA-DSS compliance, we are not allowed to have clear text passwords in configuration files, even if we control who is allowed to access the file.
I've checked WildFly's documentation, but could only find information about protecting the database's password via org.picketbox.datasource.security.SecureIdentityLoginModule. Is there a way to do this on WildFly? Both WebSphere and GlassFish provide a way to do this, so I guess WildFly might have a way too.
You can create a vault and encrypt the password with vaultTool. Then refer to the password stored in the vault with the preset variable, e.g.
<module-option name="bindCredential" value="${VAULT::MYLDAP::PASSWORD::1}"/>
https://developer.jboss.org/wiki/MaskingPasswordsForWildFlyUsingNon-interactiveVaultTool
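The script below is an added example, not the answer's or the wiki's own code, showing the non-interactive workflow the answer outlines: create the vault keystore with `keytool`, store a secret with `vault.sh`, and reference it as `${VAULT::block::attribute::1}`. It also adds a PA-DSS style check that lists any `bindCredential` option still stored as a literal. The `keytool`/`vault.sh` flags are assumed from the WildFly 8-10 vault tool (later releases replaced this vault with the Elytron credential store), and the XML fragment is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the answer: non-interactive vault.sh workflow
# (keystore via keytool, secret via vault.sh, ${VAULT::...} reference) plus an
# audit for bindCredential values that are still literals. Flags are assumed
# from the WildFly 8-10 vault tool; the XML below is constructed for the demo.
set -eu

VAULT_DIR="${VAULT_DIR:-$PWD/vault}"
KEYSTORE_PASS="${KEYSTORE_PASS:-change-me}"   # placeholder, supply a real one
SALT="${SALT:-1234abcd}"                      # vault.sh requires exactly 8 chars

# Create the JCEKS keystore holding the AES key that encrypts vault blocks.
create_vault_keystore() {
    mkdir -p "$VAULT_DIR"
    keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 \
        -storepass "$KEYSTORE_PASS" -keypass "$KEYSTORE_PASS" \
        -keystore "$VAULT_DIR/vault.keystore"
}

# Store one secret: $1 = vault block, $2 = attribute name, $3 = secret value.
store_vault_secret() {
    "$JBOSS_HOME/bin/vault.sh" --keystore "$VAULT_DIR/vault.keystore" \
        --keystore-password "$KEYSTORE_PASS" --alias vault \
        --vault-block "$1" --attribute "$2" --sec-attr "$3" \
        --enc-dir "$VAULT_DIR" --iteration 120 --salt "$SALT"
}

# The expression that replaces the literal in standalone.xml / module-options.
vault_expression() {
    printf '${VAULT::%s::%s::1}\n' "$1" "$2"
}

# PA-DSS style check: print every bindCredential value that is not a vault reference.
plaintext_bind_credentials() {
    sed -n 's/.*<module-option name="bindCredential" value="\([^"]*\)".*/\1/p' "$1" \
        | grep -v '^\${VAULT::' || true
}

# Stand-alone demo: the vault commands run only where a WildFly install exists.
if [ -x "${JBOSS_HOME:-}/bin/vault.sh" ]; then
    create_vault_keystore
    store_vault_secret MYLDAP PASSWORD "constructed-ldap-password"
fi
DEMO_XML=$(mktemp)
cat > "$DEMO_XML" <<EOF
<login-module code="LdapExtended" flag="required">
    <module-option name="bindDN" value="cn=svc,dc=example,dc=com"/>
    <module-option name="bindCredential" value="$(vault_expression MYLDAP PASSWORD)"/>
</login-module>
EOF
leaks=$(plaintext_bind_credentials "$DEMO_XML")
[ -z "$leaks" ] && echo "ok: bindCredential is vault-backed" || echo "plaintext: $leaks"
```

The keystore password is the remaining secret: `vault.sh` prints the `<vault-option>` elements to paste into the configuration, and the masked keystore password it emits is only as strong as the salt and iteration count you chose, so the keystore file and the vault directory still need the same file-permission restrictions you would have applied to the original plaintext.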
When I use the appcmd list apppool <ApplicationPoolName> /text:* command, it shows me the application pool identity passwords in clear text. I am able to view the passwords in clear text using Get-WMIObject in PowerShell as well. This can be a serious security threat as a user with correct access credentials can easily view the passwords.
The Application Pool in IIS (v7.5) is configured using domain user account/password. In the applicationHost.config file, the password is encrypted using IISWASOnlyAesProvider encryption provider. Still, the password is shown in clear-text when I use any of the above two methods.
Is there any way to encrypt passwords in such a way that they are not shown in clear-text when I use the above two methods?
Unless something has changed, the answer is no. The principle is best stated by Raymond Chen:
'It's like saying that somebody's home windows are insecure because a burglar could get into the house by merely unlocking and opening the windows from the inside. (But if the burglar has to get inside in order to unlock the windows...)'.
The point, in summary, is that anyone who can get to your IIS server, or can execute a WMI command remotely against your server, or can execute a PowerShell command against your server, has access.
They are assumed to be admins, and are assumed to be trusted, as occasionally admins would need to pull passwords for recovery purposes, or adding nodes to a shared pool if proper notes or password management wasn't done [mainly needed when doing basic authentication on a domain cluster needing shared passwords].
The passwords are only decrypted if you run appcmd as Administrator. If you run as a normal account, you get back the encrypted string.
This will be something like [enc:IISSomethingProvider:…:enc], just as you find it in applicationHost.config.
Consider the following image that shows the encryption hierarchy used in SQL Server. Please note the first blue block, that says the SMK is encrypted using DPAPI. The DPAPI uses a currently logged-in user credentials (+ more) to encrypt data, so it's machine-specific. This means that SMK (as well as DMK and any derived password) will be machine-specific (actually it's generated by SQL Server's setup). OTOH, I can create/backup an X.509 certificate in SQL Server (using CREATE CERTIFICATE, BACKUP CERTIFICATE and so on).
The scenario/question:
I'm developing a Web App that needs to encrypt and store CC information in a database column. I need to access those data, later on another machine so the db backup should be actually readable when restored on another machine (albeit, for someone who has got access to the above-mentioned certificate).
I'm wondering how am I supposed to restore a backup on another machine when the SMK is specific to the current instance of SQL Server? What should I do to access those encrypted data once they are restored on another machine?
UPDATE: Correct me if I am wrong!
We could use the BACKUP SERVICE MASTER KEY TO FILE command to back up the currently used SMK. This key, however, can be restored on any other SQL Server (on/out of the same machine) using the RESTORE SERVICE MASTER KEY FROM FILE command. When the SMK is restored, it's being encrypted once again using DPAPI so that the key itself can be stored somewhere on the machine.
Any help would be highly appreciated,
The diagram shows that a certificate can be protected either by the DMK or via a password. If you protect it with just a password, it should be portable.