According to OpenAM-12.0.0-Install-Guide, User can set up openAM by using command "java -jar openam-configurator-tool-12.0.0.jar --file config.properties".There are many key-value pairs in config.properties. But the value of AM_ENC_KEY attribute is NULL. How can I get a random AM_ENC_KEY value? And what does this key encrypt?
If you leave the AM_ENC_KEY value empty in the configuration file, then a random key will be generated for you.
The encryption key is used to encrypt most of the passwords stored within the OpenAM configuration (things like passwords for the data stores, LDAP servers you authenticate against, etc).
Related
I've been reading the little documentation Elastic provides, but it is just about how to operate it. And I don't really understand the fundamentals of it.
You initialise the keystore with a password: bin/elasticsearch-keystore passwd
You add a key-value to it bin/elasticsearch-keystore add mySecret (prompts for secret)
You refer to the key inside elasticsearch.yml i.e. ${mySecret}
Start Elasticsearch, and the value is magically extracted and replaced from the keystore.
My doubt is: how does Elasticsearch get the password to decrypt the keystore and use the values in the configuration file? Or is the keystore password stored somewhere?
If yes, where? In this case I don't see the benefit of using keystore at all?
#sscarduzio
place your password in ansible yml file, protect the yml file with ansible-vault, this way you only have to remember and type only the vault password for all the keystores and sensitive passwords
with some further tricks depensing on your setup you can automate further and supply vault password with automation
I have a web app that uses known username and password combinations to login to external servers. There are multiple username/password combinations used for different services. Right now, they are essentially "hard-coded" into the website code, but, I would like to move this information off the code base for better security.
My initial thought is to store this data in the database which is used to support the website. I want to store it in a way that it is not easily "hackable" (i.e. I'm not going to store it as plain text or as a MD5 hash). Should I follow the same format that I use to store the website user's passwords, where I use a random number generator to create SALT for each password and then store the password as hashed combination of the password and SALT, or would this be overkill?
Generally, storing passwords in the application code is always a bad idea. Moving it outside the code has many advantages including security.
Now storing it either in DB or Configuration Files is a choice you have to take depending on your application.
For full security you should never store passwords in retrievable form. But to login to a external server as in your case, you need to get the actual plain text password, so one way hash will not work for you.
In our product we deal with such situation by using 2 Way SSL Certificates. It is very secure and there is no need to store the passwords.
But if you really need to store the passwords, then I will suggest to use configuration file and let your application read it. You can encrypt the passwords stored in the configuration files (Encrypting the passwords stored in the configuration file will again bring you back to the same question of how to protect the key). The access to the configuration file should be restricted (in Unix, 600 File Permission).
Alternatively, if your web application is Java, then you can consider using JNDI.
After more research, I've decided at this point to follow the ideas here:
Encrypt a Column of Data - SQL Server | Microsoft Docs
...and encrypt/decrypt on the DB inside a Stored Procedure.
I've been looking at implementing JWT for the first time using jsonwebtoken (https://github.com/auth0/node-jsonwebtoken). For that, I need a secret value.
Is there a recommended command, or site, to generate a sufficiently good one?
I found this page (https://security.stackexchange.com/questions/95972/what-are-requirements-for-hmac-secret-key) which goes into detail about how long a secret should be (the answer seems to be a 256-bit), but where do you get one from? :)
Else it seems the other option would be to use a public/private key pair. They seem to prefer that approach on this guide I found: https://medium.com/#siddharthac6/json-web-token-jwt-the-right-way-of-implementing-with-node-js-65b8915d550e since that guy says he started off using a string and then switched to using a key pair. However the complication is this will be running on Lambda so I would ideally like the secrets (string or key) to be in environment variables. Not kept as files. But if you put a certificate in an environment variable, I wonder if AWS will strip out newlines and so screw it up when Node tries to work with it. So I'm thinking a secret string would be simpler - as long as it is sufficiently strong.
Thanks!
This is what I did when implementing HapiJS with JWT2. I generated a key based on the documentation they provided. According to their repo, this is one of the simplest ways to generate a secure key to sign against for JWT.
node -e "console.log(require('crypto').randomBytes(256).toString('base64'));"
I don't think you have to use asymmetric key authentication with public/private keys for JWT. In simplest forms, when a user logs into your system, they are given a hash of user data. On the client side, you provide that hash in the authorization header with each request. The server will check the hash to verify integrity. Since you have the key that you hashed against, it's highly unlikely that they will be able to create a forged hash.
Check out this link to the GitHub issue where they discuss generating keys for Hapi-auth-JWT2.
I want to encrypt the passwords used in my web application. In normally we will encrypt the passwords and save it to the property file and later we will decode it. But here if the source code is an open source then the attacker can find the decoding method in the source code and can get the password.
Another way is save the password into a key store file and then access it with the key store password. But again same problem is there, attacker can see the key store password.
Could anyone tell me any solution to this?
You could make the secret key an environment variable and then refer to it like that in code (python: os.environ('secretKey')), or (I'm assuming you're storing your code on github) you can store the secret key in a file and add that file to .gitignore
I would like to protect my database of secret information with a master key or master password and encrypt the data. Only if the user enters the correct master key, the data will be decrypted.
Obviously, when creating the master key, I should only save this as a hash value (e.g. SHA). But then I also need a key to encrypt the data with (e.g. AES). I thought of using the master key's hash value as the key for encryption.
But probably, this is not safe, right?
If the user enters a key, the hash is calculated and compared to the saved hash value. If they are the same, the database should be enrypted.
But saving the master key's hash value and using it as the key for encryption is probably a security risk, right?
Should I rather use the actual (plaintext) version of the master key to encrypt the data with?
Or just leaving out the step with comparing the hash value to the entered password and instead just trying to encrypt the data with the password entered?
I hope you understand what I'm trying to tell you about my problem. Thanks a lot in advance!
It is always best to separate responsibilities clearly and only use one cryptographic entity for one purpose and nothing else.
For symmetric encryption (e.g. AES), you need a key, and such a key is typically derived from a password (but it can be derived from a lot of other things, like a collection of files, or even just entered directly). So this entity is "password-which-becomes-encryption-key". Use it for that purpose. No need to store the password anywhere, as deriving the correct key from it is all you need.
If you additionally want to guard access to your application or database with an account system with authentication and authorisation, you also need to manage those credentials. That's an entirely unrelated activity; look up any basic web application design guide for standard solutions.
Just don't reuse a login password as an encryption key.