I create a web server with Node.js. The database is MongoDB. I'm using a json file to save the server configuration. The node module 'nconf' is used to read the json file.
Currently, all the data, including some confidential data, saved in the json file is plain text. I don't think it is security enough. What should I do to make sure the confidential data is security?
You could take a look into the crypto library of node.
Here is a link to the documentation: Crypto Node.js
You could use this to encrypt some of the data that is contained within the file. But you should also probably consider removing the sensitive information and find another means to store it else where, perhaps within a database, like your MongoDB.
Related
I'm looking for a way to encrypt the entire DB and keep the ability to search for data although it's encrypted.
I have seen a lot of questions regarding encryption of at rest data in Mongo, but none of it got an answer that can help one complete a full flow for their application.
I hope to present here my findings and get feedback and more ideas (I still have some questions).
Encryption options:
1.mongoose-encryption.
Complete solution! Can encrypt all fo the db with minimal work for you!.
2. Procona mongodb - I didn't had a chance to test it, I've spent hours trying to install and get it to run, without luck (this is probably just me though..).
3. Create get and send methods to encrypt and decrypt your data in the Module level.
My requirements for at rest data encryption are:
Application layer does not need to be involved in the encryption- decryption process. Should be like we don't even have the data encrypted (for the most part).
We can perform search and lookups on encrypted data.
I don't know how to do that but hopefully search for partial words and phrases in encrypted text fields.
Of course that all data is encrypted expect for Object IDs.
My approach:
I want to try and use mongoose-encryption to use all the benefits of this amazing plugin.
I also want to add to the schema the Hash of the Real value in the encrypted field so I could preform find operations on encrypted field.
The problem:
I can't seem to find the correct mongoose Hook to temper with the non-encrypted data before mongoose-encryptions hides it. So I can't generate my Hash.
This doesn't work:
Users.pre('save', () => {
this.hashedName = hash(this.name)
console.log(":(")
});
Also as mentioned above, searching for partials and phrases in encrypted data.
With my approach we could find someone named "Danielle" but we can't search in Hash for users with a name that starts with "Dani".
Please give me your opinion as well for my approach. I know that this is a topic without easy to find solutions.
If you want to encrypt the data on disk, encrypt the entire disk and encrypt the swap. If someone gets a copy of the database (e.g. you forgot to put auth on the database and someone connects to the database and dumps the data) the plaintext is exposed.
If you want the database to store encrypted data only, use client side encryption. This requires key management on the client side but makes it so that someone dumping your database doesn't get the plaintext.
I'm reading on Sails attribute documentation the encrypt and decrypt functions for attributes and tested it on a random field alongside with mongodb. This worked well and encrypted the field before saving it on database. So, according to documentation i can decrypt that data with decrypt method. This saves a lot of code validations and library importing. But, i was wondering if is possible:
To be able to verify without decrypt data (Like the compare function on bcrypt library)
To encrypt data on a production db, then change the project (update, replace models or something similar) and then be able decrypt that.
To be able to encrypt data, share the db with another sails project and be able to decrypt (or verify with something related to question 1) the encrypted data.
I just figured it out, seeking for related content on project.
I've found an object called dataEncryptionKeys in /config/models.js file, with the corresponding documentation reference. This answers questions as it is supposed to behave as the key (or keys) for decryption. For the answer of first i think that it will be ok with the decrypt method for most use cases.
I am attempting to implement site authentication. I have express routes, a mysql db, and login/register react forms. I am using password-validator (https://www.npmjs.com/package/password-validator) to disable/enable the submit buttons. I'll validate on the server, too. password-validator takes an array of strings to black/whitelist. I'm wondering where I should store these black/whitelists.
I figure I shouldn't store them as json files in the client folder, as it could be altered by the user. Might not matter much if I validate on the server, too, but I'd like to have a single source if I can. I'm unsure if it's possible or prudent to store them in the mysql db. Only other option I can think of is storing them as json on the server. Endpoints with express are ready to go, or I could use socket.io (also ready to go).
Any insight into the best way to do this is appreciated.
So if any client side storage like cookie and any persistent database are not allowed to be used. How would you persist data from user input in a Node.js server? array is not an option as users should only see their own input. I thought of using session(express-session), but it essentially uses cookies correct?
You can probably use local storage.
This package seems interesting: node-localstorage
I'm storing options data in a chrome extension using chrome.storage.local.set
How secure is that data?
Can it be read easily by anyone who has access to the file it is stored in?
It is not secure, and per the official chrome.storage docs is stored unencrypted in the user's profile folder under their Chrome data directory. You will need to use some additional encryption if you are storing more sensitive data using these APIs.
They are stored in a LevelDB database in the following location:
C:\Users\<User>\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\<Extension id>
It's saved in the following path (For other OS, the path is similar), can be easily accessed.
C:\Users\<User>\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\<Extension id>
Basically, since the data is saved in local machine, you can't trust it as secure, since there're tons of ways to get the data. For example, other extension/scripts may overrite chrome.storage.local.set and they may get the data first, like what Storage Area Explorer does.