HoeflingSoftware / Dnn.KeyMaster

MIT License

Encrypt Secrets.json File #65

Open SkyeHoefling opened 5 years ago

SkyeHoefling commented 5 years ago

Is your feature request related to a problem? Please describe.

The secrets.json.resources file is stored in plain text and should be encrypted. This will add another layer of security to the Key Master.

david-poindexter commented 5 years ago

Thanks for logging my recommendation, @ahoefling.

SkyeHoefling commented 5 years ago

This is going to need further discussion, because encrypting and decrypting with this module or a library from DNN still creates a security risk. If someone knows where the command is, they can execute the same command from the assembly to run the decryption algorithm. If we add a custom salt such as the machine name, that would be sufficient. The only problem with that is that when the website is moved from server to server, the salt will be invalid and break the encryption.

Interested in other people's thoughts on an effective way to encrypt the secrets file.
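The machine-name salt trade-off raised in the comment above, as an added example (not Dnn.KeyMaster code and not written by anyone in this thread). It assumes .NET 8 or later, a hypothetical passphrase, and constructed machine names `WEB01` and `WEB02` standing in for `Environment.MachineName` on two servers.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class MachineBoundSecrets
{
    // Key = PBKDF2(passphrase, salt = SHA-256(machine name)).
    // The machine name is hashed only to get a fixed-length salt.
    static byte[] DeriveKey(string passphrase, string machineName)
    {
        byte[] salt = SHA256.HashData(Encoding.UTF8.GetBytes(machineName));
        return Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, 100_000, HashAlgorithmName.SHA256, 32);
    }

    // Output layout: 12-byte nonce || 16-byte tag || ciphertext.
    static byte[] Encrypt(string json, byte[] key)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] pt = Encoding.UTF8.GetBytes(json);
        byte[] ct = new byte[pt.Length], tag = new byte[16];
        using var aes = new AesGcm(key, 16);
        aes.Encrypt(nonce, pt, ct, tag);
        byte[] blob = new byte[28 + ct.Length];
        nonce.CopyTo(blob, 0); tag.CopyTo(blob, 12); ct.CopyTo(blob, 28);
        return blob;
    }

    // Throws CryptographicException when the key does not match (wrong machine name).
    static string Decrypt(byte[] blob, byte[] key)
    {
        byte[] pt = new byte[blob.Length - 28];
        using var aes = new AesGcm(key, 16);
        aes.Decrypt(blob.AsSpan(0, 12), blob.AsSpan(28), blob.AsSpan(12, 16), pt);
        return Encoding.UTF8.GetString(pt);
    }

    static void Main()
    {
        const string passphrase = "constructed-passphrase";        // hypothetical; its storage is out of scope here
        const string json = "{\"ApiKey\":\"constructed-value\"}";   // constructed sample secret

        byte[] blob = Encrypt(json, DeriveKey(passphrase, "WEB01")); // encrypted on the original server
        Console.WriteLine(Decrypt(blob, DeriveKey(passphrase, "WEB01")));

        try { Decrypt(blob, DeriveKey(passphrase, "WEB02")); }       // same file after the site is moved
        catch (CryptographicException) { Console.WriteLine("WEB02: key mismatch, file must be re-encrypted"); }
    }
}
```

Code running on `WEB01` with access to the same passphrase derives the same key, so the machine-name salt ties the file to a server but does not separate the module from other code on that server.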

david-poindexter commented 5 years ago

Perhaps this is done in steps. Standard encryption for now would be better than plain text. Then another issue can be added for additional security if desired.

Hashing was the other idea I shared during the TADUG meetup. Look at the way DNN stores passwords.