muesli / beehive

A flexible event/agent & automation system with lots of bees 🐝
GNU Affero General Public License v3.0

Encryption for values in configuration file? #226

Closed dmoonfire closed 4 years ago

dmoonfire commented 5 years ago

Even though it would only slow down some people a little while, I think it would be better to have some of the configuration values encrypted.

        {
          "Name": "email",
          "Value": "example@email.com"
        },
        {
          "Name": "password",
          "Value": "ACTUAL-PASSWORD"
        }

I'd probably just use AES encryption and store the password there, that way there is slightly more effort to decrypt it instead of scanning a filesystem.

        {
          "Name": "email",
          "Value": "example@email.com"
        },
        {
          "Name": "password",
          "Value": "PASSWORD-ENCRYPTED-WITH-SALT",
          "Encrypted": true,
          "Salt": "754a5fafd42db24317c40806df99fd2221c7fbca785c67d9010f965c744821c6"
        }

You could use different methods for storing the salt (machine ID, cryptography API, etc). The main part is to make it slightly harder to get the passwords and secrets than just grabbing a file.

internetimagery commented 5 years ago

Are configuration files expected to be portable from machine to machine, user to user?

If not, perhaps the "password" value could instead be a string that acts as a serviceID, and the real password is stored in the OS-level keyring, using something like https://github.com/zalando/go-keyring

muesli commented 5 years ago

The config file is currently portable indeed. Also seeing how Beehive is usually run on a server and not on the desktop, I'm not sure a key-ring that needs to be unlocked manually is the right approach. We'll think about this some more.

dmoonfire commented 5 years ago

If you use the salt in the configuration, it would be portable since you would hopefully use the same algo (like AES) which is universal. The advantage is that you can't use a rainbow table easily to figure it out since you'd have to hash the entire keyspace to find it instead of using the pre-generated table.

If you allowed for a machine key or another approach, then it wouldn't be portable but it would be more secure since then you'd have to have the hardware to guess the password.

rubiojr commented 5 years ago

Would we be open to encrypting the entire configuration file like rclone does?

I've recently extracted the crypto from rclone for some other projects that I have: https://github.com/rubiojr/fcrypto

muesli commented 5 years ago

@rubiojr Yeah, I think that makes the most sense: "simply" encrypt the entire config file. Open for PRs, of course!

rubiojr commented 5 years ago

@muesli happy to take care of that. My plan was to do it after we merge the config package refactor in https://github.com/muesli/beehive/pull/251. Thoughts?

rubiojr commented 5 years ago

Implemented a quick proof of concept, would look something like https://gist.github.com/rubiojr/53c9de66138e8f1c29fd776ca0ddd2ff (on top of #251).

Should be portable across different platforms.
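
Added example, not part of the thread and not code from Beehive, rclone or fcrypto: a Go sketch of the whole-file approach the thread settles on, sealing the entire config with AES-256-GCM under a passphrase-derived key so the file stays portable and any modification is detected. The `salt || nonce || ciphertext` layout, the function names, the iteration count and the passphrase are assumptions; PBKDF2 is written out by hand only to stay within the standard library, where a maintained KDF package would normally be used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
const saltLen, nonceLen, iterations = 16, 12, 200_000 // assumed parameters
// aead derives a 32-byte key with single-block PBKDF2-HMAC-SHA256 and keys AES-256-GCM.
func aead(passphrase, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, passphrase)
	mac.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // U1 = PRF(P, S || INT(1))
	u, key := mac.Sum(nil), mac.Sum(nil)                     // two copies of U1; Sum keeps state
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j] // key = U1 xor U2 xor ... xor Uc
		}
	}
	block, _ := aes.NewCipher(key) // cannot fail: key is always 32 bytes
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// EncryptConfig returns salt || nonce || ciphertext+tag for the whole file.
func EncryptConfig(passphrase, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen) // fresh random salt and nonce per write
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	return aead(passphrase, hdr[:saltLen]).Seal(hdr, hdr[saltLen:], plaintext, nil), nil
}

// DecryptConfig fails on a wrong passphrase or on any modified byte.
func DecryptConfig(passphrase, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 {
		return nil, fmt.Errorf("config blob too short: %d bytes", len(blob))
	}
	return aead(passphrase, blob[:saltLen]).Open(nil, blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:], nil)
}
func main() {
	blob, _ := EncryptConfig([]byte("example passphrase"), []byte(`{"Name":"password","Value":"ACTUAL-PASSWORD"}`)) // constructed sample
	out, err := DecryptConfig([]byte("example passphrase"), blob)
	fmt.Printf("%d bytes on disk, round trip: %q (err=%v)\n", len(blob), out, err)
}
```

On a server that cannot be unlocked by hand, the passphrase still has to reach the process from outside the file, for example from the service manager's environment.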