[Engine-devel] Dropping encryption of database password
Liran Zelkha
liran.zelkha at gmail.com
Wed May 1 05:34:18 UTC 2013
Why not do use the same technology like JBoss DataSource password
encryption?
http://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/Encrypting_Data_Source_Passwords.html
On Wed, May 1, 2013 at 3:45 AM, Eli Mesika <emesika at redhat.com> wrote:
>
>
> ----- Original Message -----
> > From: "Alon Bar-Lev" <alonbl at redhat.com>
> > To: "engine-devel" <engine-devel at ovirt.org>
> > Cc: "Yair Zaslavsky" <yzaslavs at redhat.com>, "Eli Mesika" <
> emesika at redhat.com>, "Juan Hernandez" <jhernand at redhat.com>
> > Sent: Tuesday, April 30, 2013 10:41:20 PM
> > Subject: Dropping encryption of database password
> >
> > Hello,
> >
> > Currently we store database password encrypted using
> > org.picketbox.datasource.security.SecureIdentityLoginModule.
> >
> > This is reverse encryption with common knowledge shared secret.
> >
> > Using encryption with common knowledge shared secret is close to void
> > protection.
> >
> > So far we also stored the password as plain text at
> > /etc/ovirt-engine/.pgpass, this is going to be removed as no component
> > actually uses the .pgpass, however we do need to store non-java specific
> > password in for utilities.
> >
> > In master (aiming to 3.3), we store the database connection details in
> own
> > file /etc/ovirt-engine/engine.conf.d/50-setup-database.conf owned by
> ovirt
> > user and not world readable.
> >
> > I would like to use the same 50-setup-database.conf to store plain text
> > password and remove the java specific reversible encrypted password
> usage.
> >
> > Bottom line...
> > 1. We drop the .pgpass file.
> > 2. We store database connection information in
> > /etc/ovirt-engine/engine.conf.d/<file> that is readable only by ovirt
> usage.
> > 3. We drop the java specific reversible encryption in favor of plain
> text.
> >
> > Thoughts?
>
> I see no problem in the .pgpass , only root can access it (it has 0600
> mode , if it doesn't it is ignored by PG)
> Apart from that , this is the standard way used by PG so why not using it
> , AFAIK this is considered safe & secured
>
>
> > Alon
> >
> _______________________________________________
> Engine-devel mailing list
> Engine-devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/engine-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/devel/attachments/20130501/0cc55be3/attachment-0001.html>
More information about the Devel
mailing list