You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I have a configuration file that holds many details that my app uses for various purposes such a SMTP password, db encryption token, etc. That configuration file is encrypted against a password using some golang code i wrote. Lets call it the "Config password"
Context and Intent:
This is a linux server in a data center with highly sensitive information stored on it.
The intent here is that if someone gets remote or physical access to the machine they cannot decrypt the configuration data stored in the config file.
Currently i store the password to decrypt the configuration file in Systemd file, and so anyone that gets physical access can find it.
How can i make it so that only that app can access the "Config password" that i stored into the TPM / KeyRing ?
The only way i can see this working is if the ServiceName and UserName is stored in the golang binary. It would then know the args to pass into go-keyring to retrieve the "Config password".
I feel like there is something i am missing as any attacker can decompile the golang binary and find the ServiceName and UserName.
The text was updated successfully, but these errors were encountered:
gedw99
changed the title
How to design a binary to access it on startup
How to design an encrypted file with this ?
Jan 23, 2021
I don't think this is something this project is useful for. It's based on the system keyrings where the use case is the user of the machine knows the keyring password and thereby can unlock whatever is stored there. If you can't provide the keyring password temporarily from "outside" then this doesn't protect anything.
Storing a symmetric encryption key in the keyring should be more secure than storing it in a file. It would be better secured against physical access as the keyring's contents are encrypted at rest.
The service and user values aren't meant to be sensitive. They can be set as plaintext config values passed to your app. The password is sensitive and should only be stored in the keyring.
I have a configuration file that holds many details that my app uses for various purposes such a SMTP password, db encryption token, etc. That configuration file is encrypted against a password using some golang code i wrote. Lets call it the "Config password"
Context and Intent:
This is a linux server in a data center with highly sensitive information stored on it.
The intent here is that if someone gets remote or physical access to the machine they cannot decrypt the configuration data stored in the config file.
Currently i store the password to decrypt the configuration file in Systemd file, and so anyone that gets physical access can find it.
How can i make it so that only that app can access the "Config password" that i stored into the TPM / KeyRing ?
The only way i can see this working is if the ServiceName and UserName is stored in the golang binary. It would then know the args to pass into go-keyring to retrieve the "Config password".
I feel like there is something i am missing as any attacker can decompile the golang binary and find the ServiceName and UserName.
The text was updated successfully, but these errors were encountered: