When it comes to security, too much can never be enough. Configuration files are a commonplace in storing passwords and other sensitive data for your database, email access, third-party services, and other systems that you need access to. It’s safely stored in your server file system that only you have access.
While we have developed Config to be a highly-secured platform for your configuration settings, we understand that most, if not all of you, are still skeptical about giving out sensitive data to a third-party service. So here is an option on how to maximize the use of Config’s features without having to give out any of your sensitive information.
No application code changes required. The encryption process is done prior to uploading your configuration in Config, while the decryption process is done closest to the to the time of actual deployment of your configuration files.
Client-side Encryption Using the Config Command Line Interface
This set up is for users that have sensitive information in plain text format within their configuration files. Follow the steps below if you don’t want to store plain text passwords in Config. Decryption operation is automatically performed within the security of your own server.
config-cli is a downloadable tool within Config. It is stored in your Linux or Windows-based server so you can pull your configuration files from Config.
While its main function is to get your configuration files without Config needing to access your server, you can also use config-cli to generate encrypted strings for your sensitive data before you import your configuration file to Config.
- Setup config-cli:
- Installing config-cli on Red Hat/CentOS 7 using Ansible: follow Steps 1-8.
- Installing config-cli on Red Hat/CentOS 7: follow Steps 1-5.
- Installing config-cli on Windows: follow Steps 1-4
- Create a password file in any location within your file system.The password file will be used to encrypt/decrypt sensitive data when you use config-cli to pull your configuration. Remember to secure your password file so that other users will not have access to it.For example, we create a password.txt file and store it in C:\config-cli\password.txt:
- Execute the following command:
./config-cli.sh encrypt -pfile password.txt
config-cli.bat encrypt -pfile password.txt
You will be prompted to put in the string that you need to encrypt. The output should be something like the image below:
- Copy the output of the encryption operation, enclosed in _E() and replace it as the value in your configuration file. Once you have done this for all sensitive data, you can now upload it to Config. NOTE: You can also copy-paste this string using the Config web interface.
- Once encrypted data is in Config, just execute the deploypull config-cli command to pull your configuration file. Add the -pfile option and specify the path of your password file. If you do not specify a -pfile option and the configuration has encrypted data, you will be prompted for the password:
The output file will have the decrypted string that you can now use in your application.
In future Config releases, we’re rolling out other options that will make it easier for you to encrypt sensitive data. Watch out for updates in this tutorial!