Processing passwords in a production configuration for automatic deployment

I saw related questions here, but they don't seem to answer exactly what I need.

We use PowerShell scripts to deploy our applications, and sensitive information such as passwords in the configuration files for most environments (UAT, etc.) is stored in plain text. That is not a big problem, but when it comes to PREPROD and PROD it is a big problem. So we had some tokens in the config, such as "{{prompt-password}}", which bring up a credential prompt (Get-Credential); the person performing the deployment enters the credentials and the deployment continues.

But that does not help with automated deployment (meaning one-click deployment with tools like TeamCity).

Should I switch to asymmetric encryption (http://msdn.microsoft.com/en-us/library/as0w18af.aspx), where the password is encrypted with a public key and placed in the config, and the private key is stored (as described here: http://msdn.microsoft.com/en-us/library/tswxhw92.aspx) on the "agent" (e.g. a virtual machine from which TeamCity initiates the deployment and which has limited access) that performs the automated deployment and can decrypt the password? I'm not very strong in cryptography and such stuff, but does this seem like the way to go? Any other suggestions? How do people handle this for automated deployment?

Update:

OK, I went ahead and implemented it. I wrote a console application in C# that uses the cryptography libraries. The application generates the keys:

```csharp
// GetRsa(containerName) is the poster's own helper that opens or creates the named CSP key container
RSACryptoServiceProvider rsa = GetRsa(containerName);
// true = include the private key parameters; this file is meant for the deployment agent only
File.WriteAllText("keys.kez", rsa.ToXmlString(true));
```

I also export the public key:

```csharp
// false = public parameters (modulus and exponent) only; safe to hand to anyone who needs to encrypt a password
File.WriteAllText("public.pke", rsa.ToXmlString(false));
```

Give the public key to everyone who needs to encrypt a password, and ask them to put the encrypted password in the config. Place the keys.kez file on any agent that is supposed to run the deployment.

+14
c# powershell deployment production-environment configuration
May 26 '11 at 5:15
6 answers

Asymmetric encryption is certainly a winner here in terms of security and simplicity. That is how I have successfully used it for production SaaS applications.

There are a few tricks. One, as you mentioned, make sure the public/private key pair is installed on the host and not stored in configuration files or in code. Two, assume that the key management and generation tools provided by MS are weak and ugly, and plan accordingly (we created a simple keygen executable for the operations team to run during deployment).

+3
May 26 '11 at 6:17
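The scheme from the question's update and from the answer above (public key in the hands of whoever knows the password, private key only on the deployment agent), as an added example in PowerShell rather than the poster's C# console application. This is not code from the page; the file names keys.kez and public.pke follow the question, while the token format `{{rsa:<base64>}}`, the function names and the config fragment are assumptions made for illustration. Whoever can read keys.kez can decrypt every token, so the file's ACL on the agent is what actually protects the passwords.

```powershell
# Added example: RSA-OAEP protected password tokens for deployment configs (Windows PowerShell 3+).

# Run once on a trusted machine; copy keys.kez to the deployment agent only, hand out public.pke freely.
function New-DeployKeyPair {
    param([string]$PrivateKeyPath = 'keys.kez', [string]$PublicKeyPath = 'public.pke')
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
    try {
        # ToXmlString($true) includes the private exponent and CRT parameters; $false only modulus/exponent
        Set-Content -Path $PrivateKeyPath -Value $rsa.ToXmlString($true)
        Set-Content -Path $PublicKeyPath  -Value $rsa.ToXmlString($false)
    } finally { $rsa.Dispose() }
}

# Run by the person who knows the PROD password; needs only the public key.
function Protect-DeployPassword {
    param(
        [Parameter(Mandatory)][string]$PublicKeyPath,
        [Parameter(Mandatory)][System.Security.SecureString]$Password
    )
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    try {
        $rsa.FromXmlString((Get-Content -Raw -Path $PublicKeyPath))
        $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
        try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
        finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
        $bytes = [Text.Encoding]::UTF8.GetBytes($plain)
        # OAEP with SHA-1 costs 2*20+2 = 42 bytes per block; a password longer than that limit
        # would need hybrid (RSA + AES) encryption instead of a single RSA block
        if ($bytes.Length -gt ($rsa.KeySize / 8) - 42) { throw 'Password too long for one RSA-OAEP block' }
        # $true selects OAEP padding; PKCS#1 v1.5 ($false) is exposed to padding-oracle attacks
        $cipher = $rsa.Encrypt($bytes, $true)
        return '{{rsa:' + [Convert]::ToBase64String($cipher) + '}}'
    } finally { $rsa.Dispose() }
}

# Run on the deployment agent: replaces every {{rsa:...}} token with the decrypted value.
function Expand-DeployConfig {
    param(
        [Parameter(Mandatory)][string]$PrivateKeyPath,
        [Parameter(Mandatory)][string]$ConfigText
    )
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    try {
        $rsa.FromXmlString((Get-Content -Raw -Path $PrivateKeyPath))
        if ($rsa.PublicOnly) { throw "$PrivateKeyPath holds no private key; tokens cannot be decrypted" }
        $result = $ConfigText
        foreach ($m in [regex]::Matches($ConfigText, '\{\{rsa:([A-Za-z0-9+/=]+)\}\}')) {
            $cipher = [Convert]::FromBase64String($m.Groups[1].Value)
            $plain  = [Text.Encoding]::UTF8.GetString($rsa.Decrypt($cipher, $true))
            $result = $result.Replace($m.Value, $plain)
        }
        return $result
    } finally { $rsa.Dispose() }
}

# Usage with a constructed demo password and config fragment (in practice: Read-Host -AsSecureString).
New-DeployKeyPair
$demoPassword = ConvertTo-SecureString 'S3cret-demo-only!' -AsPlainText -Force
$token = Protect-DeployPassword -PublicKeyPath 'public.pke' -Password $demoPassword
$config = @"
<connectionStrings>
  <add name="Prod" connectionString="Server=db1;User Id=app;Password=$token" />
</connectionStrings>
"@
# On the agent the expanded text is what gets written to the target machine's config
Expand-DeployConfig -PrivateKeyPath 'keys.kez' -ConfigText $config
```

Each encryption of the same password yields a different token because OAEP is randomised, so tokens cannot be compared to guess whether two environments share a password. Run the expansion as the last step on the agent and write the result straight to the target, so the plaintext never lands in the build artefact.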

Not quite an answer, but a suggestion or another question.

Why not store the password as an encrypted string in the configuration file?

```powershell
$credential.Password | ConvertFrom-SecureString | Set-Content c:\temp\password.txt
```

As far as I understand the documentation, a process running under the same credentials can read it back:

```powershell
$password = Get-Content c:\temp\password.txt | ConvertTo-SecureString
$credential = New-Object System.Management.Automation.PSCredential "username", $password
```

You can replace $credential.Password with Read-Host -AsSecureString.

+2
May 26 '11 at 7:09

As you said in your question, your password is stored in PROD in the configuration file in plain text. No amount of encryption can help with this. It is also a kind of vicious circle: how are you going to protect the encryption key?

The key here is to consider a practical approach to your organization’s business processes when it comes to deployments.

Let me explain this with an example. Assume that the deployment to PROD is done by the infrastructure team. This team has access to the password that is required in your configurations. They will not disclose this password to you (the deployment developer) for security reasons. You want them not to have to enter the password during every installation. If you think about it, this is the best you can do: they will need to enter the password at least once.

The cryptography solution does not really work, because your deployment package will need a way to decrypt the password anyway, and if it can do that without user input, then so can you (the developer), and that is not acceptable.

Since the password is stored in the PROD configuration files in plain text anyway, have the deployment package prompt for the password only if it does not already know it. Once a member of the infrastructure team supplies the password, save it in a local file. Better yet, store it in a generic container. You do not need a password for this. The next time around the key will already be known, and your installer will not need to prompt for it again. Of course, you also need to provide a way to change the saved key.

The tokenizing approach you describe is workable. I have been doing this for quite some time, quite successfully (for example, it has passed external security audits). Since PROD has a plain-text password, PROD must be considered a secure environment. And since it is secure, there is nothing wrong with caching (storing a copy of) that secured password in it.

+1
May 26 '11 at 7:35
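The two answers above fit together: the ConvertFrom-SecureString answer shows how to keep a cached copy that only the same Windows account on the same machine can open (DPAPI, CurrentUser scope), and the answer just above says to prompt only when the password is not yet known and to provide a way to replace it. The following is an added example combining both; it is not code from either answer. The cache path, the parameter names and the `-Reset` switch are assumptions. It targets Windows PowerShell, where ConvertFrom-SecureString without `-Key` uses DPAPI; the failure mode shown is a cache file copied from (or created under) a different account, which DPAPI refuses to decrypt.

```powershell
# Added example: prompt-once, cache-under-DPAPI credential retrieval for a deployment script.
function Get-DeployCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$CachePath = (Join-Path $env:LOCALAPPDATA 'deploy\prod-db.cred'),  # assumed location
        [switch]$Reset   # force a new prompt, e.g. after the password has been rotated
    )
    $password = $null
    if (-not $Reset -and (Test-Path -Path $CachePath)) {
        try {
            # Without -Key, ConvertTo-SecureString uses DPAPI in the CurrentUser scope: a blob written
            # by another user, or on another machine, fails here with "Key not valid for use in specified state"
            $password = Get-Content -Path $CachePath | ConvertTo-SecureString -ErrorAction Stop
        } catch {
            Write-Warning ("Cached credential at {0} cannot be decrypted by {1}\{2}; prompting again" -f
                $CachePath, $env:USERDOMAIN, $env:USERNAME)
        }
    }
    if ($null -eq $password) {
        # The operator who knows the secret types it once; it is never written anywhere in plain text
        $password = Read-Host -Prompt "Password for $UserName" -AsSecureString
        $dir = Split-Path -Parent $CachePath
        if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
        $password | ConvertFrom-SecureString | Set-Content -Path $CachePath
        # Defence in depth: DPAPI already binds the blob to this account, but keep other users
        # (and inherited ACEs) off the file anyway
        $acl = Get-Acl -Path $CachePath
        $acl.SetAccessRuleProtection($true, $false)
        $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($me, 'FullControl', 'Allow')
        $acl.SetAccessRule($rule)
        Set-Acl -Path $CachePath -AclObject $acl
    }
    return New-Object System.Management.Automation.PSCredential -ArgumentList @($UserName, $password)
}

# Usage from the deployment script: first run prompts, later runs under the same account are silent.
$cred = Get-DeployCredential -UserName 'app'
# Hand $cred to cmdlets that accept a PSCredential; materialise the plaintext only where unavoidable:
#   $cred.GetNetworkCredential().Password
# Rotation: Get-DeployCredential -UserName 'app' -Reset
```

Because the DPAPI user key comes from the account's profile, the cache has to be created by the very account the build agent or scheduled task runs as, not by an administrator who "sets it up" interactively under their own login.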

Whether you use asymmetric or symmetric encryption, you need to store the decryption key in your code, so you merely move the security risk from the configuration file to your executable (agent). This is much better from an obfuscation standpoint, but the executable can obviously be reverse engineered by someone determined enough to retrieve the decryption key.

0
May 26 '11 at 5:50

How about creating a scheduled task to run the deployment scripts? Define the task to run under a specific user account and grant that account the appropriate permissions.

0
May 26 '11 at 5:50
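The scheduled-task approach above, as an added example that is not part of the answer: the deployment runs under a dedicated low-privilege account whose password Task Scheduler stores, and the build server only needs the right to start the task, so no deployment credential ever reaches TeamCity or its config. It uses the ScheduledTasks module (Windows 8 / Server 2012 and later); the task name, account name, paths and script parameters are assumptions.

```powershell
# Added example: on-demand deployment task running as a dedicated service account.
$taskName  = 'Deploy-MyApp-PROD'        # assumed
$scriptDir = 'C:\deploy'                 # assumed; holds Deploy-MyApp.ps1 and its config templates
$svcUser   = 'CORP\svc-deploy'           # assumed dedicated, least-privilege deployment account

# Entered once by an administrator; Task Scheduler keeps it, the build server never sees it
$svcCred = Get-Credential -UserName $svcUser -Message 'Deployment account password (stored by Task Scheduler)'

# -NonInteractive makes a leftover Get-Credential prompt fail fast instead of hanging the deployment
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptDir\Deploy-MyApp.ps1`" -Environment PROD" `
    -WorkingDirectory $scriptDir

# No trigger: the task only runs when started on demand; cap its runtime and refuse overlapping runs
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 30) -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName $taskName -Action $action -Settings $settings `
    -User $svcUser -Password $svcCred.GetNetworkCredential().Password -RunLevel Limited | Out-Null

# Least privilege on the script directory: the service account may read and execute but not modify,
# administrators keep full control, and inherited ACEs (e.g. BUILTIN\Users read) are dropped
icacls $scriptDir /inheritance:r /grant:r "${svcUser}:(OI)(CI)RX" 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

# The build step on the TeamCity agent then reduces to:
#   Start-ScheduledTask -TaskName 'Deploy-MyApp-PROD'
```

Starting a task as a non-administrator requires that the agent's account be granted access to that task; Task Scheduler keeps each task's security descriptor with the task definition, so that is a one-time grant by an administrator rather than another shared password.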

Interesting question: I also work with several environments and have the problem of different settings per environment. We really do not put passwords in the configuration (a compromised machine, an engineer's mistake, etc.). When we do it for fairly non-sensitive material, we keep them in plain text.

With that in mind, could the build agent not simply hold a list of passwords for each environment?

If you do not want to store them in plain text, you can do something with PowerShell. I am sure Jaykul wrote a post on this a while back, but my (quick) googling only turned up something from Halr (both are PowerShell MVPs, so it should be interesting).

http://halr9000.com/article/531

0
May 26 '11 at 7:03
