Possible Duplicate:
Standards for encrypting passwords in configuration files?

I am not sure whether this question has been asked here before; I wasn't able to find it. So please feel free to mark it as a duplicate if it is one.

I have a tool which uses a private key. The path and name of the private key are read from a configuration file. The private key is password protected, and the password is also stored in the same configuration file (in plain text).

Now, my questions are as below:

  (a) Is it safe to store the private key normally on disk if it is encrypted using a password and stored?
  (b) If I "have" to store the password in a config file only, is it possible for me to avoid storing it in plain text? (I have thought of the scenario of encrypting the config file itself, but where to store the key used for encrypting it?)
  (c) Where can I store the config file on Linux / Windows systems so that the config file can be considered safe and not accessible to normal users?

My apologies if the question(s) sound too naive.

Jay
  • Related: [How can I avoid putting the database password in a perl script?](http://security.stackexchange.com/questions/20461/how-can-i-avoid-putting-the-database-password-in-a-perl-script) – Polynomial Dec 04 '12 at 07:05

1 Answer

In reality this is not a problem that cryptography can solve. There isn't a separation of trust: the application must be able to decrypt the passwords in order to use them.

So how do you protect passwords stored in a configuration file? Prevent the attacker from reading the configuration file!

  • Keep the configuration file out of the web root.
  • Make sure your application doesn't suffer from directory traversal.
  • Disable file_priv on your MySQL database.
  • Make sure that only your application has read access to the file.
rook
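The last two points of the answer (keep the file out of the web root; let only the application read it) can be enforced and verified from a POSIX shell. The script below is an added example, not code from the original answer or from the asker's tool; the config path, the service user and the web-root directory are constructed placeholders. It uses `chmod`/`chown` and `stat` (GNU first, BSD fallback) only.

```sh
#!/bin/sh
# Added example: lock a configuration file that holds a key passphrase
# down to its owner, then verify the result and the file's location.
# Assumes a POSIX shell plus GNU or BSD stat; all paths are placeholders.

# Print the octal permission bits of a file.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if only the owner can read the file (mode 0400 or 0600).
# Any group or world read bit lets other local users recover the
# plaintext passphrase, which is the threat the answer describes.
config_is_private() {
    mode=$(file_mode "$1") || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 if path $1 lies beneath the web-root directory $2, where an
# application bug (e.g. directory traversal) could expose it over HTTP.
under_web_root() {
    case "$1" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Harden the file: owner-only read/write, optionally re-owned to the
# service account ($2). chown needs root, so failure there is tolerated;
# the function's exit status reflects whether the file ended up private.
harden_config() {
    chmod 600 "$1" || return 1
    if [ -n "$2" ]; then
        chown "$2" "$1" 2>/dev/null || :
    fi
    config_is_private "$1"
}

# Stand-alone demonstration on a constructed temporary config file.
demo_conf=$(mktemp)
printf 'key_path=/etc/myapp/server.key\nkey_password=CONSTRUCTED\n' > "$demo_conf"
harden_config "$demo_conf" "" && echo "hardened $demo_conf (mode $(file_mode "$demo_conf"))"
if under_web_root "$demo_conf" /var/www/html; then
    echo "WARNING: $demo_conf is inside the web root"
fi
rm -f "$demo_conf"
```

Run `config_is_private /etc/myapp/app.conf` from a deployment check or a cron job to catch permission drift; a non-zero exit is the signal that someone other than the owner can read the passphrase. The location check is deliberately a plain prefix match, so pass the real, resolved web root (e.g. the output of `readlink -f`) rather than a symlink.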