
I am working with C++ processes on a Linux (CentOS 8) environment. These processes should be able to access an encrypted file on the system.

Where should I store the password for this encrypted file?

My only idea is to hardcode it into the C++ source code, but I doubt this solution is secure.

Sylvester
  • Why store it at all? You could open the file and its decryption wrapper at startup after user input. Then drop privileges so you can't modify it anymore for that run. And yes, hardcoded is insecure. – LvB Jul 08 '21 at 08:55
  • User input is not possible in my case unfortunately. – Sylvester Jul 08 '21 at 08:58
  • Why is the file encrypted in the first place? What are you protecting against? Are you protecting against the user getting the key, the user decrypting the file, an attacker getting the key, an attacker decrypting the file or an attacker modifying the file? – Gamer2015 Jul 08 '21 at 09:05
  • How is the file encrypted? You can't actually encrypt (meaningfully) with a password - even "password-based encryption" just runs the password through a key-derivation function and then uses standard keyed encryption internally - and the only reason to use a password at all is if the user needs to remember it. Also, are you trying to prevent the user from reading the file (don't bother, impossible) or are you trying to prevent other users from doing so, or what? – CBHacking Jul 08 '21 at 09:18
  • It's an RSA private key encrypted with AES256, generated by the openssl genrsa command line utility. It's encrypted to ensure that it will only be used by these few trusted processes. – Sylvester Jul 08 '21 at 09:25
  • Related: https://security.stackexchange.com/questions/12332/where-to-store-a-server-side-encryption-key – mti2935 Jul 08 '21 at 11:19
  • @Sylvester user input is always an option… might not be convenient or desirable… but those do not exclude them from being an option… (just look at how HashiCorp's Vault works) – LvB Jul 08 '21 at 11:31
  • @LvB Trust me, in my case user input is not an option. – Sylvester Jul 09 '21 at 11:26
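The pattern LvB's first comment sketches, written out as an added example that is not from the question or any commenter: the passphrase for the AES-256-encrypted RSA key lives in a root-owned, owner-only-readable file that the process reads at startup, refusing it outright if the owner or mode is loose, and the process then drops privileges so that for the rest of its run it can no longer read either the passphrase or the key file. The path /etc/myservice/key.pass, the service uid/gid 1000 and all helper names are assumptions.

```cpp
#include <sys/stat.h>
#include <fcntl.h>
#include <grp.h>
#include <unistd.h>
#include <fstream>
#include <stdexcept>
#include <string>

// Create the passphrase file as 0600 from the first instant (no umask window).
bool writeSecretFile(const std::string& path, const std::string& content) {
    int fd = open(path.c_str(), O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    if (fd < 0) return false;
    fchmod(fd, S_IRUSR | S_IWUSR);  // also corrects a pre-existing file's mode
    bool ok = write(fd, content.data(), content.size()) == (ssize_t)content.size();
    return close(fd) == 0 && ok;
}

// True only for a regular file owned by our effective uid with no group/other
// bits set (the same check sshd applies to a private key before using it).
bool permissionsAreStrict(const std::string& path) {
    struct stat st{};
    if (stat(path.c_str(), &st) != 0 || !S_ISREG(st.st_mode)) return false;
    if (st.st_uid != geteuid()) return false;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

// Read the first line; refuse loose permissions outright rather than warn.
std::string loadPassphrase(const std::string& path) {
    if (!permissionsAreStrict(path))
        throw std::runtime_error("refusing " + path + ": wrong owner or mode");
    std::ifstream in(path);
    std::string pw;
    std::getline(in, pw);
    if (pw.empty()) throw std::runtime_error("empty passphrase in " + path);
    return pw;
}

// Once the key is loaded, give up root so the process can no longer read the
// passphrase or key file: groups, gid, uid, then prove the drop stuck.
bool dropPrivileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0) return true;  // already unprivileged
    if (setgroups(0, nullptr) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return false;
    return setuid(0) == -1;           // regaining root must fail
}
int main() {
    std::string pw = loadPassphrase("/etc/myservice/key.pass");  // assumed 0400, root-owned
    // ... decrypt the AES-256-protected RSA key with pw here (e.g. OpenSSL's PEM reader) ...
    return dropPrivileges(1000, 1000) ? 0 : 1;  // assumed service uid/gid
}
```

The same owner-and-mode check applied to the key file itself catches a deployment that leaves it group- or world-readable, which would make the passphrase moot.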

0 Answers