How do I store details securely with django?
Lance Haig
I have a project I am working on https://github.com/lhaig/usery/ and
part of the roadmap of the project is to add more cloud types to the list.
I wanted to allow admins for these services to login and create records
for their different clouds in the DB and then use these when people
request access to these services.
I need to find a secure way to store these credentials so that even if
the DB is compromised that the credentials are safe.
Does anyone have suggestions on how I can accomplish this?
I would really appreciate some advice.
Regards
Lance
Mike Dewhirst
> Hi,
>
> I have a project I am working on https://github.com/lhaig/usery/ and
> part of the roadmap of the project is to add more cloud types to the
> list.
>
> I wanted to allow admins for these services to login and create
> records for their different clouds in the DB and then use these when
> people request access to these services.
>
> I need to find a secure way to store these credentials so that even if
> the DB is compromised that the credentials are safe.
your other assumptions about the threats?
How many sets of credentials will there be?
In future, will you be using simple credentials or tokens, certificates,
multi factor auth?
If this is a prototype and only a few sets are involved you can store
credentials in a file or one file per set and write a method to fetch
them as required. That will keep them out of the database and let you
rejig the method after you have decided how it should really work.
PASCUAL Eric
Hi,
It can depend on which deployment option you plan to use for the application.
For instance, a Docker deployment orchestrated by Kubernetes gives the option of using secrets for sensitive information, which a hoster such as GCP manages conveniently. In this kind of deployment, configuration (and secrets) are passed to the app as environment variables, on which Kubernetes configuration maps and secrets are mapped to. Thanks to this, values are stored nowhere in the app code, companion files or database.
Regards
Eric
Sent: Sunday, November 11, 2018 11:07:14 PM
To: django...@googlegroups.com
Subject: Re: How do I store details securely with django?
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/c8819341-7c60-56ee-6298-3a6a7897e9b1%40dewhirst.com.au.
For more options, visit https://groups.google.com/d/optout.
Lance Haig
Thanks for responding.
My answers inline
On 11/11/18 11:07 PM, Mike Dewhirst wrote:
> On 12/11/2018 12:47 AM, Lance Haig wrote:
>> Hi,
>>
>> I have a project I am working on https://github.com/lhaig/usery/ and
>> part of the roadmap of the project is to add more cloud types to the
>> list.
>>
>> I wanted to allow admins for these services to login and create
>> records for their different clouds in the DB and then use these when
>> people request access to these services.
>>
>> I need to find a secure way to store these credentials so that even
>> if the DB is compromised that the credentials are safe.
>
> I agree credentials should not be stored in the database but what are
> your other assumptions about the threats?
>
> How many sets of credentials will there be?
>
> In future, will you be using simple credentials or tokens,
> certificates, multi factor auth?
The application is a user sandbox portal to allow admins to grant X
number of days access to a cloud for testing and discovery.
It currently is focused on openstack but he roadmap plan is to add
docker Kubernetes etc..
So I need to have the ability for the cloud admins to add or remove
authentication details as they are needed.
>
> If this is a prototype and only a few sets are involved you can store
> credentials in a file or one file per set and write a method to fetch
> them as required. That will keep them out of the database and let you
> rejig the method after you have decided how it should really work.
>
not scale very well when you need to add more and more.
Lance Haig
Hi Eric,
Thanks for the response.
This idea has an end goal of being deployed in a resilient way so most probably docker with some form of orchestration, Docker swarm or Kubernetes.
The credentials are mainly stored in a .env file at the moment and could be added to the secrets but I need for people who are admins for a particular cloud to add their cloud details to the app and then store their credentials securely.
Unfortunately this will need a dynamic storage mechanism which i
don't know how to do yet
Regards
Lance
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/VI1P193MB043243D0747282C2D96F60E38CC00%40VI1P193MB0432.EURP193.PROD.OUTLOOK.COM.
Mike Dewhirst
the surface, if they are temporary credentials I cannot see much need
for heavy duty security.
If the perceived risk is database compromise it might be better to
configure the database or the database server with an ACL including only
the Django server IP address and perhaps one or two trusted people.
Maybe Kubernetes secrets is the eventual way forward but scalability is
assured if you can keep the creds in the database.
What about a separate non-public schema (assuming Postgres) for creds?
I'm sure you could lock that down to particular permission groups which
ought keep things secure enough.
The bottom line question: What is lost if temporary creds are compromised?
Risk is hazard multiplied by likelihood/opportunity
If you can reduce either side of that equation you reduce risk.
What plan do you have to execute to recover from the feared event
when/if it happens?
When all things are considered the answer to that last question
determines how much effort is warranted.
PASCUAL Eric
Hi Lance,
but I need for people who are
admins for a particular cloud to add their cloud details to the app and then store their credentials securely.
I'm not sure to understand the need for adding cloud details to the app for the admins.
The suggestion I made assumed that sensitive information is managed as K8S secrets. As long as the admins have GCloud (for instance) credentials set (which are stored and managed at GCloud level), they can administrate
the secrets resources by "applying" the corresponding YAML descriptors remotely from their workstation. The sensitive values are thus stored nowhere inside the application itself, but passed to the containers at runtime as environment variables.
Maybe I've misunderstood your need and sorry in this case if my answer is off topic.
Best
Eric
Sent: Monday, November 12, 2018 9:07:30 AM
Pradeep Singh
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/VI1P193MB0432916809AFE450553011D98CC10%40VI1P193MB0432.EURP193.PROD.OUTLOOK.COM.
Lance Haig
Hi Eric,
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/VI1P193MB0432916809AFE450553011D98CC10%40VI1P193MB0432.EURP193.PROD.OUTLOOK.COM.
Lance Haig
Hi Mike,
Thank you for taking the time to read this.
I have highlighted these sentences in your response
The bottom line question: What is lost if temporary creds are
compromised?
The credentials have high level access to the backed system think e.g kubernetes admin so compromise would mean full access to kubernetes to add remove delete anything.
What plan do you have to execute to recover from the feared event when/if it happens?
This is a valid question, The recovery for these would be rebuild of a cluster or service. depending on the damage caused.
It seems my idea of making these options configurable via a web UI will not easily be done.
I will have to stay with the current deployment plan.
Thanks
Lance
PASCUAL Eric
Hi Lance,
Well, I was off topic. Sorry for this :/ I understand your need better now.
There are chances you've already thought to this option, but what about storing the sensitive data encrypted with a key based on a passphrase the user must provide when logging, in addition to the usual credentials ? This passphrase would not be stored anywhere, so even if the DB is compromised, the sensitive data would not be usable.
Eric
Devender Kumar
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/VI1P193MB04323838756D4FC42BD744728CC10%40VI1P193MB0432.EURP193.PROD.OUTLOOK.COM.
Mike Dewhirst
Lance Haig
Thanks I will take a look at that
Lance
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/df4e7fc2-cf4d-4742-9fd3-adc1e7d037c6%40googlegroups.com.
Lance Haig
Thanks Eric,
I did not explain myself properly so the mistake was mine.
Thanks for the help.
Lance
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/VI1P193MB04323838756D4FC42BD744728CC10%40VI1P193MB0432.EURP193.PROD.OUTLOOK.COM.
Lance Haig
Hi Dev,
I believe that it would not provide much more security around the details.
Thank you for responding.
Regards
Lance
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CALZ%3DbEKYs7TkjPPbSfB5ogXyGUbswgRkju8%3DitEgu_%2B9cSRD-A%40mail.gmail.com.