Is there any way to use encrypted password in redis config file?


Vadim Dzyuban

Jul 26, 2016, 1:44:33 PM
to Redis DB
Here is what I'm trying to achieve.
Encrypted redis password <encrypted_redis_pwd> is kept in (1) python app conf file and (2) inside redis config file.
When connecting to redis db from python app, the encrypted pwd will be decrypted when passing it into Redis:
redis.Redis(host='hostname', port=port, password=decrypt(<encrypted_redis_pwd>)) 

I'm not aware how to decrypt encrypted redis password from redis config file before this value will be used for authentication whenever redis.Redis(...) is called.

Any ideas, help will be appreciated.

Itamar Haber

Jul 26, 2016, 3:03:45 PM
to Redis DB
There is no Redis mechanism for storing an encrypted password in the config file. The underlying reasoning is that if someone had managed to gain unauthorized access to that file, this is most likely the least of your problems, security-wise, with that server.

--
You received this message because you are subscribed to the Google Groups "Redis DB" group.
To unsubscribe from this group and stop receiving emails from it, send an email to redis-db+u...@googlegroups.com.
To post to this group, send email to redi...@googlegroups.com.
Visit this group at https://groups.google.com/group/redis-db.
For more options, visit https://groups.google.com/d/optout.



--
Itamar Haber | Chief Developer Advocate
Redis Labs


Vadim Dzyuban

Jul 27, 2016, 9:19:53 AM
to Redis DB
Thank you Itamar for the response.
Just wanted to have feedback from the redis community if someone was thinking about achieving the same and share the experience.

Mumshad Mannambeth

Jan 16, 2017, 4:24:55 PM
to Redis DB
Hi,

I was trying to achieve the same. I understand if someone breaks into the server this may be the least of my problems, but to get through security audits passwords in clear text is a NONO. What if we write a script like this?

password='P@ssw0rd@123'   # Command line input

# Update password in config file
# (double quotes so the shell expands $password inside the sed expression)
sed -i "s/requirepass.*/requirepass $password/" /etc/redis.conf

# Start redis server
# (returns to the script only if "daemonize yes" is set in the conf)
redis-server /etc/redis.conf

# Remove password in config file
sed -i 's/requirepass.*/requirepass PASSWORD_REMOVED/' /etc/redis.conf

See any problems with this approach? Redis won't read this conf file again, I hope.


Thanks,
Mumshad

Itamar Haber

Jan 16, 2017, 6:46:58 PM
to Redis DB
Redis will not reread the conf file, that's right. Alternatively, the script can simply issue a `CONFIG SET requirepass foobared` after Redis starts, instead of twiddling with files.

Either way, there's no problem with this approach as long as you're good with having the password stored in clear text in the script file... wait, what? ;)



hva...@gmail.com

Jan 18, 2017, 1:38:19 AM
to Redis DB
As Itmar mentions, it would probably be better to have the Redis config file not specify the password, and then have a process connect to the Redis server process and issue a command to set the password.

BUT....  I'm not sure this will achieve the clearance you want for a security audit.  When a Redis client connects through the network to this Redis server, the client will transmit the password in cleartext.  You can pipe the connection through an encrypting agent to avoid the cleartext password traveling through the network, but this can create additional latency between client and server, not to mention more complexity and places for the data flow to break, etc.  It's rare for an audit to require password authentication to a service, and prohibit the password from appearing in a config file in cleartext, yet allow the password to be transmitted from client to server in the clear.

  -Greg
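
The approach discussed in the replies above (no `requirepass` in the conf file, a separate process sets it after startup), as an added example that is not code from any poster in this thread. It assumes the password lives in a root-only file at a hypothetical path and that Redis is bound to 127.0.0.1; the RESP bytes it builds also show the point about cleartext: the password is sent on the wire exactly as typed.

```python
import os
import socket
import stat


def encode_resp(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings (what a client sends)."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)


def read_secret(path: str) -> str:
    """Read the password, refusing files accessible to group or others."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must be mode 0600 or stricter")
    with open(path) as fh:
        secret = fh.read().strip()
    if not secret:
        raise ValueError("empty password")
    return secret


def set_requirepass(host: str, port: int, secret_path: str) -> bytes:
    """Send CONFIG SET requirepass to a freshly started, not yet protected server."""
    payload = encode_resp("CONFIG", "SET", "requirepass", read_secret(secret_path))
    with socket.create_connection((host, port), timeout=5) as conn:
        conn.sendall(payload)
        reply = conn.recv(64)
    if not reply.startswith(b"+OK"):
        raise RuntimeError(f"unexpected reply: {reply!r}")
    return payload


if __name__ == "__main__":
    # Hypothetical path (assumption). Until this call succeeds the server has
    # no password, so keep it bound to loopback during startup.
    set_requirepass("127.0.0.1", 6379, "/etc/redis/requirepass.secret")
```
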

hva...@gmail.com

Jan 18, 2017, 1:39:25 AM
to Redis DB
Oops. Itamar.  (I misspelled your name, sorry)