How are secure environment variables secured?
1,196 views
Skip to first unread message
Andrew Todd
Mar 13, 2015, 12:43:49 PM3/13/15
to go...@googlegroups.com
Hi,
I couldn't find any documentation on this, and looking through the source code hasn't picked up anything yet -- how do secure environment variables work? We didn't create a passphrase or anything when we created our Go server, but values are being encrypted with something. How can I secure whatever master key is in use? What algorithm is being used? Thanks.
I couldn't find any documentation on this, and looking through the source code hasn't picked up anything yet -- how do secure environment variables work? We didn't create a passphrase or anything when we created our Go server, but values are being encrypted with something. How can I secure whatever master key is in use? What algorithm is being used? Thanks.
Aravind SV
Mar 13, 2015, 1:08:35 PM3/13/15
to Andrew Todd, go...@googlegroups.com, Jyoti Singh
Secure environment variables in Go encrypt values, using a generated cipher key (unique per server, found in a file called "cipher" in your config directory). The value is encrypted in the configuration file and in console output. So, even if the value is echoed out, it will be masked in the console output.
However, these variables will be stored unencrypted in the database, and will be made available to tasks, unencrypted (obviously, they might want to use them). If the scripts using them cannot be trusted, then the security provided by the secure environment variables themselves cannot be trusted. For instance, there's nothing stopping a script from emailing the secured value to someone, or writing it into a file in /tmp. As you might imagine, such usages cannot really be prevented (or, as someone recently pointed out, not worth the effort to try to secure against someone so malicious).
There's talk about changing from DES to AES for this. Jyoti (CCed), who has spent some spare time on this, might be able to tell you more.
Cheers,
Aravind
On Fri, Mar 13, 2015 at 12:43 PM, Andrew Todd <andrew....@gmail.com> wrote:
Hi,
I couldn't find any documentation on this, and looking through the source code hasn't picked up anything yet -- how do secure environment variables work? We didn't create a passphrase or anything when we created our Go server, but values are being encrypted with something. How can I secure whatever master key is in use? What algorithm is being used? Thanks.
--
You received this message because you are subscribed to the Google Groups "go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-cd+un...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages