Encrypted gmail password in place of plain text password in alertmanager.yml


Harsh Kumar Palsania

Feb 11, 2021, 1:06:50 AM
to Prometheus Developers
Hi all,

Is there a way where we can supply an encrypted gmail password in place of plain text password in alertmanager.yml of alertmanager?

Kindly suggest.

Thanks & regards,
Harsh Kumar

Stuart Clark

Feb 11, 2021, 7:14:51 AM
to Harsh Kumar Palsania, Prometheus Developers
On 2021-02-11 06:06, Harsh Kumar Palsania wrote:
> Hi all,
>
> Is there a way where we can supply an encrypted gmail password in
> place of plain text password in alertmanager.yml of alertmanager?
>

For pretty much all password authentication systems the password is
stored on the server as a hash. As a result it is required to send a
plain text version of the password from the client to allow it to be
matched (as you can convert plain text to hash but not the other way).
The only real exception is digest authentication, which is basically
never used (as it needs clear text passwords on the server which is a
huge security issue).

As a result Alertmanager needs to have the plain text password available
to send to the server.

You can use disk level encryption or store your password in an encrypted
secret store before it is deployed to the server/pod, but when it is
actually read by Alertmanager it has to be plain text.

As with all secrets in config files or environment variables you would
protect them using the permission system for wherever you are running
Alertmanager (e.g. run Alertmanager as a specific user and prevent other
users from reading the config file) or any other security features of
that system (e.g. using Secrets instead of ConfigMaps within
Kubernetes).

All standalone server systems have this requirement.

--
Stuart Clark
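
The reply above recommends running Alertmanager as a specific user and preventing other users from reading the config file. The following is an added example, not part of the original thread or the Alertmanager project: a POSIX shell check that a config file is owned by the expected numeric UID and carries no group/other permission bits. The function name, the file path and the `alertmanager` account name in the usage comment are assumptions.

```shell
#!/bin/sh
# check_secret_file FILE OWNER_UID
# Exit status 0 only if FILE is a regular file (not a symlink), owned by
# OWNER_UID, with no permission bits set for group or other.
check_secret_file() {
    file=$1
    want_uid=$2

    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is missing, a symlink, or not a regular file" >&2
        return 1
    fi

    # "ls -ldn" prints: <mode> <links> <uid> <gid> ...
    listing=$(ls -ldn -- "$file") || return 1
    mode=$(printf '%s\n' "$listing" | awk '{print $1}')
    uid=$(printf '%s\n' "$listing" | awk '{print $3}')

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $file is owned by uid $uid, expected $want_uid" >&2
        return 1
    fi

    # Characters 5-10 of the mode string are the group and other bits.
    others=$(printf '%s' "$mode" | cut -c5-10)
    if [ "$others" != "------" ]; then
        echo "FAIL: $file has mode $mode; group/other access is set" >&2
        return 1
    fi

    echo "OK: $file readable only by uid $uid"
    return 0
}

# Example call (path and account name are assumptions):
#   check_secret_file /etc/alertmanager/alertmanager.yml "$(id -u alertmanager)"
```

A check like this can run before the service starts, so a config file that has drifted to a wider mode is caught before Alertmanager reads the password from it.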