英文:
Scheduled process - providing key for encrypted config
问题
我开发了一个工具,可以在运行时加载配置文件。其中一些值使用AES密钥进行加密。
该工具将被安排定期从远程机器上运行。提供解密密钥给程序的一种可接受的方式是什么?该程序具有命令行界面,我可以通过它传递密钥。目前我可以看到三个选项:
- 通过命令行界面提供完整的密钥,这意味着密钥在操作系统配置级别上是明文可见的(例如CronJob)。
- 通过源代码将密钥硬编码到二进制文件中。出于多种原因,这不是一个好主意(反编译和可移植性较差)。
- 使用“1”和“2”的组合,即在可执行文件中有一个基础密钥,然后通过命令行界面接受部分密钥。这样我可以在多台机器上使用相同的构建,但无法解决反编译可执行文件的问题。
值得注意的是,我对通过反编译可执行文件获取密钥并不太担心。如果我确信有办法通过混淆等方式解决这个问题。
最终,如果我真的很在意,我就不会在任何地方存储密码。
我想听听什么是最佳实践。谢谢。
我添加了Go标签,因为该工具是用Go编写的,以防有一个神奇的Go包可以提供帮助,除此之外,这个问题与具体的技术无关。
更新:我试图保护密钥免受外部攻击者的攻击,而不是机器的常规物理用户。
英文:
I have developed a tool that loads in an configuration file at runtime. Some of the values are encrypted with an AES key.
The tool will be scheduled to run on a regular basis from a remote machine. What is an acceptable way to provide the decryption key to the program. It has a command line interface which I can pass it through. I can currently see three options
- Provide the full key via CLI, meaning the key is available in the clear at OS config level (i.e. CronJob)
- Hardcode the key into the binary via source code. Not a good idea for a number of reasons. (Decompiling and less portable)
- Use a combination of
1
and2
i.e. Have a base key in exe and then accept partial key via CLI. This way I can use the same build for multiple machines, but it doesn't solve the problem of decompiling the exe.
It is worth noting that I am not too worried about decompiling the exe to get key. If i'm sure there are ways I could address via obfuscation etc.
Ultimately if I was really conscious I wouldn't be storing the password anywhere.
I'd like to hear what is considered best practice. Thanks.
I have added the Go tag because the tool is written in Go, just in case there is a magical Go package that might help, other than that, this question is not specific to a technology really.
UPDATE:: I am trying to protect the key from external attackers. Not the regular physical user of the machine.
答案1
得分: 1
这种系统的最佳实践有两种方式:
-
系统管理员在启动时进行身份验证,在控制台上提供密码。这通常非常不方便,但实现起来相对容易。
-
使用硬件设备来保存凭据。最常见和有效的设备被称为HSM(硬件安全模块)。它们有各种格式,从USB密钥到插件板再到外部机架式设备。HSM具有自己的API,您需要与之进行接口交互。HSM的主要特点是它不会泄露其密钥,并且具有物理保护措施以防止其被提取。您的应用程序向其发送一些数据,它对数据进行签名并返回。这证明了硬件模块连接到了该机器。
对于特定的操作系统,您可以利用本地安全凭据存储,这可以提供一定的保护。特别是Windows和OS X通常都有这些功能,通常与管理员在启动时需要输入的某些凭据相关联。我不知道Linux有一个特别有效的解决方案,而且总的来说,在服务器环境中这相当不方便(因为需要手动进行系统管理员干预)。
在我处理过的每个案例中,HSM最终都是最佳解决方案。对于简单的用途(如启动应用程序),您可以以几百美元的价格购买它们。对于更多的“自己动手”,我见过它们的价格低至50美元。我没有特别评价这些产品。我主要使用的是价格稍高一些的产品,但基本思想是相同的。
英文:
Best practice for this kind of system is one of two things:
-
A sysadmin authenticates during startup, providing a password at the console. This is often extremely inconvenient, but is pretty easy to implement.
-
A hardware device is used to hold the credential. The most common and effective are called HSMs (Hardware Security Modules). They come in all kinds of formats, from USB keys to plug-in boards to external rack-mounted devices. HSMs come with their own API that you would need to interface with. The main feature of an HSM is that it never divulges its key, and it has physical safeguards to protect against it being extracted. Your app sends it some data and it signs the data and returns it. That proves that that the hardware module was connected to this machine.
For specific OSes, you can make use of the local secure credential storage, which can provide some reasonable protection. Windows and OS X in particular have these, generally keyed to some credential the admin is required to type at startup. I'm not aware of a particularly effective one for Linux, and in general this is pretty inconvenient in a server setting (because of manual sysadmin intervention).
In every case that I've worked on, an HSM was the best solution in the end. For simple uses (like starting an application), you can get them for a few hundred bucks. For a little more "roll-your-own," I've seen them as cheap as $50. (I'm not reviewing these particularly. I've mostly worked with a bit more expensive ones, but the basic idea is the same.)
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论