Comments (9)
You can generate a key at startup of your application, which will be used to encrypt your user/password. The key can be stored outside the database on the user's machine and read into memory at startup.
Then you can decrypt the username/password. This is a very simple solution, unless you want to use an external library that might offer more realistic implementation strategies.
from kapowarr.
So basically: "Encrypt it with a key and put the key somewhere on the system, outside the database"? That doesn't solve the problem. The project is open source, so everyone can simply figure out where the key would be stored and, when "stealing" the database, also grab the key and use it to still get access to the raw credentials. It's basically no better than storing the key in a variable inside the code.
from kapowarr.
Generate it per user on their machine based on machine info. I do this for my codebase for JWT encryption (not credentials).
Yes, if you have access to the user's machine, then you'd be compromised. You could do some hardware-based key to generate a unique encryption key, but then you wouldn't be able to move from one instance to another. Likewise, with Docker you could hit some roadblocks.
Just wanted to throw some suggestions out, I'm honestly not sure how to solve with a home grown solution.
from kapowarr.
I think in a professional env I would put it in Azure Key Vault or similar. Usually the recommendation is to store them in a config file or the env variables rather than a DB.
Encrypting them is no use if the weak point is the front end. If I can bypass auth and get the settings API to load, then it doesn't matter what encryption you use; it will be decrypted for me.
from kapowarr.
I would recommend just looking at what was done in Sonarr and modeling after that. Open source has a lot of limitations as all code is visible, so if you want to add extra security, you have to put more onus onto the user when setting up the application (like setting env variables, etc.).
from kapowarr.
As I understand it, for Mega at least, you need to send the username and password over in encrypted form (base64?). So what I'd do is store the username and the encrypted string. The application has what it needs to get the data, and if someone gets hold of the DB, they can still use it to access the Mega account but nothing else (the big risk of plaintext passwords is where passwords are reused).
from kapowarr.
Generate a key on install, and salt the passwords before encrypting. Decrypt the values from env/db when required.
https://github.com/tasos-py/AES-Encryption-Classes/blob/master/aes_encryption.py
from kapowarr.
So:
- Generate a key
- Use it to encrypt the data and store it
- Use it to decrypt the stored data for usage in code
The problem then is that everyone that has access to the database file can also just grab the key to decrypt everything. It's like having a lock, but with the key hanging next to it; does the lock really work then?
from kapowarr.
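The following is an added example, not kapowarr's code and not code from anyone in this thread. It implements the scheme the first comment and the summary above describe (generate a key on first start, keep it in the config directory rather than the database, encrypt the stored credentials with it) and adds the per-machine binding suggested further up, then plays out the thread's threat model: who can decrypt the stored record given the database file alone, the database plus the key file on another machine, or both on the same host. Everything it uses is assumed for illustration: the file names, the constructed machine identifiers and account, and the HMAC-SHA256 stream-plus-MAC construction, which is only a standard-library stand-in for a vetted AEAD such as AES-GCM from the cryptography package.

```python
"""Added example, not kapowarr's code: 'key outside the database', bound to
machine info, and a walk through who can decrypt the stored credentials.
Standard library only; the HMAC-SHA256 keystream + MAC construction is a
stand-in for a vetted AEAD (AES-GCM / ChaCha20-Poly1305), which is what a
real project should use."""
import hmac
import json
import os
import secrets
import tempfile
from pathlib import Path

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def load_or_create_key(key_file: Path) -> bytes:
    """Read the master key from key_file, creating it on first start.
    The file lives in the config dir, not next to the DB, and is created
    0600 with O_EXCL so a key that already exists is never overwritten."""
    if key_file.exists():
        key = key_file.read_bytes()
        if len(key) != KEY_LEN:
            raise ValueError("key file has unexpected length")
        return key
    key = secrets.token_bytes(KEY_LEN)
    fd = os.open(key_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)
    return key


def derive_machine_key(file_secret: bytes, machine_id: bytes) -> bytes:
    """Bind the file secret to machine info (the per-machine suggestion).
    machine_id is public (think /etc/machine-id); the file secret is already
    random, so one HMAC suffices.  Side effect: the DB will not decrypt after
    being moved to another machine, as noted in the thread."""
    return hmac.new(file_secret, b"credentials|" + machine_id, "sha256").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC, separate subkeys)."""
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or an edited blob raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _can_decrypt(key: bytes, blob: bytes) -> bool:
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


def run_scenario() -> dict:
    """Play out the thread's threat model in a temp dir and report who can read
    the stored credentials.  Paths, machine ids and the account are constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        config_dir, db_dir = Path(tmp, "config"), Path(tmp, "db")
        config_dir.mkdir()
        db_dir.mkdir()
        key_file = config_dir / "credentials.key"
        machine_a = b"constructed-machine-id-A"        # stand-in for /etc/machine-id
        app_key = derive_machine_key(load_or_create_key(key_file), machine_a)

        creds = json.dumps({"user": "alice@example.com", "password": "hunter2"}).encode()
        (db_dir / "settings.db").write_bytes(encrypt(app_key, creds))  # the settings row

        stolen_db = (db_dir / "settings.db").read_bytes()
        stolen_key_file = key_file.read_bytes()
        return {
            # the app after a restart rebuilds the same key from file + machine id
            "app_after_restart": _can_decrypt(
                derive_machine_key(load_or_create_key(key_file), machine_a), stolen_db),
            # DB file alone: no plaintext, and the key is 256 random bits elsewhere
            "db_only_shows_password": b"hunter2" in stolen_db,
            # DB + key file carried to another machine: the machine binding blocks it
            "db_and_keyfile_other_machine": _can_decrypt(
                derive_machine_key(stolen_key_file, b"constructed-machine-id-B"), stolen_db),
            # DB + key file + machine id, i.e. access to the host itself: the
            # 'key hanging next to the lock' case, and it decrypts everything
            "db_and_keyfile_same_machine": _can_decrypt(
                derive_machine_key(stolen_key_file, machine_a), stolen_db),
        }


if __name__ == "__main__":
    for case, result in run_scenario().items():
        print(f"{case}: {result}")
```

Running it shows the point the thread keeps circling: the scheme turns "copy the database" into "copy the database and the key file from the same host", which is a real but modest gain, and it does nothing against an attacker who can already talk to the settings API as a logged-in user.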
I think the key has to be at another point than the database, at least. But yes, you are right; for example, WordPress handles it the exact same way.
from kapowarr.