0

I have a script that makes various API calls. This script will be run unassisted, so I need to store the login credentials to these and other services in a local config file.

I'm pretty sure it's a horrible idea to store this sensitive data in plaintext in a .txt file. How can I do this more securely?

I saw a similar question, but the answers were very C#-specific: "How to securely save username/password (local)?"

Ethan Lie
  • Possible duplicate of [I need to securely store a username and password in Python, what are my options?](https://stackoverflow.com/questions/7014953/i-need-to-securely-store-a-username-and-password-in-python-what-are-my-options) – Don Kirkby Oct 28 '18 at 00:02

2 Answers

4

If you encrypt the file, how are you going to protect the key that encrypted it? You're going to buy an expensive HSM is what you're going to do.

Barring that, a good, general solution is as follows:

  1. Create an OS user, say foo
  2. Create a (permanent) OS environment variable for user foo, with the login password
  3. Make foo the owner of the script and only give foo right to run that script
  4. Run the script as user foo
  5. Read the OS environment variable in your script

Only foo or root can read foo's OS environment variables. Root can always read everything anyways.

Neil McGuigan
  • It is possible to remain in the config file so long as access to the file is tightly controlled such that only Root and Foo may read the file and nobody can modify the file. – micker Jun 29 '16 at 19:24
  • @micker No. Your solution is local and mine is general. Yours will not work for open source projects. – Neil McGuigan Jun 29 '16 at 19:25
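An added example (not code from either answerer) of step 5 in the answer above, together with the permission check that the config-file variant in the comment depends on. The variable names `API_USERNAME` and `API_PASSWORD` and both function names are hypothetical, and POSIX ownership and mode bits are assumed.

```python
import os
import stat

# Hypothetical variable names; the answer does not name any.
REQUIRED = ("API_USERNAME", "API_PASSWORD")


class CredentialError(RuntimeError):
    """Raised when a required credential is missing or empty."""


def load_credentials(env=None, scrub=True):
    """Read credentials from the environment of the dedicated user (step 5).

    Fails closed if a variable is missing or empty. With scrub=True the
    values are removed from the mapping afterwards, so child processes
    started later by the script do not inherit them.
    """
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        # Report variable names only, never values.
        raise CredentialError("missing environment variables: " + ", ".join(missing))
    creds = {name: env[name] for name in REQUIRED}
    if scrub:
        for name in REQUIRED:
            del env[name]
    return creds


def file_is_private(path):
    """Config-file variant from the comment: accept only a regular file
    owned by the current user with no group or other permission bits set.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != os.geteuid():
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    try:
        creds = load_credentials()
    except CredentialError as exc:
        raise SystemExit(f"refusing to start: {exc}")
    print("loaded credentials for", creds["API_USERNAME"])
```
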
1

You need to use something like this https://docs.python.org/2/library/crypt.html

I have seen this used to store credentials for servers in an object database.

ctrl-alt-delete