3

A configuration file (.yml) is being used for a rest api developed with Dropwizard (0.9.2 - latest release). Most of the credentials needed by the api such as database password secret key etc., are stored in the configuration file.

We have implemented most of the things based on the items mentioned in the reference found at dropwizard configuration reference .

The question is clear. How secure is it (storing these information in a configuration file as plain text.)? If not, what is the proper way of doing this?

ingenihero
  • 33
  • 4
  • 2
    First approach is to use encrypted configuration files: have a look at [dropwizard third-party modules](http://modules.dropwizard.io/thirdparty/). There you should find [palantir/encrypted-config-value](https://github.com/palantir/encrypted-config-value). The other option is to use shell variables substitution (when deploying to Openshift for example): check [this excellent answer](http://stackoverflow.com/a/23898581/25429). – zloster Feb 23 '16 at 19:54

2 Answers2

1

Yes, it's not secure indeed. Even worse if the configuration file is committed to a public repository or for that matter any repository (version control). One way which I follow is to maintain a local copy (not to be committed to any repository) of the config (.yml) file which has all the sensitive keys & details etc and maintain another example config file which has the sensitive details masked (some dummy strings instead of actual values). This example config can be committed to your repository as it has sensitive details masked.

For all purposes of running your code locally or elsewhere use the local config file. This way you don't risk it to exposing sensitive data on a repository. There is an overhead though in keeping your example config in sync with your local copy whenever you make any modifications.

Sashidhar Thallam
  • 167
  • 6
  • 1
    Thank you. I will go with your proposal. A fully informative local copy and a fake copy for pushing to repository. I will also move the configuration file from root of the project to a special directory. – ingenihero Feb 23 '16 at 12:26
  • @Sashidhar There are better ways to achieve the desired level of security. Check my comment on the question. – zloster Feb 23 '16 at 19:56
  • @zloster Thank you very much for the pointers. I'll check them. – Sashidhar Thallam Feb 24 '16 at 09:14
0

I just looked for the solution for the similar issue. I want to find an solution to not include the keystore password in the config file. Finally I got an solution for it.

Just stored credential keys in the config file. And then use a substitutor to replace the keys with it's related values. But this need a secure key value services to get the values of the keys.

Overriding server connector config with env variables with dropwizard

Community
  • 1
  • 1
Kang Li
  • 606
  • 7
  • 10