
I'm working on a small team trying to put an R script onto an AWS EC2 instance that has RHEL7 installed. The problem is the library "keyring" which we use on our laptops doesn't work without a compatible keyring daemon, which I have been unable to get working on the EC2 instance.

[ec2-user@ip-10-XX-XX-XXX ~]$ gnome-keyring-daemon -r
** Message: couldn't connect to dbus session bus: Cannot autolaunch D-Bus without X11 $DISPLAY
** Message: Replacing daemon, using directory: /run/user/1000/keyring
GNOME_KEYRING_CONTROL=/run/user/1000/keyring
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
[ec2-user@ip-10-XX-XX-XXX ~]$ R
...
[Previously saved workspace restored]

> keyring::key_set('test', 'test')
PASSWORD: ****
Error in warn_for_keyring(keyring) :
  argument "keyring" is missing, with no default
In addition: Warning message:
In default_backend_auto() :
  Selecting ‘env’ backend. Secrets are stored in environment variables

For now we're using an R environment file, but we'd prefer some form of hashed storage. Can anyone recommend a method for secure key storage that we can use in production?

Jon M
    I'm no security expert, but you probably need to be more specific about your needs. Is it sufficient to check that a user knows a password (so storing a hash of it would be enough), or do you need to store some key in a secure way and recover it for some other use? The digest package has various functions for computing hashes that might be good enough for the former. The latter is what the keyring package is designed for, so if you can't get it working, you might be out of luck. – user2554330 Feb 02 '18 at 19:53
  • It is the latter. The password needs to be retrieved automatically by the program. And the password can't be stored in plain text. – Jon M Feb 02 '18 at 21:11
  • Generally speaking you cannot securely store a password or secret on a server. This is known as the *["Unattended Key Storage"](https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf)* problem. Gutmann calls it a *"wicked hard"* problem. It is a problem without a solution. Refer to Gutmann's book for some potential remediations that move the problem around. – jww Feb 02 '18 at 21:38
  • To answer *"Can anyone recommend a method for secure key storage that we can use in production?"* - I believe you have two choices. The first is filesystem ACLs; and the second is Amazon's CloudHSM. The Linux crowd has not warmed up to the fact the userland needs help from the OS when protecting secrets. OS X and Windows have protected storage, but Linux still lacks it. – jww Feb 02 '18 at 22:53
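The "filesystem ACLs" option from the comments above, as an added example that is not part of the original question or its comments: the secret lives in a file that only the service account can read, and the loader refuses to use it if the mode, owner, or parent directory has drifted. It uses plain POSIX mode bits rather than setfacl, assumes GNU coreutils (`stat -c`, as on RHEL 7), and the file path and secret value are constructed for illustration. As the Gutmann reference in the thread notes, this only moves the unattended-key problem: root, or anyone who becomes the service user, can still read the file.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes GNU stat (-c); the secret and path below are made up for the demo.

# Write $2 into $1 so the file is never readable by anyone but its owner,
# even for the instant between creation and the final chmod.
store_secret() {
    file=$1; secret=$2
    ( umask 077; : > "$file" )     # create empty with owner-only bits (subshell keeps umask local)
    chmod 0600 "$file"             # in case the file already existed with looser bits
    printf '%s\n' "$secret" > "$file"
}

# Return 0 only if $1 is a regular file, owned by the caller, mode exactly 0600,
# and not inside a directory that "other" can write to (e.g. /tmp, where a
# sibling could swap the file). Otherwise return 1.
secret_perms_ok() {
    file=$1
    [ -f "$file" ] || return 1
    mode=$(stat -c '%a' "$file") || return 1
    owner=$(stat -c '%u' "$file") || return 1
    [ "$mode" = "600" ] || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    dirmode=$(stat -c '%a' "$(dirname "$file")") || return 1
    case $dirmode in
        *[2367]) return 1 ;;       # last octal digit carries the write bit for "other"
    esac
    return 0
}

# Print the secret on stdout only after the permission check passes;
# an R process would read this via system()/readLines() instead of an .Renviron file.
load_secret() {
    secret_perms_ok "$1" || { echo "refusing to read $1: unsafe permissions" >&2; return 1; }
    cat "$1"
}
```

Run the store step once from the service account (for example in the instance's user-data or a config-management step), and call the load step from the R job; because the check is repeated on every read, an accidental `chmod 644` or a copy into a world-writable directory fails closed instead of silently exposing the credential.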

0 Answers