Powered by GitBook

Credentials Security Solution

Services

We've two services providing credentials security

encrypted-personal-credentials-service
encrypted-admin-credentials-service

Factors for encryption / decryption

In order to encrypt / decrypt credentials we use gnupg. So beound the pallet.jar we need additional factors to run our config management:

the gnupg sec keyring (can be loaded from ~/.gnupg/secring.gpg, PALLET_HOME/.gnupg/secring.gpg or from classpath),
the passphrase, if secure key is protected (has to be provided as runtime parameter).

We use https://github.com/greglook/clj-pgp as gnupg adapter.

Source of credentials

We need some util function to

collect configuration from various places with precedence
- service-config from conventions-module
- PALLET_HOME/config.clj (PALLET_HOME defaults to ~/),
- PALLET_HOME/services/service_name.clj,
- current users name & ssh credentials

Secrets are stored in schema:

:encrpyted-credential 
  {:account "account identifier unencrypted"
   :secret "ascii armored & gpg encrypted"}

Utility for manipulating credentials

decrypt credentials & show in REPL
encrypt credentials & show in REPL
store encrypted credentials,