How to hide sensitive data from node.conf?


Question

Can someone please give me an example for corporatePasswordStore that is mentioned here:
https://docs.corda.net/node-administration.html?fbclid=IwAR0gRwe5BtcWO0NymZVyE7_yMfthu2xxnU832vZHdbuv17S-wPXgb7iVZSs#id2

I've been doing a lot of research in the last few days on how to hide the plain passwords from node.conf; it's a new topic for me and this is what I came up with so far:


  1. 使用<$ c $创建一个priv / pub密钥c> gpg2

  2. 使用 pass (使用我先前生成的密钥)创建密码存储。

  3. node.conf 中的所有普通密码存储在该密码存储区中。

  4. 用环境变量替换 node.conf 中的普通密码(例如 keyStorePassword = $ {KEY_PASS}

  5. 创建一个脚本文件(例如 start_node.sh ),该脚本文件将执行以下操作:

  1. Create a priv/pub key with gpg2
  2. Create a password store with pass (using the key that I generated earlier).
  3. Store all the plain passwords from node.conf inside that password store.
  4. Replace the plain passwords in node.conf with environment variables (e.g. keyStorePassword = ${KEY_PASS})
  5. Create a script file (e.g. start_node.sh) that will do the following:

a. Set an environment variable to one of the passwords from the password store: export key_store_password=$(pass node.conf/keyStorePassword)
b. Start the node: java -jar corda.jar
c. Restart the gpg agent to clear the cached passwords, otherwise you can get any password from the store without passing the passphrase: gpgconf --reload gpg-agent

Pros:

  1. Using the bash file start_node.sh allows to set many passwords as environment variables at once (e.g. keyStore, trustStore, db passwords, RPC user password)
  2. Since we are running the bash file with bash start_node.sh and not source start_node.sh, the environment variable is not exposed to the parent process (i.e. you cannot read that environment variable value inside the terminal where you ran bash start_node.sh
  3. History commands are not enabled by default inside bash scripts.

Cons:

You no longer can have a service that automatically starts on VM startup, because the start_node.sh script will ask for the passphrase for your gpg key that was used to encrypt the passwords inside the password store (i.e. it's an interactive script).

Am I over-complicating this? Do you have an easier approach? Is it even necessary to hide the plain passwords?

I'm using Corda open source so I can't use the Configuration Obfuscator (which is for Enterprise only): https://docs.corda.r3.com/tools-config-obfuscator.html#configuration-obfuscator (edited)
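As an added illustration of the start_node.sh sketched in steps 5a to 5c (example code, not the poster's script), here is a POSIX sh version that refuses to export a missing or empty entry instead of starting the node with an empty password, and reloads gpg-agent after the node exits however it exits. PASS_CMD, CORDA_JAR, the variable names and the node.conf/... entry names are assumptions.

```shell
#!/bin/sh
# start_node.sh, added example: resolve node.conf secrets from `pass`,
# export them only for the node process, then clear gpg-agent's cache.
# PASS_CMD, CORDA_JAR, the variable names and the entry names are assumptions.
set -eu

PASS_CMD="${PASS_CMD:-pass}"
CORDA_JAR="${CORDA_JAR:-corda.jar}"

# Read one entry from the store. A missing or empty entry is an error:
# exporting "" would let the node start with an empty password.
lookup_secret() {
    entry="$1"
    value="$("$PASS_CMD" show "$entry")" || { echo "missing secret: $entry" >&2; return 1; }
    [ -n "$value" ] || { echo "empty secret: $entry" >&2; return 1; }
    printf '%s' "$value"
}

# Export a secret under the name node.conf references, e.g. keyStorePassword = ${KEY_PASS}.
export_secret() {
    var="$1"
    entry="$2"
    value="$(lookup_secret "$entry")"
    export "$var=$value"
}

# One call per plaintext value removed from node.conf (entry names are assumed).
export_secrets() {
    export_secret KEY_PASS   node.conf/keyStorePassword
    export_secret TRUST_PASS node.conf/trustStorePassword
    export_secret DB_PASS    node.conf/dataSourcePassword
    export_secret RPC_PASS   node.conf/rpcUserPassword
}

# Start the node; whatever its exit status, drop the cached gpg passphrase so the
# store cannot be read again without it.
start_node() {
    export_secrets
    status=0
    java -jar "$CORDA_JAR" || status=$?
    gpgconf --reload gpg-agent
    return "$status"
}

# Run with `bash start_node.sh --run` (not `source`), so the exported
# variables stay in this process and its children only.
if [ "${1:-}" = "--run" ]; then
    start_node
fi
```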

Answer

I wrote a detailed article here: https://blog.b9lab.com/enabling-corda-security-with-nodes-configuration-file-412ce6a4371c, which covers the following topics:


  1. 启用SSL进行数据库连接。

  2. 为RPC连接启用SSL。

  3. 为Corda Web服务器启用SSL。

  4. 为Corda独立shell启用SSL。

  5. 隐藏纯文本密码。

  6. 设置RPC用户的权限。

  1. Enable SSL for database connection.
  2. Enable SSL for RPC connection.
  3. Enable SSL for Corda webserver.
  4. Enable SSL for Corda standalone shell.
  5. Hide plain text passwords.
  6. Set permissions for RPC users.
