How to hide sensitive data from node.conf?

Question

Can someone please give me an example for corporatePasswordStore that is mentioned here:
https://docs.corda.net/node-administration.html?fbclid=IwAR0gRwe5BtcWO0NymZVyE7_yMfthu2xxnU832vZHdbuv17S-wPXgb7iVZSs#id2
I've been doing a lot of research in the last few days on how to hide the plain passwords from node.conf; it's a new topic for me and this is what I came up with so far:

- Create a priv/pub key with gpg2.
- Create a password store with pass (using the key that I generated earlier).
- Store all the plain passwords from node.conf inside that password store.
- Replace the plain passwords in node.conf with environment variables (e.g. keyStorePassword = ${KEY_PASS}).
- Create a script file (e.g. start_node.sh) that will do the following:
  a. Set an environment variable to one of the passwords from the password store: export key_store_password=$(pass node.conf/keyStorePassword)
  b. Start the node: java -jar corda.jar
  c. Restart the gpg agent to clear the cached passwords, otherwise you can get any password from the store without passing the passphrase: gpgconf --reload gpg-agent
Pros:
- Using the bash file start_node.sh allows setting many passwords as environment variables at once (e.g. keyStore, trustStore, db passwords, RPC user password).
- Since we are running the bash file with bash start_node.sh and not source start_node.sh, the environment variable is not exposed to the parent process (i.e. you cannot read that environment variable value inside the terminal where you ran bash start_node.sh).
- History commands are not enabled by default inside bash scripts.
Cons:
You can no longer have a service that automatically starts on VM startup, because the start_node.sh script will ask for the passphrase for your gpg key that was used to encrypt the passwords inside the password store (i.e. it's an interactive script).

Am I over-complicating this? Do you have an easier approach? Is it even necessary to hide the plain passwords?

I'm using Corda open source so I can't use the Configuration Obfuscator (which is for Enterprise only): https://docs.corda.r3.com/tools-config-obfuscator.html#configuration-obfuscator (edited)
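The start_node.sh flow the question sketches, written out as an added example that is neither the asker's own script nor Corda's code. It reads each secret from the `pass` store into an environment variable that node.conf references as `${KEY_PASS}` and so on, starts the node, and reloads gpg-agent afterwards; it also adds a check that node.conf no longer carries any literal password before the node is launched. The `SECRET_CMD` override, the entry names under `node.conf/` in the store, the variable names `KEY_PASS`, `TRUST_PASS`, `DB_PASS`, and the `check_node_conf` function are assumptions for the example, not anything from the question or the Corda documentation.

```shell
#!/bin/sh
# Added example (not the question's script, not Corda code): a start_node.sh that
# loads node secrets from a `pass` store into the environment and verifies that
# node.conf itself contains no plaintext passwords before starting the node.
# SECRET_CMD, the pass entry names under node.conf/, the exported variable names
# and check_node_conf are all assumptions made for this example.

# Command that prints a decrypted secret; `pass <entry>` does exactly that.
# Kept overridable so the functions can be exercised without gpg/pass installed.
SECRET_CMD="${SECRET_CMD:-pass}"

fetch_secret() {
    "$SECRET_CMD" "$1"
}

# Export every secret the node needs. The entry names are assumed; they must
# match whatever you stored with `pass insert node.conf/<name>`.
load_node_secrets() {
    KEY_PASS=$(fetch_secret node.conf/keyStorePassword) || return 1
    TRUST_PASS=$(fetch_secret node.conf/trustStorePassword) || return 1
    DB_PASS=$(fetch_secret node.conf/dataSourcePassword) || return 1
    export KEY_PASS TRUST_PASS DB_PASS
}

# Defender check: any line that sets a password/passphrase must use an
# environment-variable placeholder such as ${KEY_PASS}. Prints offending
# lines (with line numbers) to stderr and returns 1; returns 0 when clean.
check_node_conf() {
    conf="$1"
    leaks=$(grep -inE '(password|passphrase)[[:space:]]*[=:]' "$conf" \
            | grep -vE '\$\{[A-Za-z_][A-Za-z0-9_]*\}') || true
    if [ -n "$leaks" ]; then
        printf 'plaintext secret(s) still in %s:\n%s\n' "$conf" "$leaks" >&2
        return 1
    fi
    return 0
}

start_node() {
    set +x                         # never trace commands (and secrets) to the terminal
    check_node_conf node.conf || exit 1
    load_node_secrets || exit 1    # pass prompts for the gpg passphrase here
    status=0
    java -jar corda.jar || status=$?   # node resolves ${KEY_PASS} etc. from the environment
    gpgconf --reload gpg-agent     # drop the cached passphrase once the node has exited
    exit "$status"
}

# Run only when invoked as `sh start_node.sh start`, so the functions above can
# also be sourced or tested on their own.
if [ "${1:-}" = "start" ]; then
    start_node
fi
```

Because the variables are exported inside the script's own process, they disappear when the script exits, which is the isolation the question's second "pro" relies on; `check_node_conf` catches the case where one placeholder was forgotten and a literal password would otherwise ship in node.conf.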
Accepted answer

I wrote a detailed article here: https://blog.b9lab.com/enabling-corda-security-with-nodes-configuration-file-412ce6a4371c, which covers the following topics:
- Enable SSL for database connection.
- Enable SSL for RPC connection.
- Enable SSL for Corda webserver.
- Enable SSL for Corda standalone shell.
- Hide plain text passwords.
- Set permissions for RPC users.