如何在 Windows 和 Linux 上正确存储 .NET Core 非交互式应用程序凭据? [英] How to store .NET Core non-interactive app credentials properly on both Windows and Linux?

问题描述

我需要为我的应用存储凭据.我读过将它们与代码一起存储是一种非常糟糕的做法.

I need to store credentials for my app. I've read it's a very bad practice to store them with code.

我知道，DPAPI 就是为它而生的，但是如何在像 Ubuntu 这样的 Linux 上使用它?所以 - 如果我可以让 DPAPI 在 Linux 上运行而无需花费一整天的时间 - 这将是我的第一选择.

I know, DPAPI is just made for it, but how to use it on Linux like Ubuntu? So - if I could make DPAPI work on Linux without spending whole day on it - it would be my first choice.

然后是穷人的安全 - 目标机器上的文件.所以 - 与源无关 ;) 该文件位于只有管理员可以访问的目录中，因此它与主机本身一样安全.我也可以在我的 Windows 开发机器上拥有该文件，它和我的机器一样安全.

Then it's poor man's security - a file on target machine. So - not with the source ;) The file is in a directory only the admin can access, so it's as secure as the host itself. I can also have the file on my Windows development machine, it's as secure as my machine.

告诉我为什么文件是坏的?;)

Tell me why the file is bad? ;)

推荐答案

我需要为我的应用存储凭据.

I need to store credentials for my app.

嗯嗯.

我读过将它们与代码一起存储是一种非常糟糕的做法.

I've read it's a very bad practice to store them with code.

不是with code"，而是in代码:即作为字符串文字嵌入到您的可执行文件中.

Not "with code", but in code: i.e. as string literals baked into your executable.

我知道，DPAPI 就是为此而生的

I know, DPAPI is just made for it

是的.

但是如何在像 Ubuntu 这样的 Linux 上使用它?

but how to use it on Linux like Ubuntu?

有困难.

所以 - 如果我可以让 DPAPI 在 Linux 上运行而无需花费一整天的时间 - 这将是我的第一选择.

So - if I could make DPAPI work on Linux without spending whole day on it - it would be my first choice.

你不能.DPAPI 是一个 Windows thang.

You can't. DPAPI is a Windows thang.

然后是穷人的安全 - 目标机器上的文件.所以 - 不是来源

Then it's poor man's security - a file on target machine. So - not with the source

至少在 Linux 上，您可以利用简单得多的文件系统安全模型来保护文件不被其他用户访问而无需太多努力(即 chmod，与Windows，您需要在其中使用 DACL(警告:DACL 在客观上仍然远远优于 chmod.考虑使用 SELinux 在 Windows 之外获取 DACL).

At least on Linux you can take advantage of the far simpler filesystem security model to secure files from access by other users without too much effort (i.e. chmod, compared to Windows where you need to faff around with DACLs (caveat: DACLs are still objectively far,far superior to chmod. Consider using SELinux to get DACLs outside of Windows).

该文件位于只有管理员可以访问的目录中，因此它与主机本身一样安全.

The file is in a directory only the admin can access, so it's as secure as the host itself.

值得商榷.

告诉我为什么文件是坏的?;)

Tell me why the file is bad? ;)

我不能.您没有告诉我们有关该文件的任何信息.

I can't. You haven't told us anything about the file.

更好的解决方案:利用任何可用的硬件 TPM 来存储加密密钥:https://wiki.archlinux.org/index.php/Trusted_Platform_Module

Better solution: take advantage of any available hardware TPM to store encryption keys: https://wiki.archlinux.org/index.php/Trusted_Platform_Module

这篇关于如何在 Windows 和 Linux 上正确存储 .NET Core 非交互式应用程序凭据?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！