处理生产配置密码自动部署 [英] Handling passwords in production config for automated deployment
问题描述
我看到这里的相关问题,但他们似乎没有要回答正是我需要的。
I have seen related questions here, but they don't seem to be answering exactly what I need.
我们使用PowerShell脚本来部署我们的应用程序和信息就像在配置文件中的口令对于大多数的环境下(UATs等)都是纯文本格式。这不是一个大问题,但是当涉及到PREPROD和PROD,这是一个大问题。因此,我们不得不在配置一些标记,如{{PROMT密码}},这会给一个登录对话框( GET-凭据),并在部署可以进入人凭据和部署仍在继续。
We use Powershell scripts to deploy our applications and the info like passwords in configuration files for most of the environments ( UATs etc. ) are in plain text. It is not a big issue, but when it comes to PREPROD and PROD, it is a big issue. So we had some markers in the config like "{{promt-password}}" which will give a login dialog (Get-Credential) and the person doing the deployment can enter the credential and the deployment continues.
但是,这并不能真正帮助自动部署(即一键通过像TeamCity的工具部署)
But this doesn't really help for automated deployment ( meaning one-click deploy through tools like TeamCity )
我应该去非对称加密( http://msdn.microsoft.com /en-us/library/as0w18af.aspx )其中的密码是使用公钥加密,在配置进入和私人密钥存储(如这里所描述的http://msdn.microsoft.com/en-us/library/tswxhw92.aspx )中的代理人(如在一个虚拟机从那里的TeamCity将触发部署并已限制访问)运行自动化部署,它可以解密密码?没有真正的密码与sttuf强,但这种声音喜欢的方式去?任何其他建议? ?人们如何处理这样的自动化部署
Should I go for Asymmetric encryption ( http://msdn.microsoft.com/en-us/library/as0w18af.aspx ) where the password is encrypted using a public key, entered in the config, and private key is stored (as described here http://msdn.microsoft.com/en-us/library/tswxhw92.aspx ) in the "agent" ( as in a VM from where TeamCity will trigger the deployment and which has restricted access ) running the automated deployment and it can decrypt the password? Not really strong on Cryptography and sttuf, but does this sound like the way to go? Any other suggestions? How do people handle such automated deployment?
更新:
好吧,我已经取得了进展,并付诸实施。我写它使用Crypography库控制台应用程序在C#。该应用程序生成密钥:
Ok, I have gone ahead and implemented it. I have written a Console Application in C# which uses the Crypography libraries. The app generates the keys:
RSACryptoServiceProvider rsa = GetRsa(containerName);
File.WriteAllText("keys.kez",rsa.ToXmlString(true));
我也得到了公共密钥:
I also get out the public key:
File.WriteAllText("public.pke", rsa.ToXmlString(false));
给公共密钥的人谁对密码进行加密,并要求他们在输入密码配置。把keys.kez文件中有运行部署的任何代理。
Give the public key to anyone who has to encrypt the password and ask them to enter the password in the config. Put the keys.kez file in any agent that has to run the deployment.
推荐答案
非对称加密肯定是从安全和简单的角度来看这里的赢家。我已经以这种方式生产部署SaaS应用得非常成功。
Asymmetric encryption is definitely the winner here from a security and simplicity standpoint. I have deployed production SaaS apps in this manner very successfully.
有一些技巧。一,正如你所说,确保公共/私有密钥对安装在主机上,而不是存储在配置文件或代码。二,承担起微软提供的管理和密钥生成工具是弱到可怕的和相应的计划(我们创建了一个简单的exe凯基为业务部署过程中运行。)
There are a few tricks. One, as you mentioned, make sure the public/private key pair is installed on the host, not stored in config files or in the code. Two, assume the management and key generation tools provided by MS are weak to terrible and plan accordingly (we created a simple keygen exe for Operations to run during deploy.)
这篇关于处理生产配置密码自动部署的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
