Matthias Apitz wrote:
> Hello,
>
> We have large application servers (written in C and C++), but also Perl
> and Java applications which all contact a Sybase database server over
> the network to do their work. They have to present USER and PASSWORD
> information to connect to the Sybase ASE listening on some port. As the USER
> and the PASSWORD are not entered by humans, at least not at the moment
> when the access of the application is made, they are stored in clear
> text in files in the UNIX (Linux, SunOS) file system. They are entered
> once, when the software is installed, or get modified with a text editor
> when the credentials for whatever reason should be changed. Of course, storing
> them in clear text was always a bad idea. Any person with access to the
> server and a bit of knowledge could read and misuse them, even for
> dropping the complete database or manipulating accountancy data.
>
> We are looking for a way to change this situation, and one of the options
> or ideas I have is to encrypt the credentials with GnuPG in some file. Any
> application has to decrypt this file on the fly (perhaps with a shell
> command) to get the USER and PASSWORD into its environment variables or
> internal variables, make use of them to connect to the database
> server, and forget the credentials again ASAP.
>
> Decrypting with GnuPG needs a passphrase, normally read from /dev/tty,
> which cannot be done here in this case. My idea here is to write a
> special 'pinentry' program which provides the passphrase, which is itself
> encrypted with Blowfish internally in the 'pinentry' program, and the 'pinentry' will
> only work if the proc which is calling GnuPG sends, over a socket or a
> file, some information to authorize the access to this special 'pinentry'.
>
> Any other and better ideas for this?
>
> Thanks in advance.
>
> matthias
Investigate Vault by HashiCorp.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
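The scheme Matthias describes, an application decrypting a GnuPG-encrypted credential file at startup with the passphrase supplied by whatever pinentry gpg-agent is configured to use, as an added Python example that is not from the thread. The file layout (one `USER=` and one `PASSWORD=` line inside the encrypted payload) and the function names are assumptions.

```python
import shutil
import subprocess


class CredentialError(RuntimeError):
    """Raised when the encrypted credential file cannot be read or parsed."""


def parse_credentials(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored.

    USER and PASSWORD are both required, so a truncated or corrupted
    decryption result raises instead of being used half-filled.
    """
    creds = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise CredentialError("malformed credential line")
        key, value = line.split("=", 1)  # value may itself contain '='
        creds[key.strip()] = value.strip()
    missing = {"USER", "PASSWORD"} - creds.keys()
    if missing:
        raise CredentialError("missing fields: " + ", ".join(sorted(missing)))
    return creds


def load_credentials(path, gpg="gpg"):
    """Decrypt `path` with GnuPG and return {'USER': ..., 'PASSWORD': ...}.

    No passphrase is handled here: gpg asks gpg-agent, and the agent runs
    the pinentry named by pinentry-program in gpg-agent.conf, which is where
    a custom pinentry like the one proposed in the thread would plug in.
    --batch disables tty prompts, so a missing key or agent fails fast
    instead of hanging the server process. The plaintext exists only in
    this process's memory; nothing is written to disk.
    """
    if shutil.which(gpg) is None:
        raise CredentialError("gpg binary not found: " + gpg)
    proc = subprocess.run(
        [gpg, "--batch", "--quiet", "--decrypt", path],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode != 0:
        raise CredentialError("gpg failed: " + proc.stderr.strip())
    return parse_credentials(proc.stdout)
```

Keep the returned values in program variables rather than exporting them: on Linux the environment of a running process is readable through /proc/<pid>/environ by any process running as the same user, which would undo much of the benefit of encrypting the file.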