Forum: Ruby on Rails encrypting the database password

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Marshall Levin (mlevin)
on 2005-12-01 23:23
Hi,

I swear I've searched the Wiki, FAQs, mailing lists, etc., but I can't
seem to find an answer to this.

I'm proposing using RoR for an admin app that by all accounts would be a
perfect candidate for this technology... but our operations staff is
nervous about the fact that the database password is stored in clear
text. They point out that in Weblogic (which is what they want us to
use), the password is encrypted.

Is there any way to make RoR use an encrypted password? This seems like
a pretty important consideration if RoR is going to be used in secure
production environments.

Thanks
sitharus-rails (Guest)
on 2005-12-01 23:32
(Received via mailing list)
On 2/12/2005, at 11:23 AM, Marshall Levin wrote:

> I'm proposing using RoR for an admin app that by all accounts would
> be a
> perfect candidate for this technology... but our operations staff is
> nervous about the fact that the database password is stored in clear
> text. They point out that in Weblogic (which is what they want us to
> use), the password is encrypted.

Think for a second. If the password is encrypted it must get
decrypted at some point. If it can be decrypted and someone breaks
into your system do you really think you stand a gnat's chance in hell
of keeping the password out of the hands of the attacker? You're
better off making sure database.yml is readable only to the Rails
user, and make that user different from the web server's user.
FastCGI is great at that.

In short, yes it can be done. It can be done easily. But it offers no
extra security. Once a machine is compromised you must assume that
all data on it has been taken, things like this only help clueless
administrators keep their head in the clouds.

--
Phillip Hutchings
WebGenius Programmer
phillip@webgenius.co.nz
technoweenie (Guest)
on 2005-12-01 23:36
(Received via mailing list)
> a pretty important consideration if RoR is going to be used in secure
> production environments.
>
> Thanks

How would you encrypt it without having the secret password on the
system with it? What good would that do besides providing a layer of
obscurity?

I actually did this kind of thing in ASP.Net w/ the Data Protection
API.  It's basically a PKI system built into Windows (for EFS) where
the server and each user has their own private key.  Though, I'm not
sure what it did for my app besides making it a PITA to change the
password :)

--
rick
http://techno-weenie.net
snacktime (Guest)
on 2005-12-02 00:12
(Received via mailing list)
On 12/1/05, Marshall Levin <mlevin@meadhall.com> wrote:
>
> Is there any way to make RoR use an encrypted password? This seems like
> a pretty important consideration if RoR is going to be used in secure
> production environments.
>

I'm sure you are going to get a lot of answers on this...

I really don't know how weblogic encrypts the password.  Is it really
encrypting it in a way that is offering real protection, or is it just
illusory?  Where is the encryption key stored?
With the way that rails works, encrypting the database password gets
you very little.  In fact encrypting the database password gets you
very little no matter what platform you are using.  If your system
really needs to be secure then you need to approach the problem from
an in depth approach.  Otherwise don't put sensitive information
online to begin with.

I know that's not what most operations types might like to hear, but
it's what they should be told.

Chris
Marshall Levin (mlevin)
on 2005-12-02 00:39
snacktime wrote:
> I really don't know how weblogic encrypts the password.  Is it really
> encrypting it a way that is offering real protection, or is it just
> illusory?  Where is the encryption key stored?

Weblogic encrypts the string using 3DES and its encryption key is hidden
somewhere inside the beast. I'm not entirely sure where. I just know
that it has its own encryption tool (see
http://e-docs.bea.com/wls/docs90/admin_ref/utils.h...) that uses
a mysterious "encryption service."

I realize that this is *somewhat* illusory -- it's better than having it
in plain text, but yes, if the app server is compromised, the database
isn't far behind.

Incidentally, my company specializes in putting sensitive information
online.
technoweenie (Guest)
on 2005-12-02 01:09
(Received via mailing list)
> Incidentally, my company specializes in putting sensitive information
> online.

I think I smell a plugin...

--
rick
http://techno-weenie.net
snacktime (Guest)
on 2005-12-02 01:21
(Received via mailing list)
On 12/1/05, Marshall Levin <mlevin@meadhall.com> wrote:
>
> I realize that this is *somewhat* illusory -- it's better than having it
> in plain text, but yes, if the app server is compromised, the database
> isn't far behind.
>

> Incidentally, my company specializes in putting sensitive information
> online.

A halfway decent checklist for securing web applications is the CISP
auditing checklist from the Visa site.  It's pretty basic and I'd
argue with a few of its methods, but it covers enough ground to be
useful.

Chris
Bruce Balmer (brucebalmer)
on 2005-12-02 01:57
(Received via mailing list)
I may not understand your question but is the password not stored in
MySQL and not rails?  If so, I know that MySQL can encrypt passwords
and I think that is the default arrangement on 5.0.  Rails can work
with that.

bruce
Bruce Balmer (brucebalmer)
on 2005-12-02 01:57
(Received via mailing list)
Well, that was a much better answer than mine.  I regret having
answered now (and I think I did miss your point).  Perhaps Phillip
Hutchins is a "webgenius programmer"

bruce balmer
not webgenius programmer
sitharus-rails (Guest)
on 2005-12-02 02:06
(Received via mailing list)
On 2/12/2005, at 1:56 PM, Bruce Balmer wrote:

> Well, that was a much better answer than mine.  I regret having
> answered now (and I think I did miss your point).  Perhaps Phillip
> Hutchins is a "webgenius programmer"

Hah, doubt it. That's just the company I work for, my mail client
defaults to that signature.

I still stand by my assertion that an encrypted password offers no
benefits over clear text when you're facing a determined attacker,
and for a 'casual' break in file permissions will be better. Just
make sure the user that the application runs as doesn't have any
login capabilities.

--
Phillip Hutchings
phillip.hutchings@sitharus.com
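An added check in the spirit of Phillip's advice above (example code written for this page, not from the thread): it audits a database.yml for the properties he describes, namely that only the Rails account can read it and that this account is not the web server's. The sample YAML, the temp-file helper and the uids are constructed assumptions; real ownership is compared numerically.

```ruby
require "yaml"
require "tempfile"

# Audit a Rails database.yml for the mitigations recommended in the thread.
# app_uid is the uid Rails runs as, web_uid the uid of the web server (both
# assumptions supplied by the caller). Returns an array of finding strings;
# an empty array means the file passes every check.
def audit_database_yml(path, app_uid:, web_uid:)
  findings = []
  st = File.stat(path)
  mode = st.mode & 0o777
  findings << format("mode %04o lets group/others read the file", mode) if (mode & 0o044) != 0
  findings << format("mode %04o lets group/others write the file", mode) if (mode & 0o022) != 0
  findings << "file uid #{st.uid} is not the Rails uid #{app_uid}" if st.uid != app_uid
  findings << "Rails uid #{app_uid} is also the web server uid" if app_uid == web_uid
  cfg = YAML.safe_load(File.read(path)) || {}
  cfg.each do |env, db|
    next unless db.is_a?(Hash)
    findings << "#{env}: blank password" if db["password"].to_s.empty?
  end
  findings
end

# Constructed sample config; the password is a placeholder, not a real secret.
SAMPLE_YML = <<~YAML
  production:
    adapter: mysql
    database: admin_app
    username: railsapp
    password: example-only-not-a-real-secret
YAML

# Write the sample to a temp file with the given mode and audit it, so the
# check can be exercised without a Rails application on disk.
def audit_sample(mode, app_uid: Process.uid, web_uid: Process.uid + 1)
  Tempfile.create("database.yml") do |f|
    f.write(SAMPLE_YML)
    f.flush
    File.chmod(mode, f.path)
    audit_database_yml(f.path, app_uid: app_uid, web_uid: web_uid)
  end
end

if $PROGRAM_NAME == __FILE__
  puts "0644 -> #{audit_sample(0o644).inspect}"
  puts "0600 -> #{audit_sample(0o600).inspect}"
end
```

Run it against a real deployment by calling audit_database_yml with the app's config path and the actual uids from your process manager.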
twa (Guest)
on 2005-12-11 11:34
(Received via mailing list)
One aspect of RoR database login and password management is that, I am
willing to bet in most sites, the developers know the database login and
password that RoR uses.  This is a violation of Sarbanes Oxley rules
that many of us will have to address sooner rather than later (and, in
theory, you can go to prison for not being duly diligent about it).