
Encrypted Service Password #352

Open
safiuddinr opened this issue Jul 9, 2024 · 3 comments
Assignees
Labels
Points: 8 Story Point (4 days)
Milestone

Comments

safiuddinr (Collaborator) commented Jul 9, 2024

Here we need to ensure passwords are encrypted at rest

for this we'll be using a combination of ansible-vault and podman-secrets

utilizing a shell driver for the podman secret: https://docs.podman.io/en/latest/markdown/podman-secret-create.1.html

@mreeve-snl mreeve-snl added the Points: 8 Story Point (4 days) label Jul 25, 2024
@safiuddinr safiuddinr added this to the LME 2.0 milestone Aug 6, 2024
mreeve-snl (Collaborator) commented:

so there's probably a few fancier ways we can do this, but this honestly seems the simplest....
We setup the ansible password and the way to access it via environment variables:

set_password_script:

#!/bin/bash
# must be sourced (". set_password_script.sh") so the exports reach the calling shell
read -r -s -p "ANSIBLE_VAULT_PASSWORD:" LME_ANSIBLE_VAULT_PASS
echo
export LME_ANSIBLE_VAULT_PASS

#TODO: add checks for these filepaths existing
#set password file ansible-vault variable (vault-pass.sh prints the password for ansible-vault)
export ANSIBLE_VAULT_PASSWORD_FILE=/opt/lme/config/vault-pass.sh

This sets up the password as an environment variable AND the vault file variable, so ansible-vault knows where to pull the vault file.

We can now store any given lme-user and lme-service-user password in the following directory paths:

. set_password_script.sh
USER_X=elastic
# prompt without echo, write the plaintext, then encrypt the file in place
read -r -s -p "password for $USER_X: " USER_X_PASS
printf '%s' "$USER_X_PASS" > "/opt/lme/vault/$USER_X"
ansible-vault encrypt "/opt/lme/vault/$USER_X"

we'll probably need to make sure we back this up somehow so people can recover, but I think this seems pretty smooth

mreeve-snl (Collaborator) commented:

so using that as a baseline, I think this should work with podman secrets:

# containers.conf: podman runs each command with the secret name in $SECRET_ID
[secrets]
driver = "shell"

[secrets.opts]
list = "ls /opt/lme/vault/"
lookup = "ansible-vault view /opt/lme/vault/$SECRET_ID"
store = "cat > /opt/lme/vault/$SECRET_ID; ansible-vault encrypt /opt/lme/vault/$SECRET_ID"
delete = "rm /opt/lme/vault/$SECRET_ID"

to store and update passwords as needed... now we just have to automate this
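A worked version of the vault helper sketched in the two comments above, added here as an illustration and not code from the LME project. It wraps the store/lookup/list/delete operations in one script so the podman shell driver can call it instead of the inline one-liners, validates the secret id before it is used in a path (podman hands the name to each command as `$SECRET_ID`, and the inline commands splice it straight into a shell string), checks that the ansible-vault password file exists, and writes the plaintext with a restrictive umask before ansible-vault encrypts it in place. The install path /opt/lme/bin/lme-vault and the LME_VAULT_DIR and LME_VAULT_PASS_FILE variable names are assumptions.

```shell
#!/bin/bash
# lme-vault: hypothetical helper (added example, not LME project code).
# Subcommands: store <id> (plaintext on stdin), lookup <id>, list, delete <id>.
# Meant to be referenced from containers.conf [secrets.opts], e.g.
#   lookup = "/opt/lme/bin/lme-vault lookup $SECRET_ID"   (assumed install path)

LME_VAULT_DIR="${LME_VAULT_DIR:-/opt/lme/vault}"
LME_VAULT_PASS_FILE="${ANSIBLE_VAULT_PASSWORD_FILE:-/opt/lme/config/vault-pass.sh}"

# Accept only names made of [A-Za-z0-9_.-] that do not start with a dot, so an
# id can never contain "/", "..", whitespace or shell metacharacters.
valid_secret_id() {
    case "$1" in
        "" | .* | *[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the vault file path for a validated id, or fail.
secret_path() {
    valid_secret_id "$1" || { echo "lme-vault: invalid secret id" >&2; return 1; }
    printf '%s/%s\n' "$LME_VAULT_DIR" "$1"
}

# ansible-vault needs the password file set up by set_password_script; fail early if absent.
require_vault_pass_file() {
    if [ ! -r "$LME_VAULT_PASS_FILE" ]; then
        echo "lme-vault: vault password file $LME_VAULT_PASS_FILE is missing or unreadable" >&2
        return 1
    fi
    export ANSIBLE_VAULT_PASSWORD_FILE="$LME_VAULT_PASS_FILE"
}

# store: plaintext arrives on stdin, is written mode 0600, then encrypted in place.
vault_store() {
    local path
    path=$(secret_path "$1") || return 1
    require_vault_pass_file || return 1
    mkdir -p "$LME_VAULT_DIR"
    (umask 077 && cat > "$path") || return 1
    # never leave an unencrypted file behind if encryption fails
    ansible-vault encrypt "$path" || { rm -f "$path"; return 1; }
}

# lookup: decrypt to stdout, which is what podman consumes.
vault_lookup() {
    local path
    path=$(secret_path "$1") || return 1
    require_vault_pass_file || return 1
    [ -f "$path" ] || { echo "lme-vault: no secret named $1" >&2; return 1; }
    ansible-vault view "$path"
}

vault_list() {
    [ -d "$LME_VAULT_DIR" ] || return 0
    ls -1 "$LME_VAULT_DIR"
}

vault_delete() {
    local path
    path=$(secret_path "$1") || return 1
    rm -f "$path"
}

lme_vault_cmd() {
    case "${1:-}" in
        store)  vault_store "$2" ;;
        lookup) vault_lookup "$2" ;;
        list)   vault_list ;;
        delete) vault_delete "$2" ;;
        *) echo "usage: lme-vault store|lookup|list|delete <id>" >&2; return 2 ;;
    esac
}

# Dispatch only when invoked with a subcommand; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then
    lme_vault_cmd "$@"
fi
```

With the script in place, the four `[secrets.opts]` entries reduce to `/opt/lme/bin/lme-vault store $SECRET_ID`, `... lookup $SECRET_ID`, `... list` and `... delete $SECRET_ID`, and every path the driver touches goes through the same id check.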

mreeve-snl (Collaborator) commented:

I think for this task we'll also want to add a "security/threat model" for LME, so it's clear what sort of attacks we care about for this.

From what I'm thinking, the master password shouldn't be able to be accessed if any LME service is compromised. To mitigate this, I think we should store the master password in a separate user space from the lme services.

Therefore, if we have lme.service run as a different user (i.e. lme), we can have lme.service be a quadlet under the regular user, that spawns all the other quadlets as the lme user...

Projects
Status: 🏗 In Progress