-
Notifications
You must be signed in to change notification settings - Fork 526
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Encryption for Sensitive Data #21
Comments
I think it's a good idea. However this opens a door: the use of Staticman for contact forms. Go ahead with that, but keep this on mind. |
You can take it even further. |
If this helps: You can use node-rsa module which is pure JS, no dependency on OpenSSL. |
Thanks, @zburgermeiszter, really appreciate it. I'm actually using that on the new version of the API, which I'm hoping to release in the next couple of weeks. |
How do you going to encrypt the config values? The first is more compact, and guarantee that the config key names are also encrypted in order to stop any snooping. On the other hand it is much easier to update single encrypted values give the freedom not to remember what key-value pairs has been encrypted as the key is plaintext. |
Encrypted config values will still go in the main config file just like regular values. Keys will be in plain text, so that the config file is still readable, but the documentation will flag that certain properties need to be encrypted. |
Not sure if you have met with this issue, but it seems the RSA public key encryptionis not suitable for encrypting long values. Sometimes I get the following error: I'll need to work a bit more on this idea. |
@zburgermeiszter This should be relatively easy to implement now that we have encryption for config files. What do you think? |
Few questions. Now it is 2 separate feature. One for encrypting form fields, and another for encrypting repo/path. How I would do this, is to reuse your config file transformation code, but instead of decrypting encrypted config values, it could check in the site config what submitted field to encrypt, and save to the comment yml. But encrypting or at least base64 encoding the repo/path would make sense, because then we would use a general process endpoint, and receive the git provider name (gitlab support) and the repo/branch names as a B64 encoded or RSA encrypted JSON wich is very flexible. Thanks |
The idea of encrypting repository and branch name is great. Say if one got a private repository for his website, it might be inappropriate to expose repo name and branch directly in the HTML form. Instead, we could do something like this: Let's say Alice got a repository named
Glad to hear any suggestions on the above workflow. :) |
Hey guys —
I think a great feature would be to have encryption of sensitive data. Since part of the joy of staticman is the ability to run a website through github, it could be very useful to be able to encrypt certain data coming in from html forms (eg. email addresses of commenters) before they hit github.
Would it be possible to specify a public encryption key in the config file and have staticman encrypt incoming data using the specified key before merging it on github? That way the data is simultaneously both accessible and safe.
Just an idea!! Awesome little service, Staticman.
-A
The text was updated successfully, but these errors were encountered: