hoggmania/EnvironmentConfigurationObfuscation
EnvironmentConfigurationObfuscation

A pluggable mechanism to (de)obfuscate configuration secrets in a lights out management environment.

This is not encryption, it is obfuscation only. An attacker with full access to the host machine could de-obfuscate the secret. If you need full FIPS-like secret protection, buy an HSM! (Even then, how will you protect the HSM PIN? For LOM it's a Catch-22 situation.) There are solutions (very expensive, >$50k) to this problem, but for simple LOM, obfuscation is really the only thing you can offer. It's security theatre at best.

Can't say you haven't been warned.

It can use static machine entropy (MAC addresses etc.) or a remote file in a shared/clustered model. It does not require the use of an HSM or keystore; instead it recreates the entropy needed to decrypt the secret.

Extensions to this could include:

  1. DP-API for Windows machines (but not in a VM scenario)
  2. Keychain for Mac OS
  3. External HSM

Example usage to obfuscate

```java
String plain = "my string";

// Test PassphraseObfuscatorURL with local entropy file and algorithm overrides
Map<String, String> map = new java.util.HashMap<String, String>();
map.put(ObfuscatorInf.PWB_ALGORITM_HASH, "SHA-512");
map.put(ObfuscatorInf.PWB_ALGORITM_PBE, "PBEWithSHA1AndDESede");
map.put(ObfuscatorInf.PWB_URL, System.getProperty("user.home") + "/hoggmania.entropy");
map.put(ObfuscatorInf.PWB_IMPLEMENTATION, PassphraseObfuscatorURL.class.getName());

// To obfuscate the plain value
String encryptedPropValue = ObfuscateSecretsHelper.obfuscatedSecretAndWrite(plain, map);
```

Example usage to de-obfuscate

```java
// To de-obfuscate (the implementation and overrides are encoded in the obfuscated string)
String plainBack = ObfuscateSecretsHelper.parseObfuscatedSecretAndDecrypt(encryptedPropValue);
```
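To make concrete what "recreating the entropy" means, and why the README insists this is only obfuscation, here is an added illustration that is not the project's code: it derives a passphrase from the host's MAC addresses, hashes it with SHA-512 and feeds it to the same PBEWithSHA1AndDESede algorithm the overrides above name. The class name, token layout and iteration count are assumptions made for this example.

```java
import java.net.NetworkInterface;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;

/** Illustrative only, not the project's code: machine-entropy PBE obfuscation spelled out. */
public class MachineEntropyObfuscator {
    static final String PBE = "PBEWithSHA1AndDESede"; // the README's PBE algorithm override
    static final int ITERATIONS = 10_000;              // assumption for this example

    // Rebuild the passphrase from static machine entropy: SHA-512 over the sorted MAC
    // addresses. Any process on this host can rebuild it too, which is why the README
    // calls this obfuscation, not encryption. A host with no MACs (some containers)
    // hashes an empty string, so every such host ends up with the same passphrase.
    static char[] machinePassphrase() throws Exception {
        TreeSet<String> macs = new TreeSet<>();
        for (NetworkInterface nic : Collections.list(NetworkInterface.getNetworkInterfaces())) {
            byte[] mac = nic.getHardwareAddress(); // null for loopback / virtual interfaces
            if (mac != null) macs.add(Base64.getEncoder().encodeToString(mac));
        }
        byte[] digest = MessageDigest.getInstance("SHA-512")
                .digest(String.join(",", macs).getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest).toCharArray();
    }

    static SecretKey machineKey() throws Exception {
        return SecretKeyFactory.getInstance(PBE).generateSecret(new PBEKeySpec(machinePassphrase()));
    }

    // Token layout is an assumption for this example: "<pbe-alg>:<base64 salt>:<base64 ciphertext>".
    static String obfuscate(String plain) throws Exception {
        byte[] salt = new byte[8];
        new SecureRandom().nextBytes(salt);
        Cipher c = Cipher.getInstance(PBE);
        c.init(Cipher.ENCRYPT_MODE, machineKey(), new PBEParameterSpec(salt, ITERATIONS));
        Base64.Encoder b64 = Base64.getEncoder();
        return PBE + ":" + b64.encodeToString(salt) + ":"
                + b64.encodeToString(c.doFinal(plain.getBytes(StandardCharsets.UTF_8)));
    }

    // Only succeeds on a host that reproduces the same MAC set; elsewhere it fails or yields garbage.
    static String deobfuscate(String token) throws Exception {
        String[] p = token.split(":", 3);
        if (p.length != 3 || !PBE.equals(p[0])) throw new IllegalArgumentException("bad token");
        Base64.Decoder b64 = Base64.getDecoder();
        Cipher c = Cipher.getInstance(PBE);
        c.init(Cipher.DECRYPT_MODE, machineKey(), new PBEParameterSpec(b64.decode(p[1]), ITERATIONS));
        return new String(c.doFinal(b64.decode(p[2])), StandardCharsets.UTF_8);
    }
}
```

Moving the passphrase source to an entropy file (as PWB_URL does above) changes where the secret-recovering material lives, not the fact that whoever can read it can recover the secret.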

Command Line Options

There are a few CLI tools that can be used; this utility is to obfuscate a secret.

These are the common system property overrides (-D) available to all scripts:

  1. PWB_ALGORITM_PBE
  2. PWB_ALGORITM_HASH
  3. PWB_PROVIDER

Warning: these options must also be used when decrypting the value.

One additional parameter is available for obfuscation only (because it is encoded in the obfuscated string): --PWB_IMPLEMENTATION

(De)Obfuscate values on the CLI & Java

```
ObfuscateSecret <value> <true/false true=obfuscate false=de-obfuscate>
```

(De)Obfuscate values in an XML file

```
ObfuscateSecretInXML <xml-file> <true/false true=obfuscate false=de-obfuscate> <xpath expression> <attribute name>
```

(De)Obfuscate values in a properties file

```
ObfuscateSecretsInProperties <property file> <true/false true=obfuscate false=de-obfuscate> <true/false true=comma-separated-values false=single value> <comma delimited keys to obfuscate (no spaces)>
```

How soon will my ticket be fixed?

The best way to have a bug fixed or feature request implemented is to fork the repository and send a pull request. If the pull request is reasonable it has a good chance of making it into the next release. If you build the release yourself, even more chance!

If you don't fix the bug yourself, the bug might never get fixed. If it is a serious bug, other people than you might care enough to provide a fix.

In other words, there is no guarantee that a bug or feature request gets fixed. Tickets that are more than 6 months old are likely to be closed to keep the backlog manageable.
