Right now if the key is password protected, the following fails:
echo "hello" | sym -d -k mykey
Because it attempts to read the password from STDIN, which is hijacked by the data stream.
Additionally, in the deployed environment, it would be super nice if sym was able to read the password from somewhere secure, and apply it to the key in, say, environment variable.
Possible solutions:
support $SYM_KEY_PASSWORD environment variable for reading in key password if needed
on each host install a random key that's used to encrypt/decrypt the password of the actual key. Say, sym installs its default set of random passwords in application's root, in ./.sym/meta, with a total of 128 keys installed. This file would look like this:
Then, given any password sym can md5 the password, convert to binary, and take the last (or first) eight bits — these bits would point to the row in the metafile containing the key. So now we can determine the key based on the md5 of the actual password. We give sym a real password and tell it to encrypt it with the meta key, and store it in ./.sym/config. But we write two things in that file: last 8 bits of the md5 concatenated with the encrypted password.
To restore this, sym will read the config file, grab the first 8 bytes, based on that determine the key, and decrypt the stored value. The result will be the password used to decrypt the actual key used for data decryption. This method bypasses having to provide the password interactively via a somewhat convoluted scheme.
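The store/restore round trip described in the second proposal, written out as an added example. This is illustrative code, not part of sym: the metafile is a constructed in-memory array of random 256-bit keys, the selector is the last byte (8 bits) of the MD5 digest as the proposal describes, and AES-256-GCM is an assumed choice of wrapping cipher (the page does not say which cipher sym uses). The authenticated mode matters for the failure case: if the config file is edited or the host's metafile differs from the one used to store the password, decryption raises instead of silently yielding garbage that would then fail as a key password.

```ruby
require 'digest'
require 'openssl'
require 'base64'
require 'securerandom'

# Constructed stand-in for ./.sym/meta: one random 256-bit key per row.
# The issue proposes a fixed set of random keys installed per host; here
# they are generated in memory so the example runs offline.
def build_meta(rows = 256)
  Array.new(rows) { SecureRandom.random_bytes(32) }
end

# Row selector: md5 the password and take its last 8 bits, i.e. the final
# byte of the digest, giving an index 0..255 into the metafile.
def meta_index(password)
  Digest::MD5.digest(password).bytes.last
end

# Wrap the real key password with the selected meta key. The config payload
# is the selector byte concatenated with IV, GCM tag and ciphertext, then
# Base64-encoded so it can live in a text file such as ./.sym/config.
def store_password(meta, password)
  idx = meta_index(password)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = meta[idx]
  iv = cipher.random_iv                      # 12 random bytes
  ciphertext = cipher.update(password) + cipher.final
  tag = cipher.auth_tag                      # 16 bytes, available after final
  Base64.strict_encode64([idx].pack('C') + iv + tag + ciphertext)
end

# Restore: read the selector byte, pick the row, decrypt the stored value.
# Raises OpenSSL::Cipher::CipherError if the blob was altered or the wrong
# metafile is present, because the GCM tag no longer verifies.
def restore_password(meta, config)
  blob = Base64.strict_decode64(config)
  idx = blob.getbyte(0)
  iv = blob[1, 12]
  tag = blob[13, 16]
  ciphertext = blob[29..-1] || ''
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = meta[idx]
  decipher.iv = iv
  decipher.auth_tag = tag
  decipher.update(ciphertext) + decipher.final
end

if __FILE__ == $PROGRAM_NAME
  meta = build_meta
  config = store_password(meta, 'correct horse battery staple')
  puts "config: #{config}"
  puts "restored: #{restore_password(meta, config)}"
end
```

Two properties of the scheme are worth keeping in mind when evaluating it. The metafile and the config file sit on the same host, so anyone who can read both recovers the key password; the construction relocates the secret behind filesystem permissions rather than removing it, which is the same trust boundary an environment variable relies on. The selector byte also stores 8 bits of the password's MD5 in the clear, which is a small but nonzero hint about the password; a random row index stored alongside the ciphertext would avoid that leak while keeping the same lookup.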