As a user I would like to save my credentials in an encrypted format so that they are not available in plain text.
Tech Limitations:
Normal password management would mean saving only a salted hash of the credentials and/or having dedicated, revocable API keys for interacting with 3rd-party services. However, since neither Garmin nor Peloton provides an official API, we must store the user's original credentials long term.
Options:
One-time setup - User provides credentials
Any time P2G is started and detects that credentials are missing from the config, P2G will prompt the user on the command line to enter the missing credentials
These credentials will then be encrypted by P2G (probably using Triple DES) and saved back to the config file for future use
Pros:
Simple implementation
Easy to change the password for the user
Cons:
The P2G source code contains everything needed to decrypt the password. A compromised system will not directly reveal any plain-text credentials, but a targeted attack that has both the config file and the source could still decrypt the values stored in the config.
HashiCorp Vault
Require users to run a self-hosted Vault (from source or Docker)
Users can set up an AppRole ID and the necessary credentials
Users provide the AppRole ID to P2G in the config file
P2G uses the AppRole ID to authenticate with Vault and fetch the credentials
Recommended for development environments only, not for production use
Docker Secrets
User sets up and configures Docker secrets and provides those secrets to the P2G container
P2G consumes the secrets
Pros
Native
Cons
Requires all users to use Docker
Docker secrets are only supported in Docker Swarm environments
Thoughts:
Personally, I am leaning towards option 1, the most basic one. This will significantly improve the security of the credentials with minimal effort.
Long term, I am interested in implementing HashiCorp Vault support, but primarily as a learning exercise; I'm not sure many people would choose to take advantage of it beyond myself.