Once, a colleague accidentally uploaded the project code to Github, resulting in the use of a clear email account password in the code, for which both the company and individuals paid a heavy price. So what about sensitive information in your code? This article will briefly introduce our practical methods.
Achieve the goal
- Encrypt sensitive information in codes, such as email account passwords, database account passwords, and third-party verification keys
- For production use of the original password and other information should be as little as possible, for example, the database password should be known only by the DBA
Information encryption
There are two common types of information encryption:
The first type requires no decryption: System login password encryption, for example, through the encryption algorithm for the user to enter the password stored encrypted in the database, the user login again still get the same encryption algorithm for the user to enter the password encryption, the encrypted and stored in the database results compare result, don’t need to know the whole process of the user to enter the original password is what, MD5 is the most common encryption algorithm for this type of encryption
The second type needs to be decrypted: For example in the project we write code to connect to the database account password, project code stored in cipher way, when you need to connect to the database, to decrypt the cipher to, to get the original unencrypted password to connect to the database, unlike MD5 one-way encryption, the encryption can need to decrypt the encrypted cryptograph, Currently, RSA is the most common encryption algorithm
RSA encryption algorithm is used to encrypt sensitive information in configuration files. RSA encryption algorithm is used to encrypt sensitive information in configuration files. RSA encryption algorithm is used to encrypt sensitive information.
- The encryption algorithm needs to generate a pair of RSA keys, namely a public key and a private key
- Encrypt the password with the public key to obtain the encrypted string Configuration In the project code, when the original password needs to be used, decrypt the encrypted string with the private key to obtain the original password
Note a problem here, get the private key can decrypt the encrypted string, then the secret key certainly can not be put in the project code, otherwise in the case of code to Github can be decrypted with the secret key, lost the meaning of encryption. Here, our strategy is that the secret key is managed by operation and maintenance, placed directly in the production server, and the secret key can be read by configuring the path in the project agent, so as to avoid the leakage of the secret key due to code leakage.
RSA Encryption and decryption Python script. You can directly use this script to generate an RSA secret pair, encrypt passwords, or decrypt RSA keys. You can also use the OpenSSL tool to perform this operation
import binascii
from Cryptodome.PublicKey import RSA
from Cryptodome.Cipher import PKCS1_v1_5
class RsaCrypto():
' ''RSA encryption and decryption '' '
def create_rsa_key(self):
' ''Generate an RSA key pair'' '
try:
key = RSA.generate(2048)
encrypted_key = key.exportKey(pkcs=8)
public_key = key.publickey().exportKey().decode('utf-8')
private_key = encrypted_key.decode('utf-8')
return {'state': 1, 'message': {'public_key': public_key, 'private_key': private_key}}
except Exception as err:
return {'state': 0.'message': str(err)}
def encrypt(self, public_key, plaintext):
' ''Encryption method'' '
try:
recipient_key = RSA.import_key(public_key)
cipher_rsa = PKCS1_v1_5.new(recipient_key)
en_data = cipher_rsa.encrypt(plaintext.encode('utf-8'))
hex_data = binascii.hexlify(en_data).decode('utf-8')
return {'state': 1, 'message': hex_data}
except Exception as err:
return {'state': 0.'message': str(err)}
def decrypt(self, private_key, hex_data):
' ''Decryption method'' '
try:
private_key = RSA.import_key(private_key)
cipher_rsa = PKCS1_v1_5.new(private_key)
en_data = binascii.unhexlify(hex_data.encode('utf-8'))
data = cipher_rsa.decrypt(en_data, None).decode('utf-8')
return {'state': 1, 'message': data}
except Exception as err:
return {'state': 0.'message': str(err)}
if __name__ == '__main__':
print(RsaCrypto().create_rsa_key())
Copy the code
Process control
Take database password management as an example to introduce our process
- O&m generates an RSA key pair through the encryption system and puts the key pair on the production server to inform the development of the storage path of the secret key on the server, which is written in the project code configuration file by the development
- DBA creates the database account password, encrypts the password through the secret key generated in the previous operation and maintenance step, and writes the encrypted string to the developer in the project code configuration file
The secret key is separated from the code, so that in the whole process, development, operation and maintenance can not access the database password, each role gets enough information and the least, reduce the possibility of errors or leaks
In the above process, we have implemented the function of generating the secret key pair and encrypting the password through the secret key on the Web side, which is convenient for operation and maintenance and DBA operation. The interface is as follows:
The above interface is the operation and maintenance interface, where you can generate, view, and download secret keys
You can select the secret key and encrypt the password to generate encrypted ciphertext
The two interfaces are divided according to permissions. Ops can only see the first interface and DBA can only see the second interface
Write in the last
- Putting your company code on Github should never, ever happen
- Everyone can make mistakes. Trust your partner but also optimize your process to reduce human error and minimize risk
- These processes are still not problem-free, and everyone should be in awe of their job, maintain a good work ethic, and stay out of line
If you find this article helpful to you, please share it with more people. If you’re not enjoying your reading, read the following:
- DevOps operation automation tool system platform
- Details of landing configuration center for small and medium-sized teams
- Small and medium-sized teams quickly build SQL automatic audit systems