Dears,
It’s a very impressive GITEA and I’m impressed.
However, there is one thing that is regrettable about security.
The database password of the app.ini file is exposed as it is.
I wish there was a way to encrypt the database password.
I wonder if you have any good ideas.
Best Regards.
Why do you need that? Maybe it’s unnecessary?
You can’t. If you did, a decryption key would be needed for the software to start up, and unless you wanted to input that by hand every time you started Gitea, you’d have to store it in a file… and then you’re back in the same situation.
Who is going to see the contents of your app.ini file?
Thank you for your comment.
It is a security policy within our organization.
Database access information (especially passwords) in all configuration files should be encrypted to make them unidentifiable directly.
Our security officer always advises and monitors.
So we encrypt most of the passwords in the file.
You’re right.
Encrypting passwords cannot be complete security,
We are based on spring framework for most application development.
Encrypt/decrypt files using Jsaypt.
ex) spring:
datasource:
sql-script-encoding: UTF-8
driver-class-name: org.mariadb.jdbc.Driver
url: ENC(fAcHYhDi1oSaAF8FcAEDQ==)
username: ENC(fncHYmDe8oSFAFV8FcAEDQ==)
password: ENC(Aqh1BctIkm9uBNolQ5xlSg==)
public class JasyptConfig {
public StringEncryptor stringEncryptor() {
PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
SimpleStringPBEConfig config = new SimpleStringPBEConfig();
config.setPassword("test");
config.setAlgorithm("PBEWithMD5AndDES");
config.setKeyObtentionIterations("1000");
config.setPoolSize("1");
config.setProviderName("SunJCE");
config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
config.setStringOutputType("base64");
encryptor.setConfig(config);
return encryptor;
}
}
So how do you decrypt them when the services are started?