
Encrypt your defaults-file

Category: Database (MySQL) | Posted by 店小二05 | 2016 | Author 红领巾

Encrypt your credentials using GPG

This blog post will look how to use encryption to secure your database credentials.

In the recent blog post Use mysql Shell Securely from Bash, there are some good examples of how you might avoid using a ~/.my.cnf, but you still need to put that password on disk in the script. MySQL 5.6.6 and later introduced the login-path option, which is a handy way to store per-connection entries and keep the credentials in an encrypted format. This is a great improvement, but as shown in Get MySQL Passwords in Plain Text from .mylogin.cnf, it is pretty easy to get that information back out.

Let’s fix this with gpg-agent, mkfifo and a few servings of Bash foo…

If you want to keep prying eyes away from your super secret database credentials, then you really need to encrypt them. Nowadays most people are familiar with GPG (GNU Privacy Guard), but for those of you that aren’t, it is a free implementation of the OpenPGP standard that allows you to encrypt and sign your data and communication.

First steps…

Before we can go on to use GPG to encrypt our credentials, we need to get it working. GnuPG comes with almost every *nix operating system, but for this post we’ll be using Ubuntu 16.04 LTS and we’ll presume that it isn’t yet installed.

$ sudo apt-get install gnupg gnupg-agent pinentry-curses

Once the packages are installed, there is a little configuration required to make things simpler. We’ll go with some minimal settings just to get you going. First of all, we’ll create our main key:

$ gpg --gen-key
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (4096)
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (5y)
Key expires at Tue 05 Oct 2021 23:59:00 BST
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <[email protected]>"

Real name: Ceri Williams
Email address: [email protected]
Comment: Encrypted credentials for MySQL
You selected this USER-ID:
    "Ceri Williams (Encrypted credentials for MySQL) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

After typing a password and gaining sufficient entropy you will have your first key! You can show your private keys as follows:

$ gpg --list-secret-keys
/home/ceri/.gnupg/secring.gpg
-----------------------------
sec   4096R/C38C02B0 2016-10-06 [expires: 2021-10-05]
uid                  Ceri Williams (Encrypted credentials for MySQL) <[email protected]>

We’ll now create our “gpg.conf” in which to keep a few settings. This sets the key that is used by default when encrypting, enables the gpg-agent and removes the copyright message.

$ cat <<EOF > ~/.gnupg/gpg.conf
default-key C38C02B0
use-agent
no-greeting
EOF

Now we’ll add a few settings for “gpg-agent” and allow the key to be cached for one day (86400 seconds) to reduce the number of times you need to enter a password. Also, as this post concentrates on command line programs, we’ve enabled the ncurses pinentry to prompt for the password when requested.

$ cat <<EOF > ~/.gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry-curses
default-cache-ttl 86400
max-cache-ttl 86400
EOF

You can find more information about setting up and using GPG in the GNU Privacy Handbook.

Encrypt your credentials

If all has gone well so far, you should be able to encrypt your first message. Here is a simple example to create armored (ASCII) output for a recipient with key “C38C02B0”:

$ echo hello | gpg -e --armor -r C38C02B0
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1

hQIMA/T3pqGixN5nAQ/+IxmmgoHNVY2IXp7OAQUZZtCw0ayZu/rFotsJBiQcNG4W
J9JZmG78fgPfyF2FD4oVsXDBW7yDzfDSxCcX7LL9z4p33bzUAYOwofRP9+8qJGq/
qob1SclNN4fdFc/PtI7XKYBFYcHlfFeTIH44w9GEGdZlyfDfej+qGTJX+UHrKTo3
DaE2qpb7GvohEnDPX5WM0Pts3cATi3PcH4C9OZ5dgYizmlPB58R2DZl1ioERy2jE
WSIhkZ8ZPW9ezWYDCtFbgFSpgynzYeFRVv1rel8cxZCSYgHOHrUgQM6WdtVFmEjL
ONaRiEA9IcXZXDXaeFezKr2F8PJyaVfmheZDdRTdw54e4R6kPunDeWtD2aCJE4EF
ztyWLgQZ0wNE8UY0PepSu5p0FAENk08xd9xNMCSiCuwmBAorafaO9Q8EnJjHS/w5
aKLJzNzad+8zKq3zgBxHGj1liHmx873Epz5izsH/lK9Jwy6H5qGVB71XuNuRMzNr
ghgHFWNX7Wy8wnBnV6MrenASgtCUY6cGdT7YpPe6pLr8Qj/3QRLdzHDlMi9gGxoS
26emhTi8sIUzQRtQxFKKXyZ43sldtRewHE/k4/ZRXz5N6ST2cSFAcsMyjScS4p2a
JvPvHt4xhn8uRhgiauqd7IqCCSWFrAR4J50AdARmVeucWsbRzIJIEnKW4G/XikvS
QQFOvcdalGWKMpH+mRBkHRjbOgGpB0GeRbuKzhdDvVT+EhhIOG8DphumgI0yDyTo
Ote5sANgTRpr0KunJPgz5pER
=HsSu
-----END PGP MESSAGE-----

Now that we have GPG working, we can secure our credentials and encrypt them to use later on. One of the default files MySQL reads is “~/.my.cnf”, which is where you can store your user credentials for easy command line access.

$ cat <<EOF | gpg --encrypt --armor -r C38C02B0 -o ~/.my.cnf.asc
[client]
user = ceri
password = mysecretpassword
[mysql]
skip-auto-rehash
prompt = "smysql d> "
EOF

There you go, everything is nice and secure! But wait, how can anything use this?

Bash foo brings MySQL data to you

Most MySQL and Percona tools accept the “--defaults-file” argument, which tells the program which configuration file to read instead of the default ones. This will allow us to use our encrypted config.

The following script carries out these actions:

- Creates a temporary file on disk and then removes it
- Creates a FIFO (a socket-like communication channel that requires both ends to be connected)
- Decrypts the config to the FIFO in the background
- Launches the “mysql” client, which reads its defaults from the FIFO

#!/bin/bash
set -e
# Keep all arguments and their count
declare -ra ARGS=( "${@}" )
declare -ri ARGV=${#ARGS[@]}
# The first argument is the encrypted defaults file if it names an existing file,
# otherwise fall back to .my.cnf.asc in the current directory
declare -r SEC_MYCNF=$(test -f ${1:-undef} && echo $_ || echo '.my.cnf.asc')
# mktemp gives us a unique path; the file is removed and recreated as a FIFO below
declare -r SEC_FIFO=$(mktemp)
# Everything after the config file name is passed through to the client
declare -a PASSTHRU=( "${ARGS[@]}" )
test ${ARGV} -gt 0 && test -f "${ARGS[0]}" && PASSTHRU=( "${ARGS[@]:1}" )
set -u

function cleanup {
  test -e ${SEC_FIFO} && rm -f $_
  return $?
}

# Try a non-interactive decrypt first (works while gpg-agent has the passphrase
# cached), then fall back to one that may prompt through pinentry
function decrypt {
  set +e
  $(which gpg) --batch --yes -o ${SEC_FIFO} -d ${SEC_MYCNF} >debug.log 2>&1
  test $? -eq 0 || $(which gpg) --yes -o ${SEC_FIFO} -d ${SEC_MYCNF} >debug.log 2>&1
  set -e
}

# Run the client with the FIFO as its defaults file, passing the remaining arguments along
function exec_cmd {
  local -r cmd=${1}
  set +u
  ${cmd} --defaults-file=${SEC_FIFO} "${PASSTHRU[@]}"
  set -u
}

trap cleanup EXIT
test -e ${SEC_MYCNF} || exit 1
# This page's copy of the script breaks off after the line above; the three lines
# below follow the steps listed before the script (remove the temp file and create
# the FIFO in its place, decrypt into it in the background, launch the client)
cleanup && mkfifo ${SEC_FIFO}
decrypt &
exec_cmd mysql
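The same FIFO technique as an added example, not the original post's script: the decryption command and the client are parameters so it can be exercised without gpg or a MySQL server (a plaintext file decrypted by "cat" and a constructed fake client stand in for them in the demo), the FIFO is created fresh inside a private temporary directory instead of reusing an mktemp file path, and a client that exits before reading the FIFO does not leave the decryptor blocked. The names fifo_defaults, gpg_decrypt, fake_client, failing_client, demo and the FIFO_DEFAULTS_LAST_DIR variable are all assumed for this example.

```bash
#!/bin/bash
# Added example (not the original post's script): feed a --defaults-file to a
# client through a FIFO so the decrypted credentials never land on disk.
# Assumptions: the decryptor is a command or shell function that takes the
# encrypted file path and writes plaintext to stdout; the client reads the
# --defaults-file exactly once (as mysql does).

# Usage: fifo_defaults <encrypted-file> <decrypt-cmd> <client-cmd> [client args...]
fifo_defaults() {
    local enc="$1" decrypt="$2" client="$3"
    shift 3
    local dir fifo writer rc
    # Private 0700 directory: the FIFO is created fresh inside it, so there is no
    # window in which an mktemp file is removed and its path recreated by someone else.
    dir=$(mktemp -d) || return 1
    FIFO_DEFAULTS_LAST_DIR=$dir   # exposed so callers (and tests) can verify cleanup
    fifo="$dir/defaults.fifo"
    mkfifo -m 0600 "$fifo" || { rm -rf "$dir"; return 1; }
    # Decrypt in the background; the writer blocks until the client opens the FIFO.
    "$decrypt" "$enc" > "$fifo" &
    writer=$!
    "$client" --defaults-file="$fifo" "$@"
    rc=$?
    # If the client died before opening the FIFO, the writer is still blocked on
    # open(); stop it so no process sits there holding the plaintext.
    kill "$writer" 2>/dev/null || true
    wait "$writer" 2>/dev/null || true
    rm -rf "$dir"
    return "$rc"
}

# Real-world decryptor: gpg-agent supplies the cached passphrase, or pinentry asks.
gpg_decrypt() {
    gpg --batch --quiet --decrypt "$1"
}

# Constructed stand-in for the mysql client: finds --defaults-file, reads it
# once and prints the [client] user it contains. Never touches the network.
fake_client() {
    local arg file=""
    for arg in "$@"; do
        case "$arg" in
            --defaults-file=*) file="${arg#--defaults-file=}" ;;
        esac
    done
    sed -n 's/^user *= *//p' "$file"
}

# Constructed stand-in for a client that exits before reading its config,
# to show that fifo_defaults returns its exit code instead of hanging.
failing_client() {
    return 3
}

# Demo on constructed input: a plaintext file stands in for .my.cnf.asc and
# `cat` stands in for gpg, so this runs without GPG or a MySQL server.
demo() {
    local cfg
    cfg=$(mktemp) || return 1
    printf '[client]\nuser = ceri\npassword = constructed-example\n' > "$cfg"
    fifo_defaults "$cfg" cat fake_client   # prints: ceri
    rm -f "$cfg"
}

# With real credentials (assumed invocation):
#   fifo_defaults ~/.my.cnf.asc gpg_decrypt mysql -e 'SELECT CURRENT_USER()'
```

The design point is that nothing in the pipeline writes plaintext to a regular file: the only copy of the decrypted config lives in the FIFO buffer between the decryptor and the one read the client performs, and the directory holding the FIFO is removed whether the client succeeds or fails.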

Source page: http://www.codesec.net/view/483012.html