Hello,

We have large application servers (written in C and C++), but also Perl and Java applications, which all contact a Sybase database server over the network to do their work. They have to present USER and PASSWORD information to connect to the Sybase ASE listening on some port. As the USER and the PASSWORD are not entered by humans, at least not at the moment when the application makes the access, they are stored in clear text in files in the UNIX (Linux, SunOS) file system. They are entered once, when the software is installed, or get modified with a text editor when the credentials, for whatever reason, should be changed. Of course, storing them in clear text was always a bad idea. Any person with access to the server and a bit of knowledge could read and misuse them, even for dropping the complete database or manipulating accountancy data.

We are looking for a way to change this situation, and one of the options or ideas I have is to encrypt the credentials with GnuPG in some file. Any application has to decrypt this file on the fly (perhaps with a shell command) to get the USER and PASSWORD into its environment variables or internal variables, make use of them to connect to the database server, and forget the credentials again as soon as possible. Decrypting with GnuPG needs a passphrase, normally read from /dev/tty, which cannot be done here in this case. My idea here is to write a special 'pinentry' program which provides the passphrase, which is itself encrypted with Blowfish internally in the 'pinentry' program, and the 'pinentry' will only work if the process which is calling GnuPG sends over a socket or a file some information to authorize the access to this special 'pinentry'.

Any other and better ideas for this?

Thanks in advance.

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ 📱 +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
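The on-the-fly decryption step sketched in the post, as an added example that is not part of the original message and not code from Matthias or from GnuPG: an application-side helper that runs `gpg --decrypt` on a credentials file, supplies the passphrase over stdin instead of /dev/tty (`--pinentry-mode loopback` with `--passphrase-fd 0`, available in GnuPG 2.1 and later), parses the decrypted `USER=`/`PASSWORD=` lines into ordinary variables, and checks that the files involved are readable only by their owner. The file paths, the KEY=VALUE layout of the plaintext and the `mode_is_private` check are assumptions for illustration; the real pinentry-based design from the post is not implemented here.

```python
"""Decrypt a GnuPG-encrypted credentials file on the fly and hand the
USER/PASSWORD pair to the caller as local variables.  Added example for a
gnupg-users thread; paths and the plaintext layout are hypothetical."""
import os
import stat
import subprocess
from typing import Dict, List

# Hypothetical locations; the encrypted file holds lines such as
#   USER=sybase_app
#   PASSWORD='...'
# and the passphrase file holds the symmetric/private-key passphrase.
CREDS_FILE = "/etc/myapp/sybase-creds.gpg"
PASSPHRASE_FILE = "/etc/myapp/.gpg-passphrase"


def gpg_decrypt_command(creds_file: str) -> List[str]:
    """Build the gpg command line.  --pinentry-mode loopback together with
    --passphrase-fd 0 makes gpg read the passphrase from stdin, so a daemon
    without a controlling terminal (no /dev/tty) can still decrypt."""
    return [
        "gpg", "--batch", "--quiet", "--no-tty",
        "--pinentry-mode", "loopback",
        "--passphrase-fd", "0",
        "--decrypt", creds_file,
    ]


def mode_is_private(st_mode: int) -> bool:
    """True when the file mode grants no group/other permission bits."""
    return (stat.S_IMODE(st_mode) & 0o077) == 0


def file_is_private(path: str) -> bool:
    """True when the file is owned by the current user and is mode 0600 (or
    tighter); the passphrase file is the one secret that stays in clear text,
    so it must at least not be world-readable."""
    st = os.stat(path)
    return st.st_uid == os.getuid() and mode_is_private(st.st_mode)


def parse_credentials(plaintext: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines.  Blank lines and '#' comments are skipped; a
    value wrapped in matching single or double quotes has the quotes removed,
    so passwords containing spaces or '#' can be written quoted."""
    creds: Dict[str, str] = {}
    for raw in plaintext.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed credentials line: {line!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not key:
            raise ValueError(f"empty key in credentials line: {line!r}")
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        creds[key] = value
    return creds


def load_credentials(creds_file: str = CREDS_FILE,
                     passphrase_file: str = PASSPHRASE_FILE) -> Dict[str, str]:
    """Decrypt the credentials file and return {'USER': ..., 'PASSWORD': ...}.
    The result is returned to the caller rather than exported into the
    environment, since the environment of a process is visible to other
    processes of the same user (e.g. via /proc/<pid>/environ)."""
    for path in (creds_file, passphrase_file):
        if not file_is_private(path):
            raise PermissionError(f"{path} must be owned by us and mode 0600")
    with open(passphrase_file, "rb") as fh:
        passphrase = fh.read().rstrip(b"\r\n")
    proc = subprocess.run(gpg_decrypt_command(creds_file),
                          input=passphrase + b"\n",
                          capture_output=True, check=False)
    if proc.returncode != 0:
        raise RuntimeError("gpg failed: "
                           + proc.stderr.decode(errors="replace").strip())
    creds = parse_credentials(proc.stdout.decode())
    for required in ("USER", "PASSWORD"):
        if required not in creds:
            raise KeyError(f"{required} missing from decrypted credentials")
    return creds


if __name__ == "__main__":
    c = load_credentials()
    print(f"decrypted credentials for user {c['USER']!r} (password not shown)")
```

Usage: call `load_credentials()` immediately before opening the Sybase connection, pass the two values to the client library, and let the dictionary go out of scope afterwards. Note that `--passphrase-fd` only moves the secret from the credentials file to the passphrase file, so the file-permission check matters as much as the encryption; replacing that file with a dedicated pinentry, as the post proposes, is the next step.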