https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26790

--- Comment #23 from David Cook <dc...@prosentient.com.au> ---

(In reply to Marcel de Rooy from comment #22)
> Does this report include thinking about how we could secure more sensitive
> data in our koha-conf file? Like DB password, encryption key, etc. Note e.g.
> discussion on encryption keys in koha-conf on 34976.

I hadn't thought of that specifically, but there's no reason we couldn't think about that too.

I think that sensitive data in koha-conf.xml is fairly secure at the moment. Only root and the Koha instance user can read koha-conf.xml (at least with the Debian packages).

But are you thinking of something more like "docker secret"? Or AWS Secrets Manager/HashiCorp Vault? Something where the secrets are encrypted at rest?

I think the tough part with Koha is there are so many moving pieces. Lots of daemons, lots of cronjobs. All of which need access to the secret/sensitive data, which gets more complicated if you have to deal with secret keepers running in a separate process, which need security of their own too.

--

It could be interesting to build multiple ways to get secret/sensitive data. With "docker secret", maybe some way to say KOHA_CONF=/run/secrets/koha-conf.yml. Symlinks might also be workable here.

I think secret keepers would be harder, but not impossible.

--

Overall, this is probably a good place to be thinking about these things.

_______________________________________________
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
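The comment rests on a file-permission claim (only root and the instance user can read koha-conf.xml) and floats pointing `KOHA_CONF` at a secrets mount, possibly through a symlink. The shell check below is an added example, not code from the Koha project or from this thread: it resolves symlinks, then verifies that the file a config variable points at has no "other" permission bits set. It assumes GNU coreutils (`stat -c`, `readlink -f`); the temporary file, its contents and the `KOHA_CONF` value in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Koha bug thread or project): audit whether a
# secret-bearing config file is readable only by its owner and group.
# Assumes GNU coreutils for `stat -c` and `readlink -f`.

# check_conf_perms FILE
#   Resolves symlinks (e.g. KOHA_CONF -> /run/secrets/koha-conf.yml), then
#   fails (returns 1) if the "other" octal digit of the mode is non-zero,
#   i.e. any user on the host could read the DB password or encryption key.
#   Returns 2 when the file does not exist.
check_conf_perms() {
    target=$(readlink -f "$1") || return 2
    if [ ! -f "$target" ]; then
        echo "missing: $1"
        return 2
    fi
    mode=$(stat -c '%a' "$target")        # octal mode, e.g. 640
    owner=$(stat -c '%U:%G' "$target")    # owner:group
    other=$(printf '%s' "$mode" | tail -c 1)   # last digit = "other" bits
    if [ "$other" != "0" ]; then
        echo "WORLD-READABLE: $target mode $mode owner $owner"
        return 1
    fi
    echo "ok: $target mode $mode owner $owner"
    return 0
}

# audit_koha_conf FALLBACK
#   Checks whatever KOHA_CONF points at, falling back to FALLBACK when the
#   variable is unset. The fallback path is the caller's choice.
audit_koha_conf() {
    check_conf_perms "${KOHA_CONF:-$1}"
}

# demo: constructed files in a temp dir, one good and one world-readable case.
demo() {
    tmp=$(mktemp -d)
    printf '<config><pass>constructed-placeholder</pass></config>\n' > "$tmp/koha-conf.xml"
    chmod 640 "$tmp/koha-conf.xml"
    ln -s "$tmp/koha-conf.xml" "$tmp/koha-conf.link"
    KOHA_CONF="$tmp/koha-conf.link" audit_koha_conf "$tmp/koha-conf.xml"   # ok
    chmod 644 "$tmp/koha-conf.xml"
    if check_conf_perms "$tmp/koha-conf.xml"; then :; fi                     # WORLD-READABLE
    rm -rf "$tmp"
    return 0
}

demo
```

The check deliberately follows symlinks before reading the mode, because a tightly-permissioned symlink in `/etc/koha` says nothing about the target it points at; it is the resolved file that the daemons and cronjobs actually open.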