Re: [sqlalchemy] hiding/encrypting the Oracle database connection information?

2020-05-15 Thread Jonathan Vanasco
There are two related concerns on this concept:

* protecting your credentials in source code
* protecting your credentials on the server

For the first concern, I like to use encryption management tools like 
Blackbox (https://github.com/StackExchange/blackbox)

With an encryption management system, you "enroll" certain files to be 
managed by the system.  Instead of saving the plaintext files to version 
control, the encrypted files are saved.  Approved users (via GPG keys in 
blackbox) are able to decrypt or edit (decrypt+edit+encrypt) the files.  
**When a project is deployed to a server, the files are decrypted and the 
plaintext version is left on the server**

For the second concern, I've never seen a foolproof way to safeguard the 
plaintext "secrets".  You can force stuff into environment variables, but 
hackers can still get to those.  You can trash files after starting an 
application... but then you can't restart the application unless you have 
an external service that logs into the machine and 
decrypts/reloads/deletes.  

I would focus on safeguarding your secrets from versioncontrol, and 
constructing them in ways that are prepared for leaks (for example, 
rotating credentials periodically, using ip whitelisting to limit where 
they can be used, using ACLs on the various services to limit what each 
credential can do)

-- 
SQLAlchemy - 
The Python SQL Toolkit and Object Relational Mapper

http://www.sqlalchemy.org/

To post example code, please provide an MCVE: Minimal, Complete, and Verifiable 
Example.  See  http://stackoverflow.com/help/mcve for a full description.
--- 
You received this message because you are subscribed to the Google Groups 
"sqlalchemy" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to sqlalchemy+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/sqlalchemy/5c0f526f-299b-44bc-827e-1e0b41813586%40googlegroups.com.


Re: [sqlalchemy] hiding/encrypting the Oracle database connection information?

2020-05-15 Thread Mike Bayer
that issue is unfortunately one of the great mythological stories of business 
application development, how to configure an application such that the database 
credentials are not present in a config file where they can be viewed. 

the scope of that issue is way outside of SQLAlchemy and personally I don't 
think there is really any feasible solution to that problem - not that the 
credentials can't be encrypted, but it implies that there's a decryption key 
right nearby, which renders the whole situation basically security theater. 
Even if you have some super sophisticated remote-server kind of approach, if an 
attacker is on the machine where the software is, the Python code is right 
there; they can run whatever routines your Python code uses to get these 
credentials into memory and then they have them.

However, anyone that's worked in app dev for more than 5 years has had to deal 
with managerial teams that are trying to make it happen and perhaps theater is 
all you need. There's a good stackoverflow rundown of the full issue I found at 
https://security.stackexchange.com/a/22858 .


On Fri, May 15, 2020, at 12:30 PM, Terrence-Monroe: Brannon wrote:
> Hello, what is the recommended way to encrypt/hide the connection information 
> that SA will use to connect to an Oracle database?
> 
> Related gitter discussion - 
> https://gitter.im/sqlalchemy/community?at=5ebec23f20d9bf305768a247
> 
> 
> 

> --
>  SQLAlchemy - 
>  The Python SQL Toolkit and Object Relational Mapper
> 
> http://www.sqlalchemy.org/
> 
>  To post example code, please provide an MCVE: Minimal, Complete, and 
> Verifiable Example. See http://stackoverflow.com/help/mcve for a full 
> description.
>  --- 
>  You received this message because you are subscribed to the Google Groups 
> "sqlalchemy" group.
>  To unsubscribe from this group and stop receiving emails from it, send an 
> email to sqlalchemy+unsubscr...@googlegroups.com.
>  To view this discussion on the web visit 
> https://groups.google.com/d/msgid/sqlalchemy/95561686-5404-423a-9453-fd0625111423%40googlegroups.com
>  
> .

-- 
SQLAlchemy - 
The Python SQL Toolkit and Object Relational Mapper

http://www.sqlalchemy.org/

To post example code, please provide an MCVE: Minimal, Complete, and Verifiable 
Example.  See  http://stackoverflow.com/help/mcve for a full description.
--- 
You received this message because you are subscribed to the Google Groups 
"sqlalchemy" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to sqlalchemy+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/sqlalchemy/0775f8c2-4dde-45f9-b7af-a9b5b24f9bb1%40www.fastmail.com.