  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1322

Encrypt password without storing the password in a file

I found some good solutions to encrypting passwords in Unix to login to an Oracle database, however, they all suggested storing the password in a secured directory.  I was told that the policy is not to store any passwords in a file at all.  How would I do this without doing that?  Is there a way to encrypt and decrypt a password during runtime???  Please help!!!!
Asked by psmall57
1 Solution
ahoffmann commented:
Any password that is to be checked needs to be stored somewhere. In your case Oracle is the store, and you can use it just out of your fingertips (without a store).
So your question is a bit vague about which "store" you mean; could you please explain.

chris_calabrese commented:
This is a chicken and egg problem.

You can store the password in an encrypted file, but then you have to store the encryption key in another file.

You can encrypt the encryption key to protect it, but then you need to store the encryption key for the encryption key in another file.

The bottom line is either a) don't use passwords for this (I believe you can set Oracle to accept the Unix ID as the database ID), or b) tell the people telling you not to store the passwords that they don't know what they're talking about (but use nicer words...).

psmall57 (author) commented:
I mean that Oracle is the store; however, I am playing by Unix (AIX) rules.  They want no passwords in files.  

Would I set up the encrypt key like this:

setenv key "key name"
crypt $key < plaintext_password_file > encrypted_file
crypt $key < encrypted_file > decrypted_file

I will write another program, in either shell, C, or Perl, to store the password in an array of some sort.  

How would I call the program from my shell scripts that contain the Oracle connection and SQL programs?  Instead of the connect clauses, do I just put these encrypted file names like so:

connect username/$key@database

@query.sql

chris_calabrese commented:
OK, now I'm even more confused than before.

What is the actual problem you are trying to solve?

ahoffmann commented:
> connect username/$key@database

Here $key has to contain the plain password (meaning whatever Oracle requires as the "secret" here).

AFAIK there is no secure way to log in to Oracle except using your fingertips; anything else is insecure by definition (see chris_calabrese's comment).
Your suggestion of using the secret in the shell environment makes it more insecure.

psmall57 (author) commented:
I have never encrypted a password before.  That is the main source of the problem, and I need to find out how to log in to the DB through my shell scripts without hardcoding the password.  That is the MAIN problem.  Sorry to be so confusing.  Maybe I am going about it wrong. I wrote an obfuscated program in C.  I guess I am going about this the wrong way.  I just have no other way to do this because I cannot put it in a file.  

chris_calabrese commented:
You store the password in a file that only your shell scripts have permission to read.
Your shell scripts then read the password from the file and pass it to sql (but not on the command line, on stdin).

psmall57 (author) commented:
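The approach in the comment above, as an added example that is not code from the thread: the script refuses to use the password file unless it is owned by the caller and has no group/world permission bits, reads it without ever placing the secret on a command line, and feeds the CONNECT statement to sqlplus on stdin. The path in PASS_FILE and the function names are chosen for this example, not taken from the question.

```shell
#!/bin/sh
# Added example (not from the thread): keep the database password in a file
# that only the job's own account can read, and hand it to sqlplus on stdin,
# never on the command line, so it is not visible in `ps` output.
# PASS_FILE and the function names below are names chosen for this example.

PASS_FILE="${PASS_FILE:-$HOME/.dbpass}"

# Refuse the file unless we own it and it has no group/world permission bits.
check_pass_file() {
    f="$1"
    [ -f "$f" ] || { echo "no password file: $f" >&2; return 1; }
    [ -O "$f" ] || { echo "refusing $f: not owned by this user" >&2; return 1; }
    # `ls -ld` prints a mode string such as -rw-------; columns 5-10 are the
    # group and other bits, which must all be '-'.
    mode=$(ls -ld "$f" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "refusing $f: group/world readable" >&2; return 1; }
}

# Print the first line of the password file on stdout (used only via $(...)),
# so the secret never becomes an argument to any process.
read_password() {
    check_pass_file "$1" || return 1
    IFS= read -r pw < "$1" || [ -n "$pw" ] || return 1
    printf '%s' "$pw"
}

# Run one SQL script as USER against DB. Only non-secret values go on the
# sqlplus command line; the CONNECT line carrying the password is piped in.
run_sql() {
    user="$1"; db="$2"; script="$3"
    pw=$(read_password "$PASS_FILE") || return 1
    {
        printf 'CONNECT %s/%s@%s\n' "$user" "$pw" "$db"
        printf '@%s\n' "$script"
        printf 'EXIT\n'
    } | sqlplus -S /nolog
}

# Usage: run_sql scott mydb query.sql
```

Two things to keep in mind when running it: never start the script with `sh -x` or `set -x`, because shell tracing would print the CONNECT line with the password to stderr, and if the job is later moved to Oracle OS authentication (an account created IDENTIFIED EXTERNALLY, as mentioned further down in the thread) the CONNECT line becomes `CONNECT /` and the password file is no longer needed at all.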
Yeah, that is what I recommended the whole time before I even put this question online.

My policy states that I cannot even do that.

I guess my only way is to fight that and get an exception.  Thanks a lot.

chris_calabrese commented:
There are non-password authentication mechanisms supported by Oracle, and you could possibly use one of those.

One is "unix authentication" or "host authentication" or something like that. This is essentially where Oracle trusts that any client running as <user>@<server> is allowed to access some Oracle account.

Another is X.509 certificates. Of course, you still have to store the cert in a file and have your script read the file. You could password protect the cert, but........