Proper way to handle encrypted passwords in deployment process.

I have an encrypted data file which stores credentials for an environment; these credentials are used as part of an automated scripted deployment solution. Basically, a process runs a number of scripts/installers to configure a Windows environment. If one of these scripts/applications needs a password, a 'middle-man' application is called with an 'action' parameter, which will then call the target application directly and pass in the decrypted username/password pairs.

The idea behind this is that the 'middle-man' application will be the only tool capable of decrypting the password and will then only be able to run a defined set of commands using these passwords. By defining the exact commands that can be run and passing a secure parameter, I can ensure no passwords are logged and that the "middle-man" application cannot be used in an improper way...

Hopefully that makes sense... The question here is: is there a better way of doing this? It seems like a very over-engineered solution, which requires rewrites of the "middle-man" application every time a new action that requires a password is needed in the installation process.

Any ideas appreciated.

AndyAinscow (Freelance programmer / Consultant) commented:
A possible alternative would be that the 'middle man' app does everything from an encrypted script.
In other words, you create a script with all the commands and necessary login info. The app reads the script, decrypts it and performs the actions, passing username/password when supplied in the script.

If you need to modify anything, then just create a new script, encrypt it and pass that to whoever needs it.

Perhaps you could use standard encryption/decryption using a public and private key-pair.

Your app would have the public key of each receiver and encrypts the scripts to pass to the receivers by using the corresponding public key. Then the app sends the encrypted script to the receiver. The receiver receives the encrypted script and decrypts it using its private key. Then the script could be performed at the receiver's computer.

There was no response, but the author asked for 'ideas', which were given by both comments.
