
Proper way to handle encrypted passwords in deployment process.

Blowfelt82 asked
I have an encrypted data file which stores credentials for an environment; these credentials are used as part of an automated scripted deployment solution. Basically, a process runs a number of scripts/installers to configure a Windows environment. If one of these scripts/applications needs a password, a 'middle-man' application is called with an 'action' parameter, which will then call the target application directly and pass in the decrypted username/password pairs.

The idea behind this is that the 'middle-man' application will be the only tool capable of decrypting the password and will then only be able to run a defined set of commands using these passwords. By defining the exact commands that can be run and passing a secure parameter, I can ensure no passwords are logged and that the 'middle-man' application cannot be used in an improper way...

Hopefully that makes sense... The question here is: is there a better way of doing this? It seems like a very over-engineered solution, which requires rewrites of the 'middle-man' application every time the installation process needs a new action that requires a password.

Any ideas appreciated.

Freelance programmer / Consultant
A possible alternative would be for the 'middle-man' app to do everything from an encrypted script.
In other words, you create a script with all the commands and the necessary login info. The app reads the script, decrypts it and performs the actions, passing the username/password where they are supplied in the script.

If you need to modify anything, just create a new script, encrypt it and pass that to whoever needs it.
Top Expert 2016
Perhaps you could use standard encryption/decryption with a public/private key pair.

Your app would have the public key of each receiver and would encrypt the script for each receiver using that receiver's public key. The app then sends the encrypted script to the receiver; the receiver decrypts it using its private key, and the script can then be run on the receiver's computer.
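
The two suggestions above fit together: the 'middle-man' becomes a small runner that only executes actions from an allow-list, and the script it runs (commands plus credentials) is sealed for a specific receiver with that receiver's public key. The following Go program is an added example written for this thread, not code from either commenter or from the asker's tool. It assumes a hypothetical action name `set-service-logon` that maps to `sc.exe config <service> obj= <account> password= <password>`, and uses hybrid encryption: a fresh AES-256-GCM key per script, wrapped with RSA-OAEP for the receiver. `Run` takes an executor callback so the example can be exercised without actually touching the machine; a real deployment would pass one that calls `os/exec` with the argv slice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// Step is one action in a deployment script; the credentials travel inside it.
type Step struct {
	Action, Target, Username, Password string
}

// EncryptedScript: the JSON script sealed under a fresh AES-256-GCM key, plus that key wrapped (RSA-OAEP) for one receiver.
type EncryptedScript struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// NewReceiverKey makes a receiver's key pair (2048-bit RSA, enough for the example).
func NewReceiverKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a script for one receiver; only the matching private key can open it.
func Seal(script []Step, receiver *rsa.PublicKey) (*EncryptedScript, error) {
	plain, _ := json.Marshal(script) // a []Step of plain strings always marshals
	buf := make([]byte, 32+12)       // AES-256 key followed by a fresh GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedScript{wrapped, nonce, gcm.Seal(nil, nonce, plain, nil)}, nil
}

// Open unwraps the key, then decrypts and authenticates the script; tampering or a wrong private key fails here, before anything runs.
func Open(es *EncryptedScript, priv *rsa.PrivateKey) (steps []Step, err error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, es.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, es.Nonce, es.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	err = json.Unmarshal(plain, &steps)
	return steps, err
}

// actions is the allow-list: the only command lines the middle-man ever builds (hypothetical action name).
// The password is a single argv element, never shell-interpolated, so it is easy to keep out of logs.
var actions = map[string]func(Step) []string{
	"set-service-logon": func(s Step) []string {
		return []string{"sc.exe", "config", s.Target, "obj=", s.Username, "password=", s.Password}
	},
}

// Run dispatches each step through the allow-list. exec receives the real argv; the returned log only ever holds the redacted form.
func Run(steps []Step, exec func([]string) error) ([]string, error) {
	var log []string
	for i, s := range steps {
		h, ok := actions[s.Action]
		if !ok {
			return log, fmt.Errorf("step %d: action %q is not in the allow-list", i, s.Action)
		}
		argv := h(s)
		if err := exec(argv); err != nil {
			return log, fmt.Errorf("step %d (%s): %w", i, s.Action, err)
		}
		line := strings.Join(argv, " ")
		if s.Password != "" {
			line = strings.ReplaceAll(line, s.Password, "***")
		}
		log = append(log, line)
	}
	return log, nil
}
```

Two caveats a practitioner would want. First, this scheme gives confidentiality but not authorship: anyone with the receiver's public key can seal a script for it, so in practice the operator should also sign the script (or the receiver should only accept scripts from a pinned source). Second, the receiver's private key is now the thing worth stealing; on Windows it belongs in a machine-bound store (DPAPI, a non-exportable certificate key, or a TPM-backed key) rather than in a file next to the runner.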

Top Expert 2016

There was no response, but the author asked for 'ideas', which were given in both comments.