Differences
This shows you the differences between the selected revisions of the page.
| guide_protecting_credentials_for_automation 2023-03-11 | guide_protecting_credentials_for_automation 2024-04-22 (current) | ||
| Line 5: | Line 5: | ||
| * The script/code may often need to be accessible on the production system for review or auditing purposes or reuse, while the credentials should not. | * The script/code may often need to be accessible on the production system for review or auditing purposes or reuse, while the credentials should not. | ||
| - | There is no way to store passwords in script in an encrypted way. In general, it is not possible to encrypt any kind of information in a way that still allows for its use in an automatic way. If WinSCP should be able to decrypt the information, anyone can. | + | There is no way to store passwords in script in an encrypted way. In general, it is not possible to encrypt any kind of information in a way that still allows for its use in an automatic way. If WinSCP should be able to decrypt the information, anyone can.((For a real encryption, one needs to use a key. And the key needs to be stored somewhere again. It's the chicken or the egg problem.)) |
| Solution is to separate the credentials from the script/code into a configuration file. While the script/code without explicit credentials can be safely stored into a revision system and be otherwise accessible, the configuration file should be protected as much as possible. Particularly its file permissions should be restricted only to administrators (for writing) and user under which the script/code runs (for reading). The configuration file can also be encrypted, for example with [[wp>Encrypting_File_System|built-in NTFS filesystem-level encryption]]. | Solution is to separate the credentials from the script/code into a configuration file. While the script/code without explicit credentials can be safely stored into a revision system and be otherwise accessible, the configuration file should be protected as much as possible. Particularly its file permissions should be restricted only to administrators (for writing) and user under which the script/code runs (for reading). The configuration file can also be encrypted, for example with [[wp>Encrypting_File_System|built-in NTFS filesystem-level encryption]]. | ||
| Line 29: | Line 29: | ||
| </code> | </code> | ||
| ---- | ---- | ||
| - | Another way is to store the password to a separate file and use [m]-passwordsfromfiles[/m] (&beta_feature): | + | Another way is to store the password to a separate file and use [[scriptcommand_open#passwordsfromfiles|''-passwordsfromfiles'']]: |
| <code winscp> | <code winscp> | ||
| open -password=C:\path\password.txt -passwordsfromfiles sftp://username@example.com/ | open -password=C:\path\password.txt -passwordsfromfiles sftp://username@example.com/ | ||