Hide passwords in ENV vars in dashboard

security
support
raspberrypi3
docker

#1

I’m using resin to deploy my project.
Among other things, I store several passwords/secret keys as env vars in the dashboard of my resin account.
My worry is that someday a support guy might have access to this account, and I want to hide the values of these passwords/keys from him. I don’t want to leave those credentials so visible, but at the same time I still want to save them in env vars.
I know that I can also create env vars from the Dockerfile, but let’s not consider this option for now.

My question: Is there any best practice in resin to achieve what I described above, or somehow to encrypt those secret credentials and not to write them as plain text in the dashboard?


#2

Hi dbeqiraj,

Our support team only has access to your project if you explicitly grant permission for them to do so – that said it is entirely possible to encrypt your passwords and keys.

The implementation details will vary between languages and environments, but in general terms there are two ways of doing so: one would be to use a private key file, or a password which you include in your project’s code to decrypt the passwords / keys.

You can try that out on the command line using:
echo -n "aaaabbbbccccdddd" | openssl enc -e -aes-256-cbc -a -salt
… enter a password twice…
echo "..output string from above.." | openssl enc -d -aes-256-cbc -a -salt
… enter password you used…

And you should see the decrypted input string again.

So to implement this in your project, you would encode the passwords and keys using a similar method, and decode them using the openssl APIs in the language you’re using for your project.
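The round trip described in the reply above, written as a non-interactive script; this is an added example and not part of the original thread. The variable name `DB_PASSWORD_ENC`, the passphrase file and the sample values are assumptions made for illustration, and `-pbkdf2`/`-iter` (OpenSSL 1.1.1 or later) replace the older default key derivation that the commands in the reply rely on.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed names: DB_PASSWORD_ENC,
# the passphrase file, and the sample values (all constructed).
# -pbkdf2/-iter need OpenSSL 1.1.1+; the thread's commands use the older default KDF.

# Intentionally left unquoted below so the shell splits it into separate options.
CIPHER_OPTS="-aes-256-cbc -pbkdf2 -iter 100000 -a -A"

# Run once on a workstation; paste the output into the dashboard variable.
# -A keeps the base64 on one line so it fits in a single env var value.
encrypt_secret() {  # $1 = plaintext, $2 = passphrase file
    printf '%s' "$1" | openssl enc -e -salt $CIPHER_OPTS -pass "file:$2"
}

# Run in the container at start-up. Fails closed: empty input, an unreadable
# passphrase file or an openssl error all return non-zero.
decrypt_secret() {  # $1 = base64 ciphertext, $2 = passphrase file
    [ -n "$1" ] || { echo "ciphertext variable is empty" >&2; return 1; }
    [ -r "$2" ] || { echo "passphrase file not readable" >&2; return 1; }
    printf '%s' "$1" | openssl enc -d $CIPHER_OPTS -pass "file:$2"
}

# Demo with constructed values: what goes in the dashboard, what the app sees.
demo() {
    passfile=$(mktemp) || return 1
    printf '%s\n' 'constructed-demo-passphrase' > "$passfile"
    DB_PASSWORD_ENC=$(encrypt_secret 'aaaabbbbccccdddd' "$passfile")
    echo "dashboard value: $DB_PASSWORD_ENC"
    DB_PASSWORD=$(decrypt_secret "$DB_PASSWORD_ENC" "$passfile") || {
        rm -f "$passfile"
        return 1
    }
    rm -f "$passfile"
    echo "decrypted at start-up: $DB_PASSWORD"
}
demo
```

This hides the value from anyone who can only see the dashboard; anyone who has both the project image (with its passphrase file) and the variable can still decrypt it.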