I am providing my solution in the form of a Java project, including the source (not just a compiled program).
There's no particular security concern here, since the whole product and my project (which does some additional stuff
with the product), as well as the infrastructure it's deployed on, will be made public for anyone to use.
Still, I think I should protect as much data as I can, and when things become public, we can look into un-protecting
anything we want.
Also, from a personal point of view, I am fascinated by the opportunity to do things this way. Definitely useful for
The source makes use of some protected files and information:
- p12 keystore files (I need to deliver those with my solution)
- keystore passwords
- passwords to private keys inside the keystores
I am already aware of HashiCorp Vault and have used that successfully, but I don't think we deploy this into our
platforms and my needs are much simpler.
What I am currently doing:
And this already provides pretty decent protection: All keystores are protected with the same password, which is
given to users via a secure channel and hopefully they don't stick a post-it note with it on their screen!
However, I am still not happy:
- Passwords to private keys that are inside the protected keystores are hard-coded in an enum
- I am going to have a lot of keystores, private keys, etc...
- I am also thinking about issuing different passwords to users, to enable some form of repudiation
I want to avoid: -Dexecpass=myPassword -Dprvkpass1=myPrvKpass1, -Dpkrvpass2=myPrvKpass2, ...
I was thinking something like an encrypted file with all the passwords and ONE -Dexecpass=... will open everything.
What are some simple ways to write some Java code that decrypts a file that I can distribute freely?
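
One way to implement the single encrypted password file described in the question, using only the JDK (PBKDF2 to turn the master password into a key, AES-GCM to encrypt a properties file). This is an added example, not part of the original post; the class name `PasswordVault`, the file layout, the iteration count and the sample values are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.*;
import java.io.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Properties;

public class PasswordVault { // hypothetical class name
    static final int SALT = 16, IV = 12, TAG = 16, ITERATIONS = 600_000; // assumed parameters
    // Derive a 256-bit AES key from the master password with PBKDF2-HMAC-SHA256.
    static SecretKeySpec deriveKey(char[] master, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(master, salt, ITERATIONS, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(key, "AES");
    }
    // Assumed file layout: salt (16 bytes) || IV (12 bytes) || AES-GCM ciphertext incl. 16-byte tag.
    public static byte[] seal(char[] master, Properties secrets) throws Exception {
        byte[] salt = new byte[SALT], iv = new byte[IV];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt); // fresh salt and IV on every write, never reused
        rng.nextBytes(iv);
        StringWriter plain = new StringWriter();
        secrets.store(plain, null);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(master, salt), new GCMParameterSpec(TAG * 8, iv));
        byte[] ct = c.doFinal(plain.toString().getBytes(StandardCharsets.UTF_8));
        return ByteBuffer.allocate(SALT + IV + ct.length).put(salt).put(iv).put(ct).array();
    }
    // Throws AEADBadTagException if the master password is wrong or the file was modified.
    public static Properties open(char[] master, byte[] blob) throws Exception {
        if (blob.length < SALT + IV + TAG) throw new IllegalArgumentException("file too short");
        byte[] salt = new byte[SALT], iv = new byte[IV], ct = new byte[blob.length - SALT - IV];
        ByteBuffer.wrap(blob).get(salt).get(iv).get(ct);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(master, salt), new GCMParameterSpec(TAG * 8, iv));
        Properties secrets = new Properties();
        secrets.load(new StringReader(new String(c.doFinal(ct), StandardCharsets.UTF_8)));
        return secrets;
    }
    public static void main(String[] args) throws Exception {
        // Constructed demo values; the master password comes from -Dexecpass as in the question.
        char[] master = System.getProperty("execpass", "constructed-demo-master").toCharArray();
        Properties p = new Properties();
        p.setProperty("prvkpass1", "constructed-key-password-1");
        System.out.println(open(master, seal(master, p)).getProperty("prvkpass1"));
    }
}
```

Values passed with `-D` are visible in the process command line to other local users; reading the master password with `System.console().readPassword()` avoids that.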