Great to see the new forum! I would have a question regarding the main.ini file encryption - I have read the encryption section of the documentation and would like to follow up on the out-of-the-box encryption service:
Besides the config files in the /etc/squirro folder I’d also like to encrypt the main.ini file located in the config folder to have no more plaintext environment passwords within the instance. Is this also supported by the service or does this need to be specifically added/configured (and if yes, could you advise how this would be best done)?
An alternative to the file encryption would also be the encryption of the plain text values (I think that was done at a client, but I'm not sure anymore how).
For reference, I have copied these instructions below.
Encrypted Configuration
For encryption of the main.ini file the same facility is supported as for the Squirro platform itself. See the online documentation for Securing your Configuration Files.
If the variables have been defined in /etc/sysconfig/squirro, then the main.ini file here is decrypted with the exact same options. If you don’t want to change that file, you can instead use ~/.squirro/sysconfig or expose the environment variables manually by any other means.
Encrypting Values
To encrypt config values, use the provided encrypt utility. Example usage:
$ export SQ_ENCRYPTION_KEY=cqZbZlmzPqhjJzMB2Lc_pa_s0VGzzSsv1SSyOoQvw8k=
$ ./common/config/encrypt squirro token
Config value: 5634…6779
The value has been encrypted as:
CK_FERNET::gAAA…C7E2…
This resulting string (CK_FERNET::…) can now be stored manually in the config file as the value for the config setting:
[squirro]
token = CK_FERNET::gAAA…C7E2…
…
Manually Encrypting
If you provide your own SQ_DECRYPT_COMMAND you can also set SQ_ENCRYPT_COMMAND and use the encrypt utility as shown above.
If you want to encrypt manually, then take the encrypted value, prefix it with CK_CMD:: and put it into the config file. Example:
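An added example, not part of the original post or the Squirro documentation (and not the CK_CMD:: example the last line refers to): a stdlib-only Python check that lists secret-looking settings in an INI file that are still plaintext, or whose CK_FERNET:: value is not shaped like a Fernet token. The option-name pattern, the sample file and the assumption that the payload after CK_FERNET:: is a standard Fernet token are constructed for illustration.

```python
import base64
import configparser
import re

# Prefixes come from this page; the option-name pattern is an assumption.
SECRET_NAME = re.compile(r"token|password|passwd|secret|key", re.I)
B64URL = re.compile(r"[A-Za-z0-9_-]+=*")

def fernet_shape_ok(payload):
    """Key-less structural check, assuming a standard Fernet token:
    0x80 version byte, 8-byte timestamp, 16-byte IV, AES blocks, 32-byte HMAC."""
    if not B64URL.fullmatch(payload):
        return False
    try:
        raw = base64.urlsafe_b64decode(payload)
    except ValueError:  # wrong padding, e.g. a value cut short when pasted
        return False
    return len(raw) >= 73 and raw[0] == 0x80 and (len(raw) - 57) % 16 == 0

def audit(ini_text):
    """Return (section, option, problem) for each secret-looking setting."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    findings = []
    for section in cp.sections():
        for option, value in cp.items(section):
            if not SECRET_NAME.search(option):
                continue
            if value.startswith("CK_FERNET::"):
                if not fernet_shape_ok(value[len("CK_FERNET::"):]):
                    findings.append((section, option, "malformed CK_FERNET value"))
            elif not value.startswith("CK_CMD::"):  # CK_CMD:: payload is opaque
                findings.append((section, option, "plaintext"))
    return findings

# Constructed sample: GOOD has Fernet shape only, it is not a real ciphertext.
GOOD = base64.urlsafe_b64encode(b"\x80" + bytes(72)).decode()
SAMPLE = f"""[squirro]
cluster = https://squirro.example.invalid
token = CK_FERNET::{GOOD}
[source]
password = hunter2
api_key = CK_FERNET::gAAAAABtruncated
client_secret = CK_CMD::b3BhcXVl
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The shape check does not prove a value decrypts with the current SQ_ENCRYPTION_KEY; it only catches plaintext leftovers and truncated or mis-pasted tokens before the service starts.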