Encryption of the main.ini file

Hi Squirro team,

Great to see the new forum :slight_smile: I would have a question regarding the main.ini file encryption - I have read the encryption section in the documentation and would like to follow up on the out-of-the-box encryption service:

  • besides the config files in the /etc/squirro folder I’d also like to encrypt the main.ini file located in the config folder to have no more plaintext environment passwords within the instance. Is this also supported by the service or does this need to be specifically added/configured (and if yes, could you advise how this would be best done)?
  • alternative to the file encryption would also be the encryption of the plain text values (I think that was done at a client, but not sure anymore how).

Thanks,
Philipp

2 Likes

Welcome Philipp! Great to see you here!

1 Like

Welcome @philipp.meierhofer! Thanks for your question regarding encryption of the main.ini file.

If, as a partner, you have access to the Squirro delivery repository, you can find a README.md file in the same config directory where the main.ini file will be located, with instructions on how to do this.

For reference, I have copied these instructions below.

Encrypted Configuration

For encryption of the main.ini file the same facility is supported as for the Squirro platform itself. See the online documentation for Securing your Configuration Files.

If the variables have been defined in /etc/sysconfig/squirro, then the main.ini file here is decrypted with the exact same options. If you don’t want to change that file, you can instead use ~/.squirro/sysconfig or expose the environment variables manually by any other means.

Encrypting Values

To encrypt config values, use the provided encrypt utility. Example usage:

$ export SQ_ENCRYPTION_KEY=cqZbZlmzPqhjJzMB2Lc_pa_s0VGzzSsv1SSyOoQvw8k=
$ ./common/config/encrypt squirro token
Config value: 5634…6779
The value has been encrypted as:
CK_FERNET::gAAA…C7E2…

This resulting string (CK_FERNET::…) can now be stored manually in the config file as the value for the config setting:

[squirro]
token = CK_FERNET::gAAA…C7E2…
…

Manually Encrypting

If you provide your own SQ_DECRYPT_COMMAND you can also set SQ_ENCRYPT_COMMAND and use the encrypt utility as shown above.

If you want to encrypt manually, then take the encrypted value, prefix it with CK_CMD:: and put it into the config file. Example:

[squirro]
token = CK_CMD::7VHcxRG4FddlZDHqeY9IltV5jWebbo…

1 Like
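A check that can be run after following the instructions above, added here as an example and not part of the original reply or of Squirro's tooling: it lists options in an INI file whose names look sensitive but whose values carry neither the CK_FERNET:: nor the CK_CMD:: prefix. The option-name pattern, the helper names and the sample config are assumptions constructed for illustration, and the file is assumed to parse with Python's configparser.

```python
import configparser
import re

# Prefixes shown in the thread for encrypted config values.
ENCRYPTED_PREFIXES = ("CK_FERNET::", "CK_CMD::")
# Assumption: a heuristic for option names that hold secrets; tune per config.
SENSITIVE_NAME = re.compile(r"(pass(word|wd)?|token|secret|key)", re.I)

# Constructed sample config; all values are placeholders, not real credentials.
SAMPLE_INI = """
[squirro]
cluster = https://squirro.example.invalid
token = CK_FERNET::gAAAAA-constructed-placeholder

[source_db]
username = loader
password = constructed-plaintext-value
api_key = CK_CMD::constructed-placeholder

[smtp]
password =
"""


def find_plaintext_secrets(ini_text):
    """Return sorted (section, option) pairs whose name looks sensitive
    but whose non-empty value lacks an encrypted-value prefix."""
    # interpolation=None so '%' inside a value is not treated as a reference.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    findings = []
    for section in parser.sections():
        for option, value in parser.items(section):
            value = (value or "").strip()
            if not value or not SENSITIVE_NAME.search(option):
                continue
            if not value.startswith(ENCRYPTED_PREFIXES):
                findings.append((section, option))
    return sorted(findings)


if __name__ == "__main__":
    for section, option in find_plaintext_secrets(SAMPLE_INI):
        # Report the location only; never echo the secret itself.
        print(f"plaintext secret: [{section}] {option}")
```

The name pattern is deliberately broad, so expect some false positives (any option containing "key") and review the findings by hand.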

Hi @Lauren, @sciurus_vulgaris,

Thanks a lot for the warm welcome, the quick reply and the provided details. Happy to give it a try, and I will let you know how that works!

Thanks,
Philipp