Encryption of the main.ini file

Hi Squirro team,

Great to see the new forum :slight_smile: I would have a question regarding the main.ini file encryption - I have read the encryption section on the documentation and would like to follow-up on the the out-of-the-box encryption service:

  • beside the config files in the /etc/squirro folder I’d also like to encrypt the main.ini file located in the config folder to have no more plaintext environment passwords within the instance. Is this also supported by the service or does this need to be specifically added/configured (and if yes, could you advice how this would be best done)?
  • alternative to the file encryption would also be the encryption of the plain text values (I think that was done at a client, but not sure anymore how).



Welcome Philipp! Great to see you here!

1 Like

Welcome @philipp.meierhofer! Thanks for your question regarding encryption of the main.ini file.

If as a partner you have access to the Squirro delivery repository you can find a README.md file in the same config directory where the main.ini file will be located with instructions on how to do this.

For reference, I have copied these instructions below.

Encrypted Configuration

For encryption of the main.ini file the same facility is supported as for the Squirro platform itself. See the online documentation for Securing your Configuration Files.

If the variables have been defined in /etc/sysconfig/squirro , then the main.ini file here is decrypted with the exact same options. If you don’t want to change that file, you can instead use ~/.squirro/sysconfig or expose the environment variables manually by any other means.

Encrypting Values

To encrypt config values, use the provided encrypt utility. Example usage:

$ export SQ_ENCRYPTION_KEY=cqZbZlmzPqhjJzMB2Lc_pa_s0VGzzSsv1SSyOoQvw8k=
$ ./common/config/encrypt squirro token
Config value: 5634…6779
The value has been encrypted as:

This resulting string ( CK_FERNET::… ) can now be stored manually in the config file as the value for the config setting:

token = CK_FERNET::gAAA…C7E2…

Manually Encrypting

If you provide your own SQ_DECRYPT_COMMAND you can also set SQ_ENCRYPT_COMMAND and use the encrypt utility as shown above.

If you want to encrypt manually, then take the encrypted value, prefix it with CK_CMD:: and put it into the config file. Example:

token = CK_CMD::7VHcxRG4FddlZDHqeY9IltV5jWebbo…
1 Like

Hi @Lauren, @sciurus_vulgaris,

Thanks a lot for the warm welcome, the quick reply and the provided details, happy to give it a try and will let you know how that works!