Reply To: Protecting plain text credentials in config file

Telium Support Group
Participant
Post count: 270

The standard in Linux is to leave credentials in plain text config files, and then protect the files using file permissions (owner/group/world).

However, we realize there are some cases where even the administrator should not be aware of certain credentials, so HAast includes a “key chain” feature where HAast can store certain configuration values in an encrypted file (called a keychain). Once a key (comprised of a name and value) has been added to the keychain, its value cannot be viewed by the user; it can only be referenced by its name.

To use a keychain entry in the config file, replace the value with the key name prefixed with @. For example, if the config file contains:

[peerlink]
secret="MySecretPassword"

It could be replaced with:

[peerlink]
secret=@PeerLinkSecret

Next you should add the key to the keychain, holding the value you wish to keep hidden:

[root@qa121]# telnet localhost 3001
Connected to localhost.
Escape character is '^]'.
HAast telnet interface on 'QA121'
HAast>keychain add PeerLinkSecret
Enter the key value exactly as you want it to be stored.
key value>MySecretPassword
The value associated with key name [PeerLinkSecret] has been set
HAast>

Then just restart the HAast service and your credentials will be protected by the keychain.
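The check below is an added example, not part of the original post and not Telium's code: it audits an INI-style config file for credential options that still hold a literal value instead of an @-prefixed keychain reference, and flags a file mode that gives world access. The option names in CREDENTIAL_KEYS (other than secret), the [example] section and the sample file are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Assumption: option names that hold credentials; only "secret" appears in the post.
CREDENTIAL_KEYS = {"secret", "password"}

def audit_config(path):
    """Return findings for one INI-style config file (values are never echoed)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o007:  # any read/write/execute bit set for "world"
        findings.append(f"{path}: mode {mode:04o} gives world access to the file")
    section = None
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line[0] in "#;":
                continue  # blank line or comment
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            key, sep, value = line.partition("=")
            key = key.strip()
            if not sep or key.lower() not in CREDENTIAL_KEYS:
                continue
            value = value.strip()
            # A keychain reference is the key name prefixed with @ (per the post).
            if len(value) > 1 and value.startswith("@"):
                continue
            findings.append(
                f"{path}:{lineno}: [{section}] {key} holds a literal value, "
                "not an @keychain reference")
    return findings

def demo():
    # Constructed sample config: one literal secret, one keychain reference.
    sample = ('[peerlink]\nsecret="MySecretPassword"\n\n'
              '[example]\nsecret=@PeerLinkSecret\n')
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)          # world-readable: flagged
        loose = audit_config(path)
        os.chmod(path, 0o600)          # owner-only: permission finding clears
        tight = audit_config(path)
    return loose, tight

if __name__ == "__main__":
    print("\n".join(demo()[0]))
```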