Securing Configuration Files#
Introduction#
By default, passwords (e.g. the default password for Redis or MySQL) are stored in plain text in the configuration files. However, we provide a mechanism to encrypt this sensitive information. The encryption happens when Squirro is installed.
Encryption Methods#
There are three modes of encrypting Squirro configuration files:
Encryption key in a Unix environment variable
Encryption key stored in a file
Custom command for encrypting and decrypting
Environment Variable#
If you set the environment variable SQ_ENCRYPTION_KEY to a valid encryption key, all encrypted configuration values will be decrypted on load. If this environment variable is already set before Squirro is installed, all sensitive configuration values will be encrypted with this key and stored in encrypted form in the INI files. You can recognise such a value because it starts with CK_FERNET::. The value is decrypted automatically when it is used.
Generating Key#
Run the following commands in Python to generate a valid encryption key:
from cryptography.fernet import Fernet
key = Fernet.generate_key()
print(key.decode())
Key Stored in a File#
This is very similar to the previous approach, but the encryption key is stored in a file instead of an environment variable. For this to work, set the SQ_ENCRYPTION_KEY_FILE environment variable to the (absolute) path of a file containing nothing but the encryption key.
For how to generate a valid encryption key, see the previous section.
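An added example (not Squirro's own code) that creates a key file readable only by its owner and checks that an existing file holds one well-formed Fernet key. It relies on a Fernet key being 32 random bytes in URL-safe base64, which is what Fernet.generate_key() produces; the function names are hypothetical.

```python
import base64
import os
import stat


def write_key_file(path):
    """Create a new key file with mode 0600; refuse to overwrite an existing one."""
    # 32 random bytes, URL-safe base64: the same shape Fernet.generate_key() returns.
    key = base64.urlsafe_b64encode(os.urandom(32))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(key)  # nothing but the key
    return key.decode()


def check_key_file(path):
    """Return a list of problems found with a key file (empty list means OK)."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append("accessible by group or others (mode %o)" % mode)
    with open(path, "rb") as handle:
        raw = handle.read().strip()
    try:
        decoded = base64.b64decode(raw, altchars=b"-_", validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        decoded = b""
    if len(decoded) != 32:
        problems.append("not a 32-byte URL-safe base64 Fernet key")
    return problems
```

Point SQ_ENCRYPTION_KEY_FILE at the absolute path of the file once `check_key_file` returns an empty list.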
Custom Encryption#
If you want to provide your own encryption and decryption algorithms instead, you can set the two environment variables SQ_ENCRYPT_COMMAND and SQ_DECRYPT_COMMAND. They are called with the configuration section and the configuration key as program arguments, and the value to encrypt or decrypt is sent on stdin. The encrypted or decrypted value is returned on stdout with an exit status of 0.
An example invocation of this script:
$ echo "my password" | /usr/bin/my_decrypt mysql password
An example encryption and decryption script:
#!/bin/bash
cat /dev/stdin | rev
This just reverses the order of the characters in the password, which is obviously not safe for production at all.
The prefix for encrypted values in this case is: CK_CMD.
Configuration Values from Environment Variables#
Warning
This feature was introduced in version 3.11.3 and is currently experimental, so its syntax may change in the future.
When Squirro services are running inside a container, it is often useful to pass in configuration values as environment variables. Squirro supports this by allowing you to reference environment variables in the configuration files. To enable this feature, set the environment variable SQ_ENABLE_CK_ENV to any value.
If you wish for a configuration value to be the value of a certain environment variable, you can use the following syntax:
password = CK_ENV::SQ_EXAMPLE_ENV
This will replace the value of the password key with the value of the environment variable SQ_EXAMPLE_ENV.
Note
There is a non-mandatory convention to prefix the Squirro-related environment variables with SQ_ to avoid conflicts with other environment variables.
If the value of SQ_EXAMPLE_ENV is written in a format like secretsfile:/tmp/mysecret.txt, the value used for the configuration will be read from the file /tmp/mysecret.txt.
password = CK_ENV::SQ_EXAMPLE_ENV||default:default_password
If the environment variable is not set, the value of default_password will be used.
password = CK_ENV::SQ_EXAMPLE_ENV||trim:22
If the environment variable is set, the value will be trimmed to 22 characters.
password = CK_ENV::SQ_EXAMPLE_ENV||rehash:random_salt
If the environment variable is set, the value will be hashed with the salt random_salt.
password = CK_ENV::secretsfile:/tmp/mysecret.txt
The value used for the configuration will be read from the file /tmp/mysecret.txt.
There is additionally a syntax that supports string formatting:
db = CK_ENV::SQ_SQL_URI||default:{0}://{1}:{2}@{3}:{4}/{5}||args:SQ_SQL_PROTOCOL,SQ_SQL_USER,SQ_SQL_PASSWORD,SQ_SQL_HOST,SQ_SQL_PORT,SQ_SQL_DATABASE
In this example, the value of the db key will be the formatted string of the values of the environment variables SQ_SQL_PROTOCOL, SQ_SQL_USER, SQ_SQL_PASSWORD, SQ_SQL_HOST, SQ_SQL_PORT, and SQ_SQL_DATABASE. Values that start with secretsfile: will be interpreted as file paths and the contents of the file will be used as the value, as if the value was written in the configuration file directly.
Precedence#
If more than one of these environment variables is configured, the following list shows the precedence:
SQ_ENCRYPTION_KEY
SQ_ENCRYPTION_KEY_FILE
SQ_ENCRYPT_COMMAND and SQ_DECRYPT_COMMAND
SQ_ENABLE_CK_ENV
Encrypt#
To encrypt values, set the right environment variables before installing Squirro.
If you want to turn on encryption after the initial Squirro installation, run the following command:
python /opt/squirro/tools/secure-001-encrypt-config-files.py
The Squirro environment needs to be activated for this, as follows:
CentOS7 / RH7
source /opt/rh/rh-python36/enable;
source /opt/squirro/virtualenv3/bin/activate;
CentOS8 / RH8
source /opt/squirro/virtualenv3/bin/activate;
Validate Encryption#
After encryption, only encoded passwords should be found in the configuration files.
$ cd /etc/squirro
# should return nothing
$ grep -rnF . -e "$PLAIN_PASSWORD"
# should return all encoded passwords
$ grep -rn . -e 'CK_FERNET'
./cluster.ini:14:password = CK_FERNET::gAAAAABhQz8...
./datasource.ini:15:redis_password = CK_FERNET::gAAAAABhQz8wb2pcLWhZmao6zt9UeR...
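The grep check above needs the plaintext password in hand. As an added example (not a Squirro tool), the script below walks a directory of INI files and reports password-like keys whose values do not carry one of the prefixes described on this page. The key-name pattern and function names are assumptions, and the sample files are constructed.

```python
import configparser
import os
import re
import tempfile

PROTECTED_PREFIXES = ("CK_FERNET::", "CK_CMD", "CK_ENV::")  # prefixes named on this page
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token", re.I)  # assumed heuristic


def find_plaintext_secrets(config_dir):
    """Return sorted (file, section, key) tuples for unprotected sensitive values."""
    findings = []
    for root, _dirs, files in os.walk(config_dir):
        for name in sorted(files):
            if not name.endswith(".ini"):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, config_dir)
            parser = configparser.RawConfigParser(strict=False)  # no % interpolation
            try:
                parser.read(path)
            except configparser.Error:
                findings.append((rel, "<unparseable>", ""))
                continue
            for section in parser.sections():
                for key, value in parser.items(section):
                    if not SENSITIVE_KEY.search(key) or not value:
                        continue
                    if not value.startswith(PROTECTED_PREFIXES):
                        findings.append((rel, section, key))  # never log the value
    return sorted(findings)


def demo():
    """Run the audit over two constructed INI files."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "cluster.ini"), "w") as fh:
            fh.write("[mysql]\npassword = CK_FERNET::gAAAAABconstructed\n")
        with open(os.path.join(tmp, "datasource.ini"), "w") as fh:
            fh.write("[redis]\nredis_password = hunter2\nhost = localhost\n")
        return find_plaintext_secrets(tmp)


if __name__ == "__main__":
    for finding in demo():
        print("plaintext value: %s [%s] %s" % finding)
```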
Starting Squirro#
To start Squirro after you have encrypted the configuration files, ensure that these environment variables are available to the daemons. You do this by adding them to the following file: /etc/sysconfig/squirro.
The file contains commented-out versions of these keys by default. Uncomment the appropriate key and set the desired value.
# encrypt passwords using the following settings per
# https://go.squirro.com/securing-config
# SQ_ENCRYPTION_KEY=
# SQ_ENCRYPTION_KEY_FILE=
# SQ_DECRYPT_COMMAND=
# SQ_ENCRYPT_COMMAND=