Using gnupg to crypt credentials used by application to access a database server

[Matthias Apitz]

Hello,

We have large application servers (written in C and C++), but also Perl
and Java applications which all contact a Sybase database server over
the network to do its work. They have to present a USER and a PASSWORD
information to connect to the Sybase ASE listening on some port. As the USER
and the PASSWORD are not entered by humans, at least not in the moment
when the access of the application is made, they are stored in clear
text in files in the UNIX (Linux, SunOS) file system. They are entered
once, when the software is installed, or get modified with a text editor,
when the credentials for whatever reason should be changed. Ofc, storing
them in clear text was always a bad idea. Any person with access to the
server and a bit of knowledge could read and misuse them, even for
dropping the complete database or manipulating accountancy data.

We are looking for a way to change this situation and one of the options
or ideas I have, is crypt the credentials with GnuPG in some file. Any
application have to decrypt this file on the flight (perhaps with a shell
command) to get the USER and PASSWORD into its environment variables or
internal variables to make use of them to connect to the database
server, and will forget the credentials again asap.

Decrypting with GnuPG needs a passphrase, normally read from /dev/tty
which can not be done here in this case. My idea here is to write a
special 'pinentry' program which provides the passphrase, which is crypted itself
with blowfish internally in the 'pinentry' program, and the 'pinentry' will
only work, if the proc which is calling GnuPG send over a socket or a
file some information to authorize the access to this special 'pinentry'.

Any other and better ideas for this?

Thanks in advance.

	matthias
-- 
Matthias Apitz, ✉ guru at unixarea.de, ⌂ http://www.unixarea.de/  📱 +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub