Using gnupg to crypt credentials used by application to access a database server

gnupg at raf.org gnupg at raf.org
Mon Jul 16 05:25:00 CEST 2018


Matthias Apitz wrote:

> Hello,
> 
> We have large application servers (written in C and C++), but also Perl
> and Java applications which all contact a Sybase database server over
> the network to do their work. They have to present a USER and a PASSWORD
> information to connect to the Sybase ASE listening on some port. As the USER
> and the PASSWORD are not entered by humans, at least not in the moment
> when the access of the application is made, they are stored in clear
> text in files in the UNIX (Linux, SunOS) file system. They are entered
> once, when the software is installed, or get modified with a text editor,
> when the credentials for whatever reason should be changed. Ofc, storing
> them in clear text was always a bad idea. Any person with access to the
> server and a bit of knowledge could read and misuse them, even for
> dropping the complete database or manipulating accountancy data.
> 
> We are looking for a way to change this situation and one of the options
> or ideas I have, is crypt the credentials with GnuPG in some file. Any
> application has to decrypt this file on the fly (perhaps with a shell
> command) to get the USER and PASSWORD into its environment variables or
> internal variables to make use of them to connect to the database
> server, and will forget the credentials again asap.
> 
> Decrypting with GnuPG needs a passphrase, normally read from /dev/tty
> which can not be done here in this case. My idea here is to write a
> special 'pinentry' program which provides the passphrase, which is crypted itself
> with blowfish internally in the 'pinentry' program, and the 'pinentry' will
> only work, if the proc which is calling GnuPG sends over a socket or a
> file some information to authorize the access to this special 'pinentry'.
> 
> Any other and better ideas for this?
> 
> Thanks in advance.
> 
> 	matthias

Investigate Vault by HashiCorp.
