
By default, passwords (e.g. the default password for Redis or MySQL) are stored in plain text in the configuration files. Squirro provides a mechanism to store this sensitive information encrypted instead. The encryption is applied when Squirro is installed. There are three ways to encrypt values in configuration files:

Default encryption, key stored in environment variable

If you set the environment variable 'SQ_ENCRYPTION_KEY' to a valid encryption key, all encrypted configuration values are decrypted on load. If this variable is already set PRIOR to the installation of Squirro, all sensitive configuration values are encrypted with this key and stored in encrypted form in the .ini files. You can recognise such a value by its 'CK_FERNEL::' prefix. The value is decrypted automatically when it is used. Note that the key only protects the .ini files themselves: anyone who can read the environment of the Squirro processes (the same user or root, e.g. via /proc/<pid>/environ) can also decrypt the values, so restrict who can log in as or become that user.

How to generate a valid encryption key

Run the following in Python (the page originally used Python 2 `print`; the call form below works in both versions):

from cryptography.fernet import Fernet

# Fernet.generate_key() returns a URL-safe base64 encoded 32-byte key as bytes.
# Decode it to a string before putting it into SQ_ENCRYPTION_KEY or the key file.
key = Fernet.generate_key()
print(key.decode())


Default encryption, key stored in a file

This is very similar to the previous approach, but the encryption key is read from a file instead of an environment variable. For this to work, set the environment variable 'SQ_ENCRYPTION_KEY_FILE' to the (absolute) path of a file containing nothing but the encryption key. The file should be owned by the user Squirro runs as and be readable only by that user (e.g. mode 0400), since anyone who can read it can decrypt every value in the configuration files.

For how to generate a valid encryption key, see the previous section.
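The following is an added example, not code from the page or from Squirro itself, showing how the two key-based variants fit together: the key is resolved with the page's precedence (SQ_ENCRYPTION_KEY before SQ_ENCRYPTION_KEY_FILE), a value is encrypted with Fernet, and a value is decrypted on load, with unprefixed values passed through so encrypted and plain values can be mixed in one .ini file. The page states only the 'CK_FERNEL::' prefix; this example assumes the Fernet token follows the prefix directly, and the `env` parameter, the function names and the sample values are constructed for illustration.

```python
"""Fernet-based config-value encryption, following the page's description.

Assumption (not stated on the page): the Fernet token follows the
'CK_FERNEL::' prefix directly, and values without the prefix are plain text.
Example code written for this page, not Squirro's implementation.
"""
import os
from cryptography.fernet import Fernet, InvalidToken

PREFIX = "CK_FERNEL::"


def generate_key():
    """Same as the page's snippet: a fresh Fernet key, decoded to str so it
    can be placed in an environment variable or a key file."""
    return Fernet.generate_key().decode()


def load_key(env=None):
    """Resolve the key with the page's precedence: SQ_ENCRYPTION_KEY wins
    over SQ_ENCRYPTION_KEY_FILE. Returns the key as bytes, or None when
    neither variable is set. `env` defaults to the real process environment."""
    env = os.environ if env is None else env
    key = env.get("SQ_ENCRYPTION_KEY")
    if key:
        return key.strip().encode()
    path = env.get("SQ_ENCRYPTION_KEY_FILE")
    if path:
        with open(path, "rb") as fh:
            return fh.read().strip()  # the file contains nothing but the key
    return None


def encrypt_value(plain, key):
    """Encrypt one configuration value and return it in its stored form."""
    token = Fernet(key).encrypt(plain.encode())
    return PREFIX + token.decode()


def decrypt_value(stored, key):
    """Return the plaintext for a stored value. Unprefixed values are
    returned unchanged; a prefixed value with no key or a wrong key is an
    error rather than being silently used as-is."""
    if not stored.startswith(PREFIX):
        return stored
    if key is None:
        raise ValueError("encrypted value found but neither SQ_ENCRYPTION_KEY "
                         "nor SQ_ENCRYPTION_KEY_FILE is set")
    try:
        return Fernet(key).decrypt(stored[len(PREFIX):].encode()).decode()
    except InvalidToken:
        raise ValueError("encrypted value does not decrypt with the configured key")


def decrypt_section(section, key):
    """Decrypt every value of one .ini section (a plain dict here)."""
    return {name: decrypt_value(value, key) for name, value in section.items()}


if __name__ == "__main__":
    # Constructed sample: a key in the environment, one encrypted and one
    # plain value in the same section.
    key = generate_key()
    fake_env = {"SQ_ENCRYPTION_KEY": key}
    stored = encrypt_value("s3cret", load_key(fake_env))
    print(stored)
    print(decrypt_section({"host": "localhost", "password": stored},
                          load_key(fake_env)))
```

Rotating the key means re-encrypting every prefixed value with the new key before the old one is removed; a value that fails to decrypt is reported as an error instead of being used, which is the behaviour you want for a password.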

Custom encryption

If you want to provide your own encryption and decryption instead, set the two environment variables 'SQ_ENCRYPT_COMMAND' and 'SQ_DECRYPT_COMMAND'. Each command is called with the configuration section and the configuration key as program arguments, and the value to encrypt or decrypt is passed on stdin (the plain value for the encrypt command, the stored value for the decrypt command). The command must write the result to stdout and exit with status 0. Example invocation for the 'password' key of the 'mysql' section:

$ echo "my password" | /usr/bin/my_decrypt mysql password

Example of a dummy en/decrypt script:

#!/bin/bash
# Dummy hook: reverse the characters of the value read from stdin.
# The section and key arrive as $1 and $2 and are ignored here.
cat /dev/stdin | rev

This just reverses the characters of the value; since rev is its own inverse, the same script can serve as both the encrypt and the decrypt command. It is not safe for production at all.

As with the two approaches above, if these environment variables are set before or while you install Squirro, the sensitive configuration values are encrypted during installation. The prefix for encrypted values in this case is 'CK_CMD'.
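The following is an added example, not Squirro's code, of a driver that honours the command contract described above: it runs the configured command with the section and key as arguments, feeds the value on stdin, takes the result from stdout and treats any non-zero exit status as an error instead of falling back to the input. The dummy hook here is a Python rewrite of the page's 'rev' script so that the example runs wherever Python does; a second hook that always fails is constructed to show the error path. The 'CK_CMD::' separator, the `shlex`-style splitting of the command string and all names and sample values are assumptions made for this example.

```python
"""Driver for the SQ_ENCRYPT_COMMAND / SQ_DECRYPT_COMMAND contract from the
page: <command> <section> <key>, value on stdin, result on stdout, exit 0.

Assumptions (not on the page): the stored form is 'CK_CMD::' followed by the
command's output, and the environment variable may hold a command line that
is split shell-style. Example code written for this page, not Squirro's.
"""
import os
import shlex
import subprocess
import sys
import tempfile

PREFIX = "CK_CMD::"


class HookError(RuntimeError):
    """Raised when an en/decrypt command fails."""


def run_hook(command, section, key, value):
    """Invoke a hook per the contract and return its stdout. A non-zero exit
    is an error: never treat the input as the result, which would store or
    use a password in the wrong form without anyone noticing."""
    argv = shlex.split(command) + [section, key]
    proc = subprocess.run(argv, input=value.encode(),
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    if proc.returncode != 0:
        raise HookError("%s exited %d for [%s] %s: %s" % (
            argv[0], proc.returncode, section, key,
            proc.stderr.decode(errors="replace").strip()))
    return proc.stdout.decode().rstrip("\n")


def encrypt_value(section, key, plain, env):
    return PREFIX + run_hook(env["SQ_ENCRYPT_COMMAND"], section, key, plain)


def decrypt_value(section, key, stored, env):
    if not stored.startswith(PREFIX):
        return stored  # plain values pass through: mixing is allowed
    return run_hook(env["SQ_DECRYPT_COMMAND"], section, key, stored[len(PREFIX):])


def write_dummy_hooks(directory):
    """Constructed stand-in for the page's bash/rev script, plus a hook that
    always fails. rev is its own inverse, so one script serves both commands."""
    rev = os.path.join(directory, "dummy_rev.py")
    with open(rev, "w") as fh:
        fh.write("import sys\nsys.stdout.write(sys.stdin.read().rstrip('\\n')[::-1])\n")
    fail = os.path.join(directory, "dummy_fail.py")
    with open(fail, "w") as fh:
        fh.write("import sys\nsys.stderr.write('no key material\\n')\nsys.exit(1)\n")
    as_cmd = lambda path: "%s %s" % (shlex.quote(sys.executable), shlex.quote(path))
    return as_cmd(rev), as_cmd(fail)


def roundtrip_demo():
    """Encrypt and decrypt the page's sample value through the dummy hook."""
    with tempfile.TemporaryDirectory() as tmp:
        rev_cmd, _ = write_dummy_hooks(tmp)
        env = {"SQ_ENCRYPT_COMMAND": rev_cmd, "SQ_DECRYPT_COMMAND": rev_cmd}
        stored = encrypt_value("mysql", "password", "my password", env)
        return stored, decrypt_value("mysql", "password", stored, env)


def failing_hook_raises():
    """True if a hook exiting non-zero is reported as an error."""
    with tempfile.TemporaryDirectory() as tmp:
        _, fail_cmd = write_dummy_hooks(tmp)
        env = {"SQ_DECRYPT_COMMAND": fail_cmd}
        try:
            decrypt_value("mysql", "password", PREFIX + "anything", env)
        except HookError:
            return True
        return False


if __name__ == "__main__":
    print(roundtrip_demo())      # ('CK_CMD::drowssap ym', 'my password')
    print(failing_hook_raises())  # True
```

A real hook would call out to a KMS or HSM and should log to stderr only; anything it writes to stdout becomes the stored or decrypted value.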


In all three cases you are free to encrypt only some values, or to add or change encrypted values after installation. Encrypted and non-encrypted values can be mixed within one configuration file.

If several of these environment variables are set, the following precedence applies:

  1. SQ_ENCRYPTION_KEY
  2. SQ_ENCRYPTION_KEY_FILE
  3. SQ_ENCRYPT_COMMAND and SQ_DECRYPT_COMMAND