Sometime back we were arguing, intelligently, with thewormkill about how best one can share credentials using a VCS without fear of compromise: how best to write code that needs credentials, test it, and still have no fear that you will accidentally push them to a version control system like git.
The discussion led to a lot of intelligent points and I will discuss a few major ones I can remember:
When a script needs username and password credentials, for database connections, RPC, emailing and other stuff, storing them in environment variables and reading them from the script is better than writing them into the source: the secret is never in the file, so it cannot be committed by accident. Keep in mind it is still visible to every process that inherits your shell's environment (and to anyone reading /proc/<pid>/environ with your privileges), so this moves the risk rather than removing it.
Add this to your .bashrc, or look for the Windows equivalent (a user environment variable):
export EvilzoneUsername='kenjoe41'; export EvilzonePassword='S0meon3F4ir198e'
Then you can read them from a script without hard-coding anything:
import os

# Read the credentials from the environment; .get() returns None if the variable is unset
usernm = os.environ.get('EvilzoneUsername')
password = os.environ.get('EvilzonePassword')
# do whatever you want with your credentials here
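As an added example (my own code, not from the original post or any project it links): a small module that reads the same two variables but fails loudly, naming the missing variable without echoing values, plus a heuristic scanner for hard-coded credentials that can sit in a git pre-commit hook. The variable names come from the post; the two sample scripts are constructed for the example and the regexes are my own heuristics, not a published tool.

```python
import os
import re
from typing import Dict, List, Mapping, Optional, Tuple

# Variable names taken from the post above; adjust to your own scripts.
REQUIRED_VARS = ("EvilzoneUsername", "EvilzonePassword")


class MissingCredentials(RuntimeError):
    """Raised when a required variable is unset or empty."""


def load_credentials(environ: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Read the credentials from the environment (os.environ by default).

    Fails fast and names the *variables* that are missing; it never echoes
    their values, so the error message can safely end up in a log file.
    """
    env = os.environ if environ is None else environ
    missing = [name for name in REQUIRED_VARS if not env.get(name)]
    if missing:
        raise MissingCredentials("set these environment variables: " + ", ".join(missing))
    return {name: env[name] for name in REQUIRED_VARS}


# Heuristics for a pre-commit check (my own, constructed for this example):
#  1. a quoted literal assigned to a name that smells like a secret
#  2. user:password@ embedded in a URL such as a database DSN
_SECRET_ASSIGNMENT = re.compile(
    r"""(?i)\b(?P<name>(?:pass(?:word|wd)?|pwd|secret|token|api_?key)\w*)\s*=\s*['"][^'"]{4,}['"]"""
)
_URL_CREDENTIAL = re.compile(r"://[^/\s:@]+:[^/\s@]+@")


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every line that looks like a hard-coded secret."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comments are not executed; skipped to keep noise down
        m = _SECRET_ASSIGNMENT.search(line)
        if m:
            hits.append((lineno, "literal assigned to " + m.group("name")))
        elif _URL_CREDENTIAL.search(line):
            hits.append((lineno, "credentials embedded in URL"))
    return hits


# Constructed samples: the pattern the post warns against, and the env-var version.
BAD_SCRIPT = """import smtplib
username = 'kenjoe41'
password = 'S0meon3F4ir198e'
DB_URL = "postgres://app:hunter22@db.internal/app"
"""

GOOD_SCRIPT = """import os
username = os.environ.get('EvilzoneUsername')
password = os.environ.get('EvilzonePassword')
DB_URL = "postgres://db.internal/app"
"""


def main(paths: List[str]) -> int:
    """Pre-commit entry point: exit non-zero if any staged file leaks a secret."""
    bad = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, reason in find_hardcoded_secrets(fh.read()):
                print(f"{path}:{lineno}: {reason}")
                bad += 1
    return 1 if bad else 0


if __name__ == "__main__":
    import sys
    # Wired into .git/hooks/pre-commit, for example as:
    #   git diff --cached --name-only --diff-filter=ACM | xargs python3 check_secrets.py
    sys.exit(main(sys.argv[1:]))
```

Run over the constructed samples, the scanner flags lines 3 and 4 of BAD_SCRIPT and nothing in GOOD_SCRIPT. The regexes are deliberately crude (they will not catch a secret hidden in a base64 blob, and they will flag a variable called password_hash); the point is a cheap gate that fires before the commit exists, because once a secret is in git history it has to be treated as burned and rotated.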
You can always set them on a new system you are going to use the script on, or read them from the command line and store them in an env var, and you are good to go. Heroku uses env vars heavily:
https://devcenter.heroku.com/articles/config-vars

The next risk about putting them in a script directly is how easily they end up in a VCS, and with the automated monitoring of public git repositories for leaked credentials this can get very detrimental. My google search brought me to this discussion which inspired a very good article here:
https://gist.github.com/shadowhand/873637
Now this is all about creating an encrypted git repo. If you experiment with it, you could make a submodule in your repo and have only that submodule encrypted while keeping the rest of the repo unencrypted. With this, your work is unencrypted while on your system but encrypted as specified when committed and pushed to git. Quite convenient: a submodule with passwords and other sensitive data uploaded to git, and only someone with the passphrase can decrypt it on their system. The risks here are the usual attacks on encryption (a weak passphrase, a weak cipher mode); it gets more secure the better you set it up.
Talking of PKI, I think I remember Black Hat Python having a good demonstration of it. Look at this and its parent script:
https://github.com/Eid010n/Python/blob/master/Black-Hat-Python/BHP-Code/Chapter9/ie_exfil.py

Now that git repo encryption was, and might be in most cases, overkill, so the guy who redid that article wrote a tool which, if configured well, lets you end up encrypting just one file, a folder or the whole repo if need be. Check it out:
https://github.com/shadowhand/git-encrypt
Be sure to read the README.
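To show what the clean/smudge mechanism underneath those tools actually does, here is an added example in Python (my own illustration, not git-encrypt's code and not the gist's commands): a filter pair that encrypts a file on its way into the repository and decrypts it on checkout. The point a practitioner should notice is that the clean filter has to be deterministic (same plaintext in, same bytes out, every time) or git cannot tell an unchanged file from a changed one; this version achieves that with a synthetic IV derived from the plaintext, which doubles as an integrity tag. The HMAC-SHA256 counter-mode keystream, the DEMOCRYPT_KEY variable name, the MAGIC marker and the filter name are all assumptions made for the example.

```python
"""Deterministic clean/smudge filter demo (added example; illustrative cipher, not for production)."""
import hashlib
import hmac
import os
import sys

# Marker so smudge can tell an encrypted blob from a file committed before the filter existed (constructed).
MAGIC = b"\x00DEMOCRYPT\x00"
IV_LEN = 16


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a keystream (stand-in for AES-CTR in this example)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, b"ctr|" + iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _siv(key: bytes, plaintext: bytes) -> bytes:
    """Synthetic IV: a MAC over the plaintext, so equal plaintexts give equal ciphertexts."""
    return hmac.new(key, b"siv|" + plaintext, hashlib.sha256).digest()[:IV_LEN]


def clean(plaintext: bytes, key: bytes) -> bytes:
    """Worktree -> repository: encrypt deterministically, prefix marker and IV."""
    iv = _siv(key, plaintext)
    ks = _keystream(key, iv, len(plaintext))
    return MAGIC + iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def smudge(blob: bytes, key: bytes) -> bytes:
    """Repository -> worktree: pass plain blobs through, decrypt and verify encrypted ones."""
    if not blob.startswith(MAGIC):
        return blob
    iv = blob[len(MAGIC):len(MAGIC) + IV_LEN]
    body = blob[len(MAGIC) + IV_LEN:]
    plaintext = bytes(c ^ k for c, k in zip(body, _keystream(key, iv, len(body))))
    # Recomputing the IV over the recovered plaintext checks both the key and the blob's integrity.
    if not hmac.compare_digest(_siv(key, plaintext), iv):
        raise ValueError("wrong key or corrupted blob")
    return plaintext


def _key_from_env() -> bytes:
    """32-byte hex key from the environment; the key itself never lives in the repo."""
    hex_key = os.environ.get("DEMOCRYPT_KEY")  # hypothetical variable name
    if not hex_key:
        sys.exit("DEMOCRYPT_KEY is not set")
    return bytes.fromhex(hex_key)


if __name__ == "__main__":
    # One-time setup in the repo (filter name is an assumption):
    #   git config filter.democrypt.clean    "python3 democrypt.py clean"
    #   git config filter.democrypt.smudge   "python3 democrypt.py smudge"
    #   git config filter.democrypt.required true      # abort instead of committing plaintext if the filter fails
    #   echo 'secrets/** filter=democrypt' >> .gitattributes
    mode = sys.argv[1] if len(sys.argv) > 1 else ""
    data = sys.stdin.buffer.read()
    if mode == "clean":
        sys.stdout.buffer.write(clean(data, _key_from_env()))
    elif mode == "smudge":
        sys.stdout.buffer.write(smudge(data, _key_from_env()))
    else:
        sys.exit("usage: democrypt.py clean|smudge")
```

The setting worth copying is `filter.<name>.required`: without it, a filter that fails (key not exported, for instance) is silently skipped and the plaintext goes into the commit. Determinism has a cost as well, which the real tools share: anyone holding the repository can see when two revisions of a secrets file are byte-identical, even without the key.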
Now when all hell breaks loose, or when you are designing an enterprise development architecture, you might consider password containers like KeePass, TrueCrypt (since discontinued; VeraCrypt is the maintained successor) and others. Some of them have APIs, hence they are heavily scriptable, like KeePass:
http://keepass.info/help/v1_sdk/annotated.html
Now with all that being said, read up and give me your views...