How to protect a plain text credentials file with the username and password

Tags: automounting, mount, security

I am trying to set up an auto-mounting network drive. The network drive requires a user/pass. In the man page for "mount.cifs" there are two ways to provide the user/pass.

  1. [not recommended] put the user/pass in /etc/fstab
  2. create a separate credentials file and put the user/pass in the credentials file

"[option 2] is preferred over having passwords in plaintext in a shared file, such as /etc/fstab. Be sure to protect any credentials file properly."

  • My background is: software developer, lots of Linux software development (installing development libraries, installing applications like Eclipse, or Java). I am not an IT or sysadmin guy.
  • This is on my own development machine

Given my lack of IT/sysadmin background, what is the standard suggested method for "protecting any credentials file properly"?

(I would also appreciate, if there are multiple methods for protecting the credentials file, to please list in order of most common to least and describe the tradeoffs.)

Best Answer

It looks like the man page snippets you quoted refer to the basic level of security that standard file ownership and permissions provide. The configuration file /etc/fstab is readable by any user on the system. A safer place to store sensitive information would be a file with permissions allowing it to be read only by the owner. I understand that in your case, the user would be root.

Let's say you put the file in /etc/ and name it cifs-cred (create and edit it as root). Then you'd use

chmod 600 /etc/cifs-cred

That will ensure only the owner (which should be root) has access to the contents. Otherwise, if such a setup does not allow your system to work properly, it could mean the file should be accessible to some special system user. In that case, you might need to try

chmod 660 /etc/cifs-cred

or something like

chown root:wheel /etc/cifs-cred
chmod 660 /etc/cifs-cred

-- depending on what *nix flavor your system is and the system daemons' configuration.


Other than that, if the system can be under any risk of being compromised, you should never trust unencrypted passwords. Depending solely on file permissions is rather naive - the file contents are protected only against minor security breaches.
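As an added example (not part of the answer above), a small POSIX sh helper that creates the credentials file with owner-only permissions from the moment it exists, verifies those permissions afterwards, and prints the matching /etc/fstab line that references the file instead of embedding the password. The share name, mount point and user/password values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes POSIX sh with ls, cut,
# chmod and printf; /etc/cifs-cred is the path the answer chose.

# write_cifs_credentials FILE USERNAME PASSWORD [DOMAIN]
# Running with umask 077 in a subshell makes the file 0600 at creation, so
# there is no window in which another local user could read it before a
# later chmod. Any pre-existing file is removed first so a permissive mode
# left over from an earlier attempt is not inherited.
write_cifs_credentials() {
    file=$1; user=$2; pass=$3; domain=${4:-}
    (
        umask 077
        rm -f "$file"
        printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$file"
        if [ -n "$domain" ]; then
            printf 'domain=%s\n' "$domain" >> "$file"
        fi
    )
    chmod 600 "$file"   # belt and braces: enforce owner-only access regardless
}

# check_credentials_perms FILE
# Succeeds only if FILE is a regular file whose group/other bits are all
# clear (e.g. 0600 or 0400). Columns 5-10 of `ls -ld` are those six bits,
# which keeps this portable across GNU and BSD ls. POSIX ACLs are not checked.
check_credentials_perms() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# fstab_line SHARE MOUNTPOINT CREDFILE
# The fstab entry carries only the path of the root-owned credentials file;
# the password itself never appears in the world-readable /etc/fstab.
fstab_line() {
    printf '%s %s cifs credentials=%s,_netdev 0 0\n' "$1" "$2" "$3"
}

# Demo on a scratch file with constructed values (use /etc/cifs-cred for real).
demo=${TMPDIR:-/tmp}/cifs-cred.demo
write_cifs_credentials "$demo" exampleuser 'S3cret!' WORKGROUP
check_credentials_perms "$demo" && echo "ok: $demo is readable by its owner only"
fstab_line //fileserver/share /mnt/share /etc/cifs-cred
rm -f "$demo"
```

Because the mount at boot is performed by root, a file owned by root with mode 0600 is sufficient for the fstab case; the 660 plus group variant from the answer is only needed when a non-root system user must read it.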
