Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Questions: Damonizing and encrypting with Abscissa #340

Open
JRAndreassen opened this issue Aug 19, 2020 · 3 comments
Open

Questions: Damonizing and encrypting with Abscissa #340

JRAndreassen opened this issue Aug 19, 2020 · 3 comments

Comments

@JRAndreassen
Copy link

JRAndreassen commented Aug 19, 2020

Since you have probably resolved these issues in your app...
A couple of quick questions...

I'm building a cross-platform agent using Abscissa / Tokio, it will be running on Windows and other platforms...
So I need to daemonize it..

  1. Which would be the preferred daemonizing crates ?
    ceviche-rs I'm leaning towards this one...
    daemon-rs Old but cross platform

  2. Encrypting values in the config(toml)
    I'm looking at CryptoStream

  3. What is the preferred approach to embedding keys in the executable ?

All (constructive :) ) suggestions are welcome

@tony-iqlusion
Copy link
Member

A1: Regarding daemonization, I'd recommend using an init system or other supervisor process. We run Abscissa-based applications as systemd service units, which requires no built-in "daemonization" support.

That said, if you'd like to use a 3rd party daemonization crate, you can customize main.rs as you desire.

A2: Regarding CryptoStream, I wouldn't recommend using that. It's using unauthenticated AES-CBC encryption (generally shunned by cryptographers), and has a rather heavyweight dependency in OpenSSL.

I do so happen to also be author of a number of pure Rust implementations of modern AEAD ciphers. I would suggest using AES-GCM, AES-GCM-SIV, or ChaCha20Poly1305:

https://github.com/RustCrypto/AEADs/

As for integrating something like that with Abscissa, it's TBD. I'd like to add first-class support for secret stores as a trait, and the ability to plug in e.g. cloud secret management services like AWS Parameter Store or GCP Secret Manager.

A3: what kind of keys? cryptographic keys? I would not recommend placing any secret values in executables.

@JRAndreassen
Copy link
Author

@tony-iqlusion ,
Thanks for the response...

A1: Unfortunately, I don't control the environment and have to adapt...
I'll let you know how it goes.

A2: I'll try one of those...

A3: Unfortunately, I have to encrypt data at rest, without interaction.
A user entry or fetch from somewhere would be better, but again not an option.
I have to come up with a solution...

A built in secure store would be awesome...
Thanks again for sharing

@JRAndreassen
Copy link
Author

P.S. There is a "typo" in
"cli\template\src\commands\subcommand.rs.hbs" Line: 15

    // #[options(short = "f", help = "foobar path"]

should be:

    // #[options(short = "f", help = "foobar path")]

Missing ")"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants