Along with other configurations, Configs.Cloud can also be used to store credentials securely.
- Password Secure Storage
- Password Retrieval
- Password Settings
- More Algorithms
Password Secure Storage
Any configuration marked as "Is Password" is stored securely in the database using an algorithm of the user's choice (as per the user's profile). A user can add any configuration as a secure configuration. These configurations are stored in encrypted format in the database, which prevents accidental password loss even in the extreme scenario of the system being compromised. Without decryption, the passwords remain inaccessible even to the DBAs managing the databases.
All encryption for the configurations marked as passwords is controlled by the "encryption algorithm" of the user's choice. This algorithm is specified under Menu > Settings > Preferences. Two parameters affect how passwords are stored: Algorithm and Salt String.
Once set, these settings take effect immediately. When either the algorithm or the Salt String changes, all configurations marked as passwords are re-hashed with the new algorithm. Be aware that this might affect the functioning of your applications and integrations.
Any change to a configuration marked as a password, whether made manually or forced by a change to the "Salt String" or "Password Hash Algorithm", is treated as an update of the password. All updates to configurations are automatically versioned. Hence, all changes to passwords are also versioned.
Note: A hashed password can only be retrieved if you know the configured algorithm and the Salt String that were used to hash it. Once these settings are changed or lost, older passwords cannot be retrieved in decrypted format. You can always view the encrypted password strings using the "view versions" feature on each key / value.
Password Retrieval
Passwords can either be viewed from the Management Console or retrieved through APIs.
Retrieving Passwords on Management Console
When passwords are shown on the Management Console, they are shown in decrypted format. This allows the user to retrieve the passwords and use them as needed. The hashed string stored in the database for each password can be viewed using the "Versioning" feature in the console, as mentioned above.
Retrieving Passwords using APIs
Depending upon your security needs, passwords can be retrieved using APIs either:
- in decrypted format as the output of the API call, or
- in encrypted format, for you to decrypt within your application with the right Salt String and algorithm, making it absolutely safe in transit.
Password Settings
All password settings are global to a dataset: they are limited to that dataset and affect all configurations within it. You may decide to change your configurations for any specific dataset as per your security needs.
Need More Algorithms?
Get in touch with us at firstname.lastname@example.org, or through Contact us, if you need any more algorithms, and we will attempt to consider them as a feature request for the next release. If you are an enterprise customer and have any specific security requirements around password storage, do let us know and we will be happy to pick that up at the earliest possibility.