[Glass] data encryption

Mariano Martinez Peck via Glass glass at lists.gemtalksystems.com
Thu Feb 19 11:40:41 PST 2015


Hi Sebastian,

In my case, I do a few things:

1) Use HTTPS everywhere possible rather than HTTP. I have nginx with SSL +
fast cgi. Be sure to have the gemstone with the latest vulnerabilities
fixed.

2) For user passwords I have 2 types... one way and 2 way encryption. For
the first one, I use MD5 (for user login). For the latter I use a nice algo
where I merge things of PasswordStoreSplit (which splits a password in
pieces and pads the rest with random data) and Blowfish encryption. This is
for some kind of passwords I must store and then decrypt to send them
somewhere...

And now..not related to encryption but with security and may help:

3) My app is deployed for each "site", which means a whole stone + gems.
All gemstone processes of a particular site run under one particular OS
user. Say... siteXXX... so all gemstone processes for that site XXX are run
with siteXXX. And everything needed for the app (gemstone files, confs,
pids, logs, locks, backups, app-custom-files, everything) is inside a
particular directory that has 600/700 and ownership 'siteApp'.
Of course 'siteApp' is not root and does not allow ssh (and sshd allows
only certificate logins).

4) The gemstone user I use is NOT DataCurator and instead I use a
particular gemstone user with custom permissions and password.

5) I change passwords of DataCurator and System and I rarely use them (only
upon site creation)

6) I do not share multiple users (sites) in the same stone.

7) Provide by some means some kind of brute force protection. I have it at
my app login level, at nginx and at fail2ban.


I have more stuff but I think I am going off topic.

Anyway...what I would really like is a way to obfuscate a repository (I
don't want my client to have access to my app code) in the case I must
deploy my app in client's server. Is this possible?

Cheers,

On Thu, Feb 19, 2015 at 4:17 PM, Sebastian Heidbrink via Glass <
glass at lists.gemtalksystems.com> wrote:

> Hi!
>
> I was asked if there is a way to prevent the Gemstone/Glass hoster from
> seeing the data...
>
> Is there a common practice to encrypt certain attributes/data?
>
> I guess this is a problem that might just occur on the Seaside/ZincRest
> cloud-ish projects?!
>
> Sebastian



-- 
Mariano
http://marianopeck.wordpress.com
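
The per-site directory layout from point 3, checked mechanically. This is an added example, not part of the original message or of GemStone: a POSIX shell function that lists anything under a site directory that is not owned by the site's OS user or that carries group/other permission bits. The function name `audit_site_dir`, the output labels, and the reading of "600/700" as "no group or other access" are assumptions.

```shell
#!/bin/sh
# audit_site_dir DIR OWNER
#   DIR   - root of one site's tree (gemstone files, confs, logs, backups...)
#   OWNER - OS user name or numeric uid that must own everything under DIR
# Prints one line per offending path and returns 1 if any were found,
# 0 if the tree is clean, 2 if DIR is not a directory.
audit_site_dir() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    findings=$(
        # Anything not owned by the site user.
        find "$dir" ! -user "$owner" -exec printf 'OWNER %s\n' {} \;
        # Anything with a group or other permission bit set, i.e. looser
        # than 600 for files or 700 for directories. Symlinks are skipped
        # because their own mode bits are not enforced.
        find "$dir" ! -type l \( \
               -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'MODE  %s\n' {} \;
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh audit.sh /path/to/site siteXXX
if [ "$#" -eq 2 ]; then
    audit_site_dir "$1" "$2"
fi
```

Run from cron or a deployment check, a non-zero exit status signals drift in ownership or modes, for example after a restore from backup.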