
What is a proper or, if possible to tell, the best way to store configuration in


Question

What is a proper or, if possible to tell, the best way to store configuration in matters of security?

So far I can tell that a database with very restricted access is a good way, but please let's exclude the database for the moment. I'm talking about things like encrypted properties files. As this is already a suggestion, I would also like to know about something like common mistakes or things I definitely have to keep in mind to acquire a secure configuration. There are already related discussions on "the best way to store configuration"; however, I wasn't able to find something with a focus on security.

The application runs non-distributed on a host machine, so the configuration is stored on the local system. The application is, so to say, a single-user application. We are talking about something like a software firewall, to be concrete. I'm actually thinking of application-scoped settings. I need data protection in the sense of privacy (I don't want to expose functionality and configuration) and integrity. I'm not afraid of an insider (admin) but more of intruders.

Explanation / Answer

Ok, so if a hacker gets into your system, you want to prevent him from seeing the configs? By the logic, IMO this is not possible. The application needs to read the config and it needs to store the config values in memory. A hacker with root privileges can always dump the memory and reconstruct the config (if the application is running).

However, you can make it harder for him. For instance, you can keep the config encrypted. The application would ask for the password on startup and use the password to decrypt the config. However, I can imagine this could be quite annoying for sysadmins ;-)
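
An added example, not part of the original answer: one way to keep a config file encrypted under a startup password, written for Node.js with scrypt and AES-256-GCM so that the file gets the integrity protection the question asks for as well as confidentiality. The file layout, function names, scrypt parameters and sample firewall settings are assumptions made for this example.

```javascript
const crypto = require("node:crypto");

// Assumed scrypt cost settings for this example; tune them for your hardware.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const MAGIC = Buffer.from("CFG1"); // constructed format tag, not a real standard

// The key is derived from the startup password and never written to disk.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, KDF);
}

// File layout (assumed): MAGIC(4) | salt(16) | nonce(12) | tag(16) | ciphertext
function sealConfig(config, password) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12); // fresh for every write
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), nonce);
  cipher.setAAD(Buffer.concat([MAGIC, salt])); // header is authenticated too
  const body = Buffer.concat([cipher.update(JSON.stringify(config), "utf8"), cipher.final()]);
  return Buffer.concat([MAGIC, salt, nonce, cipher.getAuthTag(), body]);
}

function openConfig(blob, password) {
  if (blob.length < 48 || !blob.subarray(0, 4).equals(MAGIC)) {
    throw new Error("not a sealed config file");
  }
  const salt = blob.subarray(4, 20);
  const nonce = blob.subarray(20, 32);
  const tag = blob.subarray(32, 48);
  const decipher = crypto.createDecipheriv("aes-256-gcm", deriveKey(password, salt), nonce);
  decipher.setAAD(Buffer.concat([MAGIC, salt]));
  decipher.setAuthTag(tag);
  // final() throws on a wrong password or if any byte of the file was changed.
  const plain = Buffer.concat([decipher.update(blob.subarray(48)), decipher.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// Constructed sample settings for a software firewall, as in the question.
const SAMPLE = { defaultPolicy: "deny", allow: ["tcp/22", "tcp/443"] };

// Returns true if openConfig rejects the blob (bad password or tampering).
function isRejected(blob, password) {
  try { openConfig(blob, password); return false; } catch { return true; }
}
```

Because the GCM tag covers the whole file, an edit made without the password is rejected at load time instead of being silently applied.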
