visulate/visulate-ora2pg

Encrypt or remove password in ora2pg-conf.json file

Closed this issue · 4 comments

ora2pg-conf.json file contains the system credentials for the Oracle database. It should be encrypted on the server.

https://medium.com/@anned20/encrypting-files-with-nodejs-a54a0736a50a

Hide the config file in the project files listing

Users need a way to supply an encryption key. Ideally this would be transparent in non-production environments. Users who are trying out ora2pg or converting a development database with no sensitive information should not be forced to supply a key.

Update the http-config.js file to accept the key as an environment variable or default to a hard-coded string:

  • configFileEncryptionKey: process.env.ORA2PG_SECRET||'hardCodedInsecureKey123'
    ORA2PG_SECRET can be set using a Docker or Kubernetes secret

Another option would be to encrypt the password in the JSON document rather than the complete file. The APIs could be modified to accept an encryption key parameter. It would be used to en/decrypt sensitive fields in the JSON doc. The UI would be extended to associate projects and encryption keys.

Alternatively we could remove the password entry before writing the file.
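The field-level option and the `ORA2PG_SECRET` fallback discussed in this issue, sketched as an added example that is not part of the issue or the project's own code. It assumes AES-256-GCM with an scrypt-derived key; the `enc:v1:` prefix, the function names and the config key names in the sample are hypothetical.

```javascript
// Added example: encrypt only the sensitive fields of ora2pg-conf.json.
const nodeCrypto = require('crypto');

const INSECURE_DEFAULT = 'hardCodedInsecureKey123'; // fallback string quoted in the issue
const PREFIX = 'enc:v1:';                           // hypothetical marker for encrypted values

// Resolve the secret as the issue proposes, but refuse the public default in production.
function resolveSecret(env) {
  const secret = env.ORA2PG_SECRET || INSECURE_DEFAULT;
  if (secret === INSECURE_DEFAULT && env.NODE_ENV === 'production') {
    throw new Error('ORA2PG_SECRET must be set in production');
  }
  return secret;
}

// Stretch the secret into a 32-byte AES key; the salt is random per stored value.
function deriveKey(secret, salt) {
  return nodeCrypto.scryptSync(secret, salt, 32);
}

function encryptField(plaintext, secret) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(secret, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Stored layout: salt(16) | iv(12) | auth tag(16) | ciphertext
  return PREFIX + Buffer.concat([salt, iv, cipher.getAuthTag(), body]).toString('base64');
}

function decryptField(value, secret) {
  if (typeof value !== 'string' || !value.startsWith(PREFIX)) throw new Error('not an encrypted field');
  const raw = Buffer.from(value.slice(PREFIX.length), 'base64');
  const key = deriveKey(secret, raw.subarray(0, 16));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(16, 28));
  decipher.setAuthTag(raw.subarray(28, 44));
  // final() throws if the key is wrong or the stored value was modified
  return Buffer.concat([decipher.update(raw.subarray(44)), decipher.final()]).toString('utf8');
}

// Return a copy of the config with the named fields encrypted; already-encrypted values are left alone.
function protectConfig(config, fields, secret) {
  const out = { ...config };
  for (const f of fields) {
    if (typeof out[f] === 'string' && !out[f].startsWith(PREFIX)) out[f] = encryptField(out[f], secret);
  }
  return out;
}

// Constructed sample; the key names are assumptions, not the project's actual schema.
const sampleConfig = { ORACLE_DSN: 'dbi:Oracle:host=db.example;sid=XE', ORACLE_USER: 'system', ORACLE_PWD: 'example-password' };
```

Because GCM authenticates the ciphertext, a file written under one key fails loudly when read under another, so a project created with the default string cannot be silently opened after `ORA2PG_SECRET` is set.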