So currently in our project we have user/pass combinations in environment-specific properties files stored in our source control, which get read in by the Selenium scripts... which is a bad practice security-wise.
Thinking of just offloading it to an environment variable that you have to provide to Maven. But then it would have to be free text in Jenkins for our test runs there, not to mention making their configuration a lot less clean. Right now we have a Maven Ant task swap in the appropriate properties file based on a drop-down selection for the environment.
In order to support running locally, on Jenkins, and on a clean-slate VM, I would think any encryption method would also have to have the key in the repository, which defeats the purpose.
What do you recommend as a best practice to handle this?
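One way to do the environment-variable approach asked about above, as an added Java example that is not from this thread: the test code resolves the credentials from the environment, fails fast with a message that names the variable but never its value, and masks the password in `toString()` so an accidental log line in the Jenkins console does not leak it. The variable names `SELENIUM_USER` and `SELENIUM_PASS` are assumed.

```java
import java.util.Arrays;
import java.util.Map;

/** Test credentials resolved from the environment, never from a checked-in properties file. */
public final class TestCredentials {
    // Assumed variable names; adjust to whatever the Jenkins job or local shell exports.
    static final String USER_VAR = "SELENIUM_USER";
    static final String PASS_VAR = "SELENIUM_PASS";

    private final String user;
    private final char[] password;

    private TestCredentials(String user, char[] password) {
        this.user = user;
        this.password = password;
    }

    /** Reads both variables from the real process environment. */
    public static TestCredentials fromEnv() {
        return fromEnv(System.getenv());
    }

    /** Same logic over an explicit map, so it can be unit-tested without touching the real environment. */
    static TestCredentials fromEnv(Map<String, String> env) {
        String user = require(env, USER_VAR);
        String pass = require(env, PASS_VAR);
        return new TestCredentials(user, pass.toCharArray());
    }

    // Fail fast: name the missing variable, never echo any value.
    private static String require(Map<String, String> env, String name) {
        String value = env.get(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Missing environment variable " + name
                + "; provide it via Jenkins credentials binding or your local shell, "
                + "not via a properties file in the repository");
        }
        return value;
    }

    public String user() { return user; }

    /** Returns a copy so the caller can wipe it after the WebDriver login has used it. */
    public char[] password() { return password.clone(); }

    /** Zero the secret once the login step is done. */
    public void wipe() { Arrays.fill(password, '\0'); }

    /** Never reveals the secret, so logging this object in Jenkins console output is harmless. */
    @Override public String toString() { return "TestCredentials{user=" + user + ", password=****}"; }
}
```

Locally you would run `SELENIUM_USER=... SELENIUM_PASS=... mvn test`; the forked test JVM inherits the environment, so nothing secret has to live in the POM or the repository.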
I'm currently researching good secure key/value stores for such a purpose.
This one seems promising, https://www.vaultproject.io/
As a follow-up to my research, Amazon KMS and CloudHSM seem to be the front runners.
KMS appears to be great: it has a good API so you can do some advanced things like daily key rotations and password generation, which means you can automate updating your password on a nightly basis. It has audit services so you can see who's been using your keys. In terms of memory protection, it keeps the keys encrypted in memory until the point of use.
If you are concerned about someone performing a memory dump, the HSM (Hardware Security Module) goes one step further and encrypts the key at the hardware level, so it's never in plain text in memory.
Last edited by dlai; 04-04-2016 at 08:42 AM.