[Bug 41774] New: Add ability to read encryption key from environment variable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41774 Bug ID: 41774 Summary: Add ability to read encryption key from environment variable Initiative type: --- Sponsorship --- status: Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: kyle@bywatersolutions.com QA Contact: testopia@bugs.koha-community.org
From a security standpoint it would be useful to be able to store Koha's encryption key in an environment variable. This is particularly useful in containerized environments, but is not limited to that use case.
-- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41774 Kyle M Hall (khall) <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41774 --- Comment #1 from Kyle M Hall (khall) <kyle@bywatersolutions.com> --- Created attachment 192496 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=192496&action=edit Bug 41774: Add ability to read encryption key from environment variable
From a security standpoint it would be useful to be able to store Koha's encryption key in an environment variable. This is particularly useful in containerized environments, but is not limited to that use case.
Test plan: 1) Apply this patch 2) Remove or comment out the encryption key in koha-conf.xml 3) Restart plack 4) Browse to the "System information" tab of the about page 5) Note the missing encryption_key warning on the page 6) restart plack again, inject the encryption key as an environment variable: sudo KOHA_ENCRYPTION_KEY=t0P_secret koha-plack --restart kohadev 7) Reload the about page 8) Note the warning is gone! -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41774 Kyle M Hall (khall) <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |kyle@bywatersolutions.com |ity.org | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41774 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au Status|Needs Signoff |Failed QA --- Comment #2 from David Cook <dcook@prosentient.com.au> --- I'm going to have to disagree with you on this one. From a security standpoint, you don't want to put sensitive data like an encryption key in an environmental variable. You'd want to put the encryption key in a file and then the environmental variable could point to the location of that file. With a containerized environment like Docker, you can either do a bind mount yourself, or you can use secrets which does some of that for you: https://docs.docker.com/compose/how-tos/use-secrets/ -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org