Article delegate-en/3962 of [1-4112] on the server localhost:7119
  upper oldest olders older1 this newer1 newers latest
search
[Top/Up] [oldest] - [Older+chunk] - [Newer+chunk] - [newest + Check]
[Reference:<_A3961@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en
[DeleGate-En] parameter encryption with -Fenc (Re: Delegate - encrypted .cdh config on win xp)
24 Apr 2008 08:33:52 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project 
Jan,

In message <_A3961@delegate-en.ML_> on 04/24/08(16:23:34) I wrote:
 | |Then I encrypt the config:
 | |> "d:\app\delegate\dg.exe" DGROOT="d:\tmp\.dg" -Fcredhy testpwd  <  dg.conf  >  dg.cdh
...
 | |**** Specify the key of encryption for 'dgauth'
 | |**** CRYPT=pass:testpwd
 |
 |Here you need to specify the "MasterKey" for the repository of passwords
 |into which your "testpwd", the passphrase for encryption of configuration
 |parameters, is stored.  And your passphrase needs to has been stored into
 |the repository as follows, encrypted with a specified MasterKey:
 |
 | > dg.exe DGROOT=d:/tmp/.dg -Fauth -a config:testpwd -dgauth@admin
 | **** Specify the key of encryption for 'dgauth'
 | **** CRYPT=pass:MasterKey
 |
 |See <URL:http://www.delegate.org/delegate/Manual.htm?EncryptedConf> for
 |more details.

I should have said that the encryption of configuration parameters by
"-Fcredhy" (introduced at DeleGate/9.0.1 ) was a very tentative one without
ability of verification of integirity of the decripted data (with CRC or
MD5 or so).  Thus it generates broken data if a given key for decryption
is not equal to the one at the encryption, as shown in your case.

I added another way of encryption at DeleGate/9.4.0 by "-Fenc" which is
simpler (without password repository) and safer (with integirty check).
You can use it as follows:

 a) to see the usage

  > d.exe -Fenc
  Usage: -Fenc [-kKey] [infile] [-o outfile] [-a arg1 arg2 ...]

 b) generate an encrypted parameter

  > dg.exe -Fenc -ktestpwd -a MYAUTH=user:pass ADMIN=foo@bar
  +=enc:ext::1bt.fMObaW4Mc0Y34Bp5tEPLoMY6pkvjB4RYCymttSPWd5vp6ghqieamCg==:

  (this "+=enc:ext::...:" is an encrypted representation of "MYAUTH=user:pass ADMIN=foo@bar" with the encryption key "testpwd")

 c) use the encrypted parameter

  > dg.exe -v -P9999 +=enc:ext::1bt.fMObaW4Mc0Y34Bp5tEPLoMY6pkvjB4RYCymttSPWd5vp6ghqieamCg==: SERVER=http ...
  **** PASSWD=ext:::testpwd

A little more tips:

 1) encryption
  > dg.exe -Fenc -ktestpwd < conf > conf.enc

 2) decription
  > dg.exe -Fdec -ktestpwd < conf.enc > conf

 3a) substitution (asked the password interactively)
  > dg.exe +=conf.enc
  **** PASSWD=ext:::testpwd

 3b) substitution giving the password
  > dg.exe +=conf.enc PASSWD=ext:::testpwd

 3c) substitution without an external file for configuration
  > dg.exe +=enc:ext::1bt. ............. :"

Cheers,
Yutaka
--
  9 9   Yutaka Sato <pfqcabdyi-zzxei6h44btw.ml@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
  admin search upper oldest olders older1 this newer1 newers latest
[Top/Up] [oldest] - [Older+chunk] - [Newer+chunk] - [newest + Check]
@_@V