redmine_wiki_encryptor - a plugin for encrypting Redmine Wiki data

    If you store sensitive data in the Redmine Wiki, you have probably wondered what would happen if someone gained access to the server and copied the database.
    I would like to bring to your attention a plugin developed by our company, redmine_wiki_encryptor. With this plugin, Redmine decrypts data from the Wiki tables on the fly, so even if someone obtains a database dump, they cannot read anything without the key.



    Install and configure redmine_wiki_encryptor



    Make a backup of the Redmine database. If something goes wrong, there is a risk of losing Wiki data.

    Download the plugin:
    git clone git://github.com/olemskoi/redmine_wiki_encryptor.git /opt/redmine/plugins/redmine_wiki_encryptor
    


    Install gems (assuming you are using bundler to work with gems):
    bundle install --without development test sqlite postgresql --path vendor/bundle
    


    Run the plugin migrations:
    bundle exec rake redmine:plugins:migrate RAILS_ENV="production"
    


    Add the plugin configuration to the redmine/config/configuration.yml file, in the “production” section. The parameters are key (the key used for encryption; take good care of it) and algorithm (the encryption algorithm; a list of the algorithms supported by your system can be obtained with the command “openssl list-cipher-commands”):
    production:
      wiki_encryptor:
        key: 'mega-secret-key'
        algorithm: 'des'
    


    Stop Redmine and encrypt Wiki data:
    bundle exec rake wiki_encryptor:encrypt RAILS_ENV="production"
    


    Now all Wiki data is encrypted.

    Important! Disable caching of formatted text in the Redmine settings; otherwise a clear-text cache of every visited wiki page will be written to the redmine/tmp/cache folder.

    Delete cache:
    rm -rf /opt/redmine/tmp/cache/*
    


    And now the most interesting part. An attacker could still decrypt the data, because the key is visible in the configuration. To close this gap, you can start Redmine manually and not store the password in the config.
    After completing the encryption procedure, delete the key (everything after the space) from the redmine/config/configuration.yml configuration file and, to simplify things, use a script such as the following:

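    #!/bin/sh
    # Make sure Redmine is stopped
    /etc/init.d/redmine stop
    # Read the password without echoing it to the terminal
    printf "Password: "; stty -echo; read -r password; stty echo
    echo
    # Escape the characters that are special in a sed replacement (\ / &);
    # a password containing a single quote would still break the YAML quoting
    escaped=$(printf '%s' "$password" | sed 's/[\/&]/\\&/g')
    # Add the password to the configuration file
    sed -i "s/    key:/    key: '$escaped'/g" /opt/redmine/config/configuration.yml
    echo
    # Start Redmine
    /etc/init.d/redmine start
    # Wait a few seconds, just in case
    sleep 3
    # Remove the password from the configuration (matched by pattern, so
    # regex metacharacters in the password do not matter)
    sed -i "s/    key: '.*'/    key:/g" /opt/redmine/config/configuration.yml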
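
    A check to run after the start script, added here as an example (it is not part of the plugin or the original article): it reports a key left in configuration.yml and files remaining in tmp/cache, the two leftovers described above. The function names are hypothetical, /opt/redmine is the install path used in this article, and the single-DES warning is an extra check not taken from the article.

```shell
#!/bin/sh
# Added example, not part of the plugin. /opt/redmine is the article's install
# path; the function names are hypothetical.

# Print one wiki_encryptor setting ($2) from configuration.yml ($1), unquoted.
wiki_encryptor_value() {
    awk -v want="$2" '
        function indent(s) { return match(s, /[^ \t]/) - 1 }
        /^[ \t]*wiki_encryptor:/ { depth = indent($0); inblock = 1; next }
        # A non-blank line indented no deeper than the section header ends it.
        inblock && NF && indent($0) <= depth { inblock = 0 }
        inblock && $1 == (want ":") { sub(/^[^:]*:[ \t]*/, ""); print; exit }
    ' "$1" | tr -d "\"'[:space:]"
}

# Report leftovers of the setup; succeeds only when nothing is found.
audit_wiki_encryptor() {
    root=${1:-/opt/redmine}
    conf="$root/config/configuration.yml"
    findings=0
    if [ ! -r "$conf" ]; then
        echo "FAIL: cannot read $conf"
        return 2
    fi
    # The start script should have blanked the key again.
    if [ -n "$(wiki_encryptor_value "$conf" key)" ]; then
        echo "FAIL: encryption key is stored in $conf"
        findings=$((findings + 1))
    fi
    # Formatted-text cache files hold wiki pages in clear text.
    if [ -n "$(find "$root/tmp/cache" -type f 2>/dev/null | head -n 1)" ]; then
        echo "FAIL: files present under $root/tmp/cache"
        findings=$((findings + 1))
    fi
    # Added check: single DES has a 56-bit key and is within brute-force reach.
    case "$(wiki_encryptor_value "$conf" algorithm)" in
        des|des-cbc|des-ecb|des-cfb|des-ofb)
            echo "WARN: algorithm is single DES (56-bit key)"
            findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}
```

    Call it as audit_wiki_encryptor /opt/redmine; the exit status is non-zero when anything is reported, so it can gate a cron job or a deployment step.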
    


    That's all. I will be glad to hear ideas and suggestions in the comments!

    In one of the following articles I will write about two-factor SMS authorization for Redmine. If you are interested, welcome to our Habr blog.

    Links:
    http://centos-admin.ru/ - site of our company
    https://github.com/olemskoi/redmine_wiki_encryptor - plugin redmine_wiki_encryptor
