Encrypt private_api_key in a mongocli configuration file
I would like to encrypt the value of private_api_key stored in $HOME/.config/mongocli/config.toml (part of mongocli config).
private_api_key should not be visible in the open text as it gives access to the MongoOPS/Atlas to anyone who can access the file.
-
Dmitrij commented
Hi,
Thank you for the information. Unfortunately, none of the solutions is acceptable to us. Private keys must be known only by authorized MongoDB DBAs. All mentioned solutions, custom locations, permissions, and environment variables, are vulnerable to eavesdropping by Unix (System) admins. Financial companies must follow very strict security rules. Saving passwords in encrypted form only is one of them.
I hope this feature request will attract some attention and MongoDB will implement it in a future release.
Best Regards
-
Wojciech commented
Hi
Most of the popular CLIs give users the ability to keep their configuration in secure places. MongoDB and Atlas CLI follow similar standards:
1. Env variable overrides
2. Custom location of the config file.
3. Permissions for config file access
1. The private key can be set using environment variables:
https://www.mongodb.com/docs/atlas/cli/stable/atlas-cli-env-variables/
2. The most common practice is also to set your config location to be present in the secure store using the `XDG_CONFIG_HOME` variable.
For more information see: https://www.mongodb.com/docs/mongocli/stable/configure/configuration-file/
3. File is only accessible to the current user
```
-rw------- 1 me metawired 1201 Feb 21 13:40 config.toml
```
For details on how to encrypt your local file system please follow the instructions for each different operating system. Setting encryption on the XDG_CONFIG_HOME location will not only secure Atlas and MongoDB CLI but also other CLIs like Kubectl, or GitHub.
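An added example, not part of either comment and not mongocli's own code: a shell audit of the file-permission and config-location points in the reply above. It checks that config.toml carries no group/other bits, that its directory is not group/other writable, and reports when private_api_key is still stored in plain text. The function names are hypothetical, and the default path assumes the `XDG_CONFIG_HOME` behaviour and `$HOME/.config/mongocli/config.toml` location mentioned on this page.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of mongocli.

# Print the octal permission bits of a path (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_mongocli_config [config_dir]
# Prints FAIL/WARN lines; returns 1 if any FAIL was found, otherwise 0.
audit_mongocli_config() {
    dir="${1:-${XDG_CONFIG_HOME:-$HOME/.config}/mongocli}"
    file="$dir/config.toml"
    failed=0

    if [ ! -f "$file" ]; then
        echo "INFO: $file not found, nothing to audit"
        return 0
    fi

    # Any group/other bit on the file exposes the key to other accounts.
    mode=$(file_mode "$file")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $file has mode $mode, expected 600 (-rw-------)"
        failed=1
    fi

    # A group/other-writable directory lets another account swap the file.
    dmode=$(file_mode "$dir")
    if [ $(( 0$dmode & 022 )) -ne 0 ]; then
        echo "FAIL: $dir has mode $dmode and is writable by group/other"
        failed=1
    fi

    # Permissions do not hide the value from root or from backups.
    if grep -Eq '^[[:space:]]*private_api_key[[:space:]]*=' "$file"; then
        echo "WARN: private_api_key is stored in plain text in $file"
    fi

    return "$failed"
}
```

Source the file and call `audit_mongocli_config` with no argument to audit the default location, or pass a directory to audit a custom one.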