Status Submitted
Categories CLI & Shell
Created by Guest
Created on Feb 21, 2023

Encrypt private_api_key in a mongocli configuration file

I would like to encrypt the value of private_api_key stored in $HOME/.config/mongocli/config.toml (part of mongocli config). private_api_key should not be visible in open text, as it gives access to MongoOPS/Atlas to anyone who can access the file.
  • Guest
    Feb 23, 2023
    Hi, thank you for the information. Unfortunately, none of the solutions is acceptable to us. Private keys must be known only by authorized MongoDB DBAs. All mentioned solutions (custom locations, permissions, and environment variables) are vulnerable to eavesdropping by Unix (System) admins. Financial companies must follow very strict security rules. Saving passwords in encrypted form only is one of them. I hope this feature request will attract some attention and MongoDB will implement it in a future release. Best Regards
  • Guest
    Feb 21, 2023
    Hi

    Most of the popular CLIs give users the ability to keep their configuration in secure places. MongoDB and Atlas CLI follow similar standards:

    1. Env variable overrides
    2. Custom location of the config file.
    3. Permissions for config file access

    1. The private key can be set using environment variables: https://www.mongodb.com/docs/atlas/cli/stable/atlas-cli-env-variables/
    2. The most common practice is also to set your config location to be present in the secure store using `XDG_CONFIG_HOME` variable. For more information see: https://www.mongodb.com/docs/mongocli/stable/configure/configuration-file/
    3. File is only accessible to the current user

    ```
    -rw------- 1 me metawired 1201 Feb 21 13:40 config.toml
    ```

    For details on how to encrypt your local file system please follow the instructions for each different operating system. Setting encryption on XDG_CONFIG_HOME location will not only secure Atlas and MongoDB cli but also other CLIs like Kubectl, or GitHub.
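An added example, not part of the thread or of MongoDB's tooling: a small audit that checks a mongocli-style `config.toml` for the two conditions discussed above, access beyond the owning user and a `private_api_key` stored in clear text. The function names, the sample profile layout and the key values are constructed for illustration; the hardened case assumes the key is supplied through the environment variable override instead of the file.

```python
import os
import re
import stat
import tempfile

# Matches a non-empty private_api_key assignment inside a profile section.
KEY_RE = re.compile(r'^\s*private_api_key\s*=\s*["\']?([^"\'\s#]+)', re.MULTILINE)


def audit_config(path):
    """Return a list of findings for a mongocli-style config file."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    # Any group/other bit means more than the owning user can touch the file.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants group/other access; expected 0600")
    if st.st_uid != os.getuid():
        findings.append(f"file owned by uid {st.st_uid}, not the current user")
    with open(path, encoding="utf-8") as fh:
        if KEY_RE.search(fh.read()):
            findings.append("private_api_key stored in clear text in the file")
    return findings


def demo():
    """Audit a constructed weak config, then the same profile hardened."""
    # Constructed sample profile; the key values are placeholders.
    weak = ('[default]\n'
            '  public_api_key = "EXAMPLEPUB"\n'
            '  private_api_key = "00000000-example-placeholder"\n')
    # Hardened form: private key removed from the file (assumed to come
    # from the environment variable override instead).
    hardened = '[default]\n  public_api_key = "EXAMPLEPUB"\n'
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.toml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(weak)
        os.chmod(path, 0o644)
        weak_findings = audit_config(path)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(hardened)
        os.chmod(path, 0o600)
        hardened_findings = audit_config(path)
    return weak_findings, hardened_findings


if __name__ == "__main__":
    for label, result in zip(("weak", "hardened"), demo()):
        print(label, result or "no findings")
```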