Password parameters: scrambled HOW?

Answered

I'm trying to wrap my head around exactly how secure the storage of password-typed parameters in TeamCity is. Yes, I understand that anyone who can modify a build plan that can see the parameter can trivially extract passwords, but there's a paper trail there. There may be attacks that can be done on the agent as well. Really I just want to be able to speak clearly about the safety of password data that's just lying around in the config files.

https://confluence.jetbrains.com/display/TCD10/Typed+Parameters calls the way passwords are stored on the TeamCity server (and in whatever VCS is used to handle versioning) 'scrambled'.

Is it documented anywhere, or does anyone know, what kind of scramble we're talking about? ROT13? SHA256? How is whatever key is needed to unscramble it protected and/or rotated? Is the key different for each project, or can I totally just copy the scrambled key to a new project that I have write access to and emit the cleartext secret there?

0
1 comment

Hi,

https://confluence.jetbrains.com/pages/viewpage.action?pageId=74845225#HowTo...-WhatEncryptionisUsedbyTeamCity

Try to avoid having to store passwords for external services as much as possible. If the passwords have to be stored for plain text reuse, there has to be a way to revert back to password form.

We have an issue in our tracker to improve the current way they are stored. Feel free to vote and comment on it to try to improve this situation: https://youtrack.jetbrains.com/issue/TW-45181
