E.Eldridge

Reputation: 143

Connecting remotely to a MongoDB database without storing password in plaintext

I am trying to remotely connect to a MongoDB database but don't want to store the password for the database in plaintext in the code. What's a good method for encrypting/decrypting the password so it's not available to anyone with the source code? The source code will be on GitHub.

I'm working with Python and PyMongo for connecting to the database. The database has authentication enabled in the mongod.conf file. The database is hosted on an Ubuntu 18.04 instance running in AWS.

It would also be nice to have the IP address of the server encrypted, as I've had security issues before with people accessing the database due to the code being available on GitHub and then presumably being scraped by bots.

My current URI looks like this:

    URI = "mongo serverip --username mongo --authenticationDatabase admin -p"

I would like the IP address and password to be encrypted in some way so that the password and IP aren't publicly available in the source code.

Upvotes: 2

Views: 2070

Answers (2)

Kush

Reputation: 61

All the options provided by Robert make complete sense. However, I would like to give one more:

You can store the username and password as environment variables in your .bash_profile and access the corresponding env var in Python.

Example, in .bash_profile:

    export USRNM='myname'
    export PASS='password'

In Python:

    import os
    username = os.environ.get('USRNM')
    password = os.environ.get('PASS')

This way, the username and password will not be present in your project directory and can't be accessed by looking at the source code.

PS: Further encryption can be added to the password string stored in .bash_profile.

Upvotes: 0
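An added example (not part of Kush's answer) that takes the environment-variable approach a step further: it fails closed when a variable is missing, percent-encodes the credentials so a password containing `@`, `:` or `/` does not break the connection string, and redacts the URI before it is logged. The variable names MONGO_USER, MONGO_PASSWORD, MONGO_HOST, MONGO_PORT and MONGO_AUTH_DB are this example's assumptions, not the USRNM/PASS names from the answer.

```python
import os
from urllib.parse import quote_plus

# Variable names assumed by this example (the answer above used USRNM and PASS).
REQUIRED_VARS = ("MONGO_USER", "MONGO_PASSWORD", "MONGO_HOST")


def mongo_uri_from_env(env=os.environ):
    """Build a mongodb:// URI from environment variables.

    Fails closed: a missing or empty variable raises instead of silently
    producing a URI with an empty password or host.
    """
    missing = [name for name in REQUIRED_VARS if not env.get(name)]
    if missing:
        raise RuntimeError("missing required environment variables: " + ", ".join(missing))
    # Percent-encode user and password; reserved characters such as '@' or ':'
    # would otherwise be parsed as part of the host section.
    user = quote_plus(env["MONGO_USER"])
    password = quote_plus(env["MONGO_PASSWORD"])
    host = env["MONGO_HOST"]
    port = env.get("MONGO_PORT", "27017")
    auth_db = env.get("MONGO_AUTH_DB", "admin")
    return f"mongodb://{user}:{password}@{host}:{port}/?authSource={auth_db}"


def redact_uri(uri):
    """Return the URI with the password replaced by '***', safe for logging."""
    scheme, _, rest = uri.partition("://")
    creds, _, hostpart = rest.rpartition("@")
    if not creds:
        return uri  # no credentials present, nothing to hide
    user, _, _ = creds.partition(":")
    return f"{scheme}://{user}:***@{hostpart}"


if __name__ == "__main__":
    # pymongo is imported lazily so the helpers above work without it installed.
    from pymongo import MongoClient

    uri = mongo_uri_from_env()
    print("connecting to", redact_uri(uri))  # never print the raw URI
    client = MongoClient(uri)
    print(client.admin.command("ping"))
```

Two caveats that the answer's "further encryption" remark points at: the .bash_profile is still plaintext on disk, so it should be `chmod 600` and belong to the account running the script, and environment variables of a process are readable by any process running as the same user. That is acceptable for keeping secrets out of a public repository, which is the question being asked, but it is not a substitute for host-level access control on the server.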

Robert

Reputation: 42744

There is only one simple way:

If you don't want the password and the server name to be included in your public repository, don't write them into a file that is pushed into that repository.

One way to do so would be to create a config file for secret data and add it to the .gitignore file. At run-time open the config file, read the secret data from it and use it in your script.

Another way would be to provide the secret data (password and server name) as command line parameters to your script.

Any other way that "encrypts" (obfuscates) the password is insecure as long as the repository also contains the obvious or hidden key. This can be decoded with a little effort.

Upvotes: 1
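An added example (not from Robert's answer) of the two approaches he describes: a secrets file that lives outside the repository (or is listed in .gitignore), plus command-line overrides. The default path, the JSON keys `host`/`username`/`password` and the flag names are this example's assumptions. The loader refuses a secrets file that other local users can read, which is the check a reviewer would want next to "just don't commit it".

```python
import argparse
import json
import stat
from pathlib import Path
from urllib.parse import quote_plus

# Assumed default location outside the working tree; nothing in the answer
# prescribes this path. If the file lives inside the repo, add its name to .gitignore.
DEFAULT_SECRETS_PATH = Path.home() / ".config" / "myapp" / "mongo_secrets.json"
REQUIRED_KEYS = ("host", "username", "password")


def load_secrets(path):
    """Read host/username/password from a JSON file that is not tracked by git.

    Refuses files readable by group or others: a secrets file that every
    local account can read is little better than one pushed to GitHub.
    """
    path = Path(path)
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is readable by other users (mode {mode:04o}); chmod 600 it")
    with path.open() as fh:
        data = json.load(fh)
    missing = [key for key in REQUIRED_KEYS if not data.get(key)]
    if missing:
        raise ValueError(f"{path} is missing keys: {', '.join(missing)}")
    return {key: data[key] for key in REQUIRED_KEYS}


def build_uri(secrets, auth_db="admin", port=27017):
    """Assemble the connection string with credentials percent-encoded."""
    user = quote_plus(secrets["username"])
    password = quote_plus(secrets["password"])
    return f"mongodb://{user}:{password}@{secrets['host']}:{port}/?authSource={auth_db}"


def parse_args(argv=None):
    parser = argparse.ArgumentParser(description="connect to MongoDB without secrets in the source tree")
    parser.add_argument("--secrets-file", default=str(DEFAULT_SECRETS_PATH),
                        help="JSON file holding host/username/password (keep it out of git)")
    parser.add_argument("--host", help="override the host from the secrets file")
    parser.add_argument("--username", help="override the username from the secrets file")
    # Deliberately no --password flag: argv is visible to every user via `ps`.
    return parser.parse_args(argv)


def resolve_secrets(args):
    """Merge command-line overrides (host, username only) over the secrets file."""
    secrets = load_secrets(args.secrets_file)
    for key in ("host", "username"):
        value = getattr(args, key)
        if value:
            secrets[key] = value
    return secrets


if __name__ == "__main__":
    from pymongo import MongoClient  # lazy import: helpers work without pymongo

    client = MongoClient(build_uri(resolve_secrets(parse_args())))
    print(client.admin.command("ping"))
```

The host and username may be passed on the command line, as the answer suggests, but the password intentionally may not: process arguments are visible to every account on the machine through `ps`, so a password given that way is exposed to the same local readers the permission check above is guarding against. After creating the file, `git status` should never list it; if it does, the .gitignore entry is wrong.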
