Password and Key Rotation
This page discusses password and key rotation as a means of enhancing security.
Table of Contents
- Introduction
- Why is Password Rotation Important?
- Why is Key Rotation Important?
- Database password encryption and rotation
- Encrypt the MongoDB password
Introduction
Regularly rotating passwords and encryption keys is a critical security practice that enhances credential management. Password rotation refers to updating a user's password, while key rotation involves generating new encryption keys to replace existing ones. Both methods aim to reduce the opportunity for potential breaches by shortening the lifespan of these credentials.
Frequently rotating passwords and keys can lower the risk of credential theft and unauthorized access. The shorter the lifespan of a password or key, the less likely it is to be compromised. This proactive approach helps to reduce long-term vulnerabilities and strengthen overall security.
Why is Password Rotation Important?
Password rotation is a critical security practice because it reduces the risk of unauthorized access to sensitive data. By regularly changing passwords, you can better protect yourself against a variety of cyber threats and limit the potential damage from compromised login credentials.
Rotating passwords provides several benefits:
- Mitigates the risk of attacks: Regularly changing passwords helps defend against cyberattacks such as phishing and malware by minimizing the window in which attackers can exploit stolen credentials.
- Prevents unauthorized access: Password rotation ensures that even if someone obtains an account's password, they will not be able to use it for an extended period.
- Protects sensitive information: Regularly rotating passwords safeguards sensitive data from unauthorized access.
Why is Key Rotation Important?
Key rotation is a critical security measure that helps safeguard sensitive data by regularly changing encryption keys. By rotating keys at regular intervals, you can reduce the risk of long-term vulnerabilities tied to any single credential. Even if a key is compromised, its usefulness is limited. Key rotation is crucial for minimizing the risk of exposing encrypted data if a key is leaked or stolen.
Rotating keys provides several benefits:
- Reduced risk of compromise: Frequent key changes minimize the opportunity for an attacker to exploit a stolen or compromised key, limiting their potential access.
- Limits data exposure: Periodically changing keys ensures the amount of sensitive data encrypted with the same key is kept to a minimum, reducing the potential impact of a breach.
- Improves resilience: Regular key rotation contributes to the overall security, making it harder for attackers to maintain persistent access and reducing the chances of a successful, long-term attack.
Database password encryption and rotation
You can encrypt database passwords and store them in an unreadable format, shielding them from unauthorized access. Periodically rotating database passwords minimizes the risk of long-term exposure if a password is leaked.
To securely encrypt and rotate your database password for enhanced protection, take the following steps:
1. Search for the existing database configuration PID by using the following API with basic authentication:
curl --location --request GET 'http://{hostname}/admin/config?filter=(service.pid%3Dcom.soa.database.config*)' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <base64-encoded-credentials>'
2. Delete the database PID obtained in Step 1 by using the following curl command with basic authentication:
curl --location --request DELETE 'http://{hostname}/admin/config/com.soa.database.config.0df43c36-0de6-4651-ada2-544e59bdb1bf' \
--header 'Authorization: Basic <base64-encoded-credentials>'
3. Encrypt the database password by using a recipe. See Encrypting a value.
4. Set the encrypted password as the value for DB_PASSWORD in the properties file. The entry in the properties file might be:
DB_PASSWORD=secret:VdRdHt61SENlNrufQw2maonU9jZEcNMrprE5L_HDBrE
5. Execute the recipe and restart the container with the new encrypted password by using the following command:
/opt/akana/bin/jython.sh -m akana.container --secrets-file secret.key --recipe ../recipes/db-existing.json --recipe ../recipes/restart.json --props <properties file>
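The following is an added example and not part of the Akana documentation: a POSIX shell helper for the DB_PASSWORD step that writes the value produced by the encryption recipe into the properties file and refuses any value without the secret: prefix, so a plaintext password never reaches the file that the restart recipe reads. The secret: prefix check is an assumption based on the sample value above, and the file and property names used in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the Akana documentation: write the encrypted value
# produced by the encryption recipe into the properties file as DB_PASSWORD,
# and refuse any value that is not in the "secret:..." form, so a plaintext
# password never reaches the file that the restart recipe reads.
set -eu

# Return 0 when $1 looks like an encrypted value: the "secret:" prefix
# (assumed from the sample on this page) followed by a non-empty token
# without whitespace; return 1 otherwise.
is_encrypted_value() {
  case $1 in
    secret:*) token=${1#secret:} ;;
    *) return 1 ;;
  esac
  [ -n "$token" ] || return 1
  case $token in
    *[[:space:]]*) return 1 ;;
  esac
  return 0
}

# Replace (or append) the DB_PASSWORD line in the properties file $1 with
# the value $2. Other lines are kept. The new content is written to a temp
# file first and made readable by its owner only before it replaces $1.
set_db_password() {
  props=$1; value=$2
  if ! is_encrypted_value "$value"; then
    echo "set_db_password: refusing a value without the secret: prefix" >&2
    return 1
  fi
  tmp=$(mktemp "$props.XXXXXX")
  if [ -f "$props" ]; then
    grep -v '^DB_PASSWORD=' "$props" > "$tmp" || true   # grep exits 1 when nothing is left
  fi
  printf 'DB_PASSWORD=%s\n' "$value" >> "$tmp"
  chmod 600 "$tmp"
  mv "$tmp" "$props"
}

# Return 0 when the properties file $1 still carries a DB_PASSWORD that is
# not encrypted; use it as a pre-restart check.
has_plaintext_db_password() {
  grep -q '^DB_PASSWORD=' "$1" && ! grep -q '^DB_PASSWORD=secret:' "$1"
}
```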
Encrypt the MongoDB password
To protect credentials, the MongoDB password stored in the configuration file must be encrypted. Encryption ensures that sensitive credentials are not exposed in plain text, reducing the risk of unauthorized access.
Password encryption can be applied by using any of the following methods:
- Admin console: Use the Configure MongoDB Database Wizard configuration action to encrypt the password directly from the Admin console.
- Mongo.json recipe: Configure encryption by using the mongo.json recipe with the MONGO_PASSWORD_ENCRYPTED parameter set to true. See Encrypt the MongoDB password by using an automation recipe.
- REST API: Supports encrypted password updates; see Encrypt the MongoDB password by using the REST API.
Encrypt the MongoDB password by using the REST API
1. Use the following curl command to update the MongoDB password:
curl --location --request POST 'http://{hostname}/admin/tasks/mongodb.database.config.task/steps/mongodb.database.config.task/execute?username=AdminUser&password=AdminSecurePassword&cpassword=AdminSecurePassword&enabled=true&encrypted=true&mongoClientURI=mongodb%3A%2F%2F{hostname}%3A27017%2FAkana%3FauthMechanism%3DSCRAM-SHA-256%26authSource%3Dadmin%26connectTimeoutMS%3D15000%26socketTimeoutMS%3D1500000%26minPoolSize%3D0%26maxPoolSize%3D100%26waitQueueMultiple%3D5%26waitQueueTimeoutMS%3D10000' \
--header 'Authorization: Basic <base64-encoded-credentials>' \
--header 'Accept: application/json, text/plain, */*' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: {COOKIE_VALUE}'
2. Use the following command to check the status of the MongoDB configuration task:
curl --location 'http://{hostname}/admin/tasks/jobs/mongodb.database.config.task' \
--header 'Accept: application/json, text/plain, */*' \
--header 'Cookie: {COOKIE_VALUE}'
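The execute call above carries the admin password and the MongoDB client URI as query parameters, and the page shows the URI already percent-encoded. The following added example (not from the Akana documentation) builds that URL with every value encoded the same way, so a password or URI containing characters such as &, %, = or / cannot break the request; the host and credentials used in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Akana documentation: build the query string for
# the mongodb.database.config.task "execute" call with every value
# percent-encoded, matching the encoding of mongoClientURI shown on this page.
set -eu

# Percent-encode every character of $1 except the RFC 3986 unreserved set
# (A-Z a-z 0-9 - _ . ~). ASCII input is assumed.
urlencode() {
  s=$1; out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}     # first character of the remaining string
    s=${s#?}
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Compose the execute URL: $1 gateway host, $2 admin user, $3 admin password
# (used for both password and cpassword), $4 MongoDB client URI, unencoded.
# The result is printed to stdout.
mongo_config_execute_url() {
  host=$1; user=$2; pass=$3; uri=$4
  printf 'http://%s/admin/tasks/mongodb.database.config.task/steps/mongodb.database.config.task/execute?username=%s&password=%s&cpassword=%s&enabled=true&encrypted=true&mongoClientURI=%s' \
    "$host" "$(urlencode "$user")" "$(urlencode "$pass")" "$(urlencode "$pass")" "$(urlencode "$uri")"
}
```

Because the values travel in the query string, they also appear in shell history and in any access or proxy log that records request URLs, which is worth keeping in mind when choosing between this method and the Admin console or recipe methods listed above.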