Encryption of plugins' configuration files?

Hi community,

Is there any agreement about encryption related to locally installed plugins which (for correct execution) depend on a user / password in plain text in their configuration file? I know there is an agreement on built-in security for both the Linux and Windows agents for their outputs sent to the server, but I could not find anything w.r.t. plugins so far.

The agent and its plugins need credentials in plain text to request monitoring info from databases and other systems.

How should these credentials be encrypted and with which secret should they be secured? Where should this secret be stored?

The agent configuration is only readable by root on Unix/Linux systems and equally by SYSTEM on Windows machines. This has to suffice.
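
The reply above rests on the agent configuration being readable only by root. As an added example (not part of the thread and not the agent's own code), this Python script audits a configuration directory for that property on Unix/Linux; the directory, the file names and the function names are assumptions for illustration.

```python
import os
import stat
import tempfile

def check_entry(path, expected_uid):
    """Return a list of problems for one file, directory or symlink."""
    st = os.lstat(path)  # lstat: inspect the link itself, do not follow it
    if stat.S_ISLNK(st.st_mode):
        return ["symlink: target is outside this audit"]
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if stat.S_ISDIR(st.st_mode):
        # A directory writable by others lets them swap the files inside it.
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"directory writable by group/other ({mode:04o})")
    elif mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"file accessible by group/other ({mode:04o})")
    return problems

def audit_config_tree(root, expected_uid=0):
    """Walk root and return (path, problem) pairs; expected_uid 0 is root."""
    findings = [(root, p) for p in check_entry(root, expected_uid)]
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            findings += [(path, p) for p in check_entry(path, expected_uid)]
    return findings

def demo():
    """Constructed sample tree; uses the current uid so it runs unprivileged."""
    with tempfile.TemporaryDirectory() as root:
        # Hypothetical plugin config names and constructed credentials.
        samples = (("db_plugin.cfg", 0o600), ("other_plugin.cfg", 0o644))
        for name, mode in samples:
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("user=monitor\npassword=constructed-example\n")
            os.chmod(path, mode)
        found = audit_config_tree(root, os.getuid())
        return [(os.path.basename(p), msg) for p, msg in found]

if __name__ == "__main__":
    for name, msg in demo():
        print(name, "->", msg)
```

On a real host, call `audit_config_tree` as root with the agent's configuration directory and the default `expected_uid=0`.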

Thanks for your quick explanation. We recently had a short discussion with an open ending and are wondering if there’s a common statement in the monitoring community about that topic.

I think this is always a problem if you let checks run without interaction. You need to store your password somewhere, and your agent needs the key if the password is encrypted.
That means the key for the encrypted password must also be somewhere on the machine 🙂

On Windows it is possible to store credentials in an encrypted way, without clear text, so that they can only be reused by the same account that stored them.
But I don’t know how this can be implemented inside the agent, as the agent must create the encrypted file after the agent installation. And this means the original passwords must be inside the MSI package somewhere.

Thanks, nevertheless such feedback will help in further discussions about the topic! 👍
