I noticed that the config.json stores sensitive data as plain text. Isn’t it possible to encrypt these? If the server gets hacked for example said hacker can view all the information on the config.json and thus gain access to the sensitive data there, at least adding a simple encryption to the passwords and admin token would be a good idea.
It may be possible to encrypt it, but that would not make it safer if your server gets hacked.
You probably have other things to think about when your server gets hacked than just one specific file.
A few reasons why.
- If they can access your server, they can simply remove that file, change the env settings and restart the container which will give them access.
- They could just copy the database and start a container themselves locally.
- We would need to keep a backwards compatible way for unencrypted files, or unencrypted token, which they then could use to gain access.
So in the end, there is nothing really gained by encrypting that file, except for direct visibility of the file of course. The same goes for having an encrypted token, for example: it will not show the correct token directly, but if someone has access to your server it doesn't matter anymore.
I see, fair enough. I guess I have to use Vaults for the sensitive data. Thanks for clearing things up.
Also, you could try to not use the admin to change your settings of course, and only use .env or docker env variables. In that case you could also use docker secrets: docker secret create | Docker Documentation
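As an added example (not code from the original thread or from the project discussed): the pattern the last reply points at is to keep secrets out of config.json entirely and let the container read them from a Docker secret file under /run/secrets (what `docker secret create` plus a `secrets:` entry in the service mounts) or, failing that, from the environment. The variable names ADMIN_TOKEN and ADMIN_TOKEN_FILE, the lowercase secret file name and the lookup order are assumptions for illustration; the project's own configuration may differ.

```shell
#!/bin/sh
# Added example, not the project's own entrypoint.
#
# Typical setup on the host (not run here):
#   printf '%s' "$(openssl rand -hex 32)" | docker secret create admin_token -
# and in the compose/stack file:
#   services:
#     app:
#       secrets: [admin_token]
#   secrets:
#     admin_token:
#       external: true
# Docker then mounts the value at /run/secrets/admin_token inside the container.

# Where Docker mounts secret files. Overridable so the lookup can be tested.
SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

# load_secret NAME
# Prints the secret for NAME without a trailing newline, checking in order:
#   1. $NAME_FILE            explicit path to a secret file (the *_FILE convention)
#   2. $SECRETS_DIR/<name>   conventional Docker secret mount, name lowercased
#   3. $NAME                 plain environment variable (weakest: visible in
#                            `docker inspect` and /proc/<pid>/environ)
# Returns 1 and prints nothing when none of them is set.
load_secret() {
    name="$1"

    # 1. explicit *_FILE variable (assumed convention)
    file_path=$(eval "printf '%s' \"\${${name}_FILE:-}\"")
    if [ -n "$file_path" ] && [ -r "$file_path" ]; then
        # command substitution strips the trailing newline a secret file often has
        printf '%s' "$(cat "$file_path")"
        return 0
    fi

    # 2. conventional Docker secret mount
    lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    if [ -r "$SECRETS_DIR/$lower" ]; then
        printf '%s' "$(cat "$SECRETS_DIR/$lower")"
        return 0
    fi

    # 3. plain environment variable
    value=$(eval "printf '%s' \"\${${name}:-}\"")
    if [ -n "$value" ]; then
        printf '%s' "$value"
        return 0
    fi

    return 1
}

# demo: constructed secret file in a temporary directory, standing in for
# /run/secrets/admin_token. Prints only the length so the value never hits logs.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed-example-token\n' > "$tmp/admin_token"
    chmod 0400 "$tmp/admin_token"
    # subshell so the overridden SECRETS_DIR does not leak into the caller
    token=$( SECRETS_DIR="$tmp"; load_secret ADMIN_TOKEN ) || {
        echo "ADMIN_TOKEN is not configured" >&2
        rm -rf "$tmp"
        return 1
    }
    echo "loaded ADMIN_TOKEN (${#token} chars) from $tmp/admin_token"
    rm -rf "$tmp"
}

demo
```

An entrypoint would call `ADMIN_TOKEN=$(load_secret ADMIN_TOKEN) || exit 1` before starting the service and refuse to start without it. Note that this only moves the secret off the config file and out of the image; as the reply above says, anyone who already has root on the host can still read /run/secrets of a running container, so the gain is against leaked config files, backups and images, not against a fully compromised host.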