Encrypt all keys in Passwords.java

Issue #252 resolved
Desrever Nu created an issue

Currently keys are readable by opening up the Passwords.class file and reverse engineering it.

It's not a big deal, nothing really sensitive is compromised (hipchat notifications, mail, test exchanges), but it is time to change that.

This is my proposal, please read it all and feel free to make it better.

1) Use Sam's tool to encrypt all keys using a masterkey
2) Replace the clear keys in Passwords.java with the encrypted keys
3) Add a static method to Passwords.java: getDecryptedKey(String encryptedKey, String masterkey)
4) Prompt for the masterkey when running newbot and put it in a global variable (Global.masterkey), see ***
5) Replace how we access the Passwords: wherever we access the fields stored in Passwords, replace it with, for example:

    Passwords.getDecryptedKey(Passwords.CCEDK , Global.masterkey );

6) Change all old keys that were stored on Passwords.java before being encrypted

bonus) Divide TestPasswords (exchanges etc.) from production passwords (hipchat ...), and encrypt them using a different key(?)

If we follow this step-by-step tutorial we will have a point of failure (***), that is, we require custodians/testers to type the clear masterkey every single time nubot is run. This is not a desired behaviour, and a pain in the arsh both for us and the user.

Instead, I would opt for a solution where the Bot (on start) looks for a special file located in a known location that is used to decrypt the masterkey, without the chance of people reverse engineering a simple .class file.

Can you think of a way to make it possible?

Comments (7)

  1. Benjamin Cordes

    I think as soon as one publishes something, it is reversible. The only way to prevent it would be a registration process of some kind, i.e. one user of a NuBot has secret information provided by Nu. Might this be done over the NuWallet?
