
I am trying to find the safest and best way to save and read a password or other sensitive data, which I can use, for example, in a Selenium test automation written in C#.

Storing and securing sensitive data seems to be a really tough topic. There are only a very few questions on Stack Overflow, which are more than 8 years old and do not help me with my problem.

My requirements are:

  • the password is not allowed to be visible in the code or in any file just by opening it
  • Co-workers should be able to use it without putting too much work into making it run. (For example, KeePass would work, as the users need 2 files (key and key DB) to be able to read the password out of KeePass.)
  • We use Bitbucket to upload the solutions or branches. Bitbucket runs all the code, even the tests, without the need for Visual Studio (SonarQube and so on). We can upload the .key files (for example from KeePass) to decrypt the passwords.

Methods I found so far for storing/hiding sensitive data:

  • Encryption and decryption: I'd say it's the most common and most used method. According to my co-worker, this isn't something the company wants to use, as it's too easy to decrypt a ciphertext when the encryption method is known.

  • Environment variables (thank you Prophet for telling me about it): Seems to be a super safe way to store/hide passwords. The sensitive data is stored in the Windows environment variables and you can use it only locally. The problem here is: each of my co-workers needs to add the variables in Windows, and we use Bitbucket to upload our solutions onto the server, on which we can start the automation tests without using Visual Studio. Not sure if this would be possible for us.

  • KeePass (software): Seems to be the safest way to store and read the password. The user needs 2 files (Database.key and Database.kdbx) to access the passwords. But there's only one question on Stack Overflow, which is over 10 years old: Link to question. Since then, there haven't been any updated and helpful questions or YouTube videos which could help me to set up KeePass in C#. BUT there are NuGet packages in Visual Studio for KeePass.

  • Cryptography (symmetric algorithms): I found a Microsoft video today (Link to video) in which they talk about all the different kinds of cryptography in .NET Core. They mentioned the symmetric algorithm, which seems to work similarly to KeePass: to decrypt the ciphertext, the users need a secret key. Not sure yet if this method is the answer to my question or if I can use this.

As you can see, I put some effort into finding a solution. I am still a beginner in writing code, but I have made a lot of progress and searched deep in the web for solutions to improve my skills. Still, this topic is making me crazy, and I'm not experienced enough to know how to write the code from 0 or where to begin.

Maybe someone here is willing to put some effort and time into how to set up KeePass in C# and also how to set up symmetric cryptography, as these topics haven't had much attention in the past.

It would be nice if this question got some attention, so maybe it's going to help others who are looking for the same answer.

Beardy
  • Rule #1: never store a password, either encrypted or otherwise. Passwords should be hashed (basically, convert the password string into a very large number). When you want to verify a password, take the new user input and hash it, and compare the hashed value with the one stored. – Neil Jul 27 '21 at 11:15
  • For a selenium test automation I would also try to use test (not production) data - it won't matter then if the credentials are exposed! – phuzi Jul 27 '21 at 11:47
  • Yeah, I'm aware of this @phuzi. In our case it's: after writing a Selenium test, it's merged to the master branch and uploaded to Bitbucket. There the programmers can start the test with just one click, without using Visual Studio, to check if the website still works when they have fixed something or added new features. – Beardy Jul 27 '21 at 11:53
  • These are the requirements from our Head of – Beardy Jul 27 '21 at 12:03
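An added example (mine, not code from the question or any answer) of the symmetric-key approach listed above, using AES-GCM from System.Security.Cryptography. It assumes a 32-byte key file that is handed to co-workers out of band, the way a KeePass .key file would be, and kept out of the repository, while only the Base64 ciphertext is committed. The file paths and the Main driver are my assumptions. Knowing the algorithm does not help an attacker: the secret is the key, and GCM additionally rejects a ciphertext that has been modified.

```csharp
// Added example, not from the original post. Requires .NET Core 3.0+ / .NET 5+
// (System.Security.Cryptography.AesGcm). Key file path and driver are assumptions.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class KeyFileSecrets
{
    private const int KeyBytes = 32;    // AES-256
    private const int NonceBytes = 12;  // 96-bit nonce, the standard GCM size
    private const int TagBytes = 16;    // 128-bit authentication tag

    // One-time setup: create the key file and distribute it like a KeePass key file.
    public static void CreateKeyFile(string path)
    {
        byte[] key = new byte[KeyBytes];
        RandomNumberGenerator.Fill(key);
        File.WriteAllBytes(path, key);
    }

    public static byte[] LoadKey(string path)
    {
        byte[] key = File.ReadAllBytes(path);
        if (key.Length != KeyBytes)
            throw new CryptographicException($"Key file must be exactly {KeyBytes} bytes.");
        return key;
    }

    // Output layout: nonce || tag || ciphertext, Base64-encoded so it can live in a text file.
    public static string Encrypt(byte[] key, string plaintext)
    {
        byte[] nonce = new byte[NonceBytes];
        RandomNumberGenerator.Fill(nonce);  // fresh per message; never reuse a nonce with the same key
        byte[] plain = Encoding.UTF8.GetBytes(plaintext);
        byte[] cipher = new byte[plain.Length];
        byte[] tag = new byte[TagBytes];
        using (var aes = new AesGcm(key))   // on .NET 8+ prefer new AesGcm(key, TagBytes)
            aes.Encrypt(nonce, plain, cipher, tag);

        byte[] blob = new byte[NonceBytes + TagBytes + cipher.Length];
        Buffer.BlockCopy(nonce, 0, blob, 0, NonceBytes);
        Buffer.BlockCopy(tag, 0, blob, NonceBytes, TagBytes);
        Buffer.BlockCopy(cipher, 0, blob, NonceBytes + TagBytes, cipher.Length);
        return Convert.ToBase64String(blob);
    }

    public static string Decrypt(byte[] key, string encoded)
    {
        byte[] blob = Convert.FromBase64String(encoded);
        if (blob.Length < NonceBytes + TagBytes)
            throw new CryptographicException("Ciphertext too short.");
        var nonce = new ReadOnlySpan<byte>(blob, 0, NonceBytes);
        var tag = new ReadOnlySpan<byte>(blob, NonceBytes, TagBytes);
        var cipher = new ReadOnlySpan<byte>(blob, NonceBytes + TagBytes, blob.Length - NonceBytes - TagBytes);
        byte[] plain = new byte[cipher.Length];
        using (var aes = new AesGcm(key))
            aes.Decrypt(nonce, cipher, tag, plain);  // throws CryptographicException on wrong key or tampering
        return Encoding.UTF8.GetString(plain);
    }
}

public static class Program
{
    public static void Main()
    {
        // Assumed locations: the key file stays outside the repo, the ciphertext is committed.
        string keyPath = Path.Combine(Path.GetTempPath(), "selenium-tests.key");
        string secretPath = Path.Combine(Path.GetTempPath(), "secret.txt");
        if (!File.Exists(keyPath)) KeyFileSecrets.CreateKeyFile(keyPath);
        byte[] key = KeyFileSecrets.LoadKey(keyPath);

        File.WriteAllText(secretPath, KeyFileSecrets.Encrypt(key, "P@ssw0rd-for-test-account"));
        Console.WriteLine("Decrypted: " + KeyFileSecrets.Decrypt(key, File.ReadAllText(secretPath)));

        // Flip one byte of the stored ciphertext: GCM refuses to decrypt instead of returning garbage.
        byte[] tampered = Convert.FromBase64String(File.ReadAllText(secretPath));
        tampered[tampered.Length - 1] ^= 0x01;
        try { KeyFileSecrets.Decrypt(key, Convert.ToBase64String(tampered)); }
        catch (CryptographicException) { Console.WriteLine("Tampered ciphertext rejected."); }
    }
}
```

The design matches the two-file idea from the question: the .key file and the ciphertext file are both needed, the key file is never committed, and a co-worker who has the key file can pull the branch and run the test without further setup. A build agent would need the key file placed on it once, outside the repository.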

1 Answer


Take a look at the ProtectedData class, which is a wrapper around Windows DPAPI (Data Protection API). It can be used to encrypt data per Windows user¹, so other users can't decrypt it.

Obviously, if somebody can log in as the same Windows user (who encrypted the data through DPAPI), they can decrypt the data by just asking DPAPI to do it for them. But if you trust the Windows user and he/she is not breached (at which point you probably have bigger problems), this should be a decent solution for testing.

EDIT: I'm not sure how this would work under Bitbucket. I'll leave the answer here in case somebody finds it helpful...


¹ DataProtectionScope.CurrentUser

Branko Dimitrijevic
  • Thanks. Yeah, it might help someone else. But in my case, my co-workers have their own personal users in Windows. My goal is to find a way in which they simply just pull a branch from my implementation and directly press "Run" to start the automated test, which automatically gets the hidden password. It would work with KeePass if my co-workers have the same 2 files to access the KeePass database – Beardy Jul 27 '21 at 11:43
  • Yes, each user would need to set the password via DPAPI independently. – Branko Dimitrijevic Jul 27 '21 at 11:46
  • Is it possible to give access to multiple Windows users? Or does only one person have access to the sensitive data? Can you define 2-3 different Windows users? – Beardy Jul 27 '21 at 15:39
  • You can't define an arbitrary subset of users, but you can allow all users on the same machine via `DataProtectionScope.LocalMachine`. – Branko Dimitrijevic Jul 28 '21 at 08:35
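An added example (mine, not Branko's code) of what the answer and its comments describe: ProtectedData.Protect/Unprotect with DataProtectionScope.CurrentUser, which only the same Windows account can reverse, and DataProtectionScope.LocalMachine, which any account on that machine can reverse. The storage path under %LOCALAPPDATA%, the optional entropy bytes and the set/get command line are my assumptions. On .NET Core / .NET 5+ this needs the System.Security.Cryptography.ProtectedData NuGet package, and it runs on Windows only.

```csharp
// Added example, not from the original answer. Windows only; on .NET Core / .NET 5+
// add the System.Security.Cryptography.ProtectedData NuGet package.
// Storage path, entropy and the set/get driver are assumptions.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class DpapiSecretStore
{
    // Without entropy, anyone running as the same user (CurrentUser) or on the same machine
    // (LocalMachine) can call Unprotect. Entropy is an extra value the caller must also present;
    // it is a second factor, not a replacement for the scope.
    public static void Save(string path, string secret, DataProtectionScope scope, byte[] entropy = null)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        byte[] blob = ProtectedData.Protect(plain, entropy, scope);
        Array.Clear(plain, 0, plain.Length);  // drop the plaintext copy as soon as possible
        Directory.CreateDirectory(Path.GetDirectoryName(path));
        File.WriteAllBytes(path, blob);
    }

    public static string Load(string path, DataProtectionScope scope, byte[] entropy = null)
    {
        byte[] blob = File.ReadAllBytes(path);
        // Throws CryptographicException when a different user (CurrentUser scope), a different
        // machine, or different entropy tries to unprotect the blob.
        byte[] plain = ProtectedData.Unprotect(blob, entropy, scope);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }
}

public static class Program
{
    // Assumed entropy: a constant baked into the test project. Anyone with the source knows it,
    // so it only stops unrelated programs on the same account from reading the blob by accident.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("selenium-tests-v1");

    public static int Main(string[] args)
    {
        string dir = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "SeleniumTests");
        string userBlob = Path.Combine(dir, "secret.user.bin");
        string machineBlob = Path.Combine(dir, "secret.machine.bin");

        if (args.Length == 2 && args[0] == "set")
        {
            // Run once per Windows account (CurrentUser) or once per machine (LocalMachine).
            DpapiSecretStore.Save(userBlob, args[1], DataProtectionScope.CurrentUser, Entropy);
            DpapiSecretStore.Save(machineBlob, args[1], DataProtectionScope.LocalMachine, Entropy);
            Console.WriteLine("Secret stored under " + dir);
            return 0;
        }

        // What a test would do at start-up.
        try
        {
            string fromUser = DpapiSecretStore.Load(userBlob, DataProtectionScope.CurrentUser, Entropy);
            string fromMachine = DpapiSecretStore.Load(machineBlob, DataProtectionScope.LocalMachine, Entropy);
            Console.WriteLine(fromUser == fromMachine ? "Both scopes decrypt to the same secret." : "Mismatch.");
            return 0;
        }
        catch (CryptographicException ex)
        {
            Console.Error.WriteLine("Cannot unprotect secret (other user/machine or wrong entropy): " + ex.Message);
            return 1;
        }
    }
}
```

Each developer runs `set` once so the blob exists under their own profile, outside the repository; with LocalMachine the build machine needs the `set` step only once for all accounts on it, which is the closest DPAPI gets to the "pull the branch and press Run" goal from the comments. A blob protected by another account, or presented with different entropy, fails inside Unprotect with a CryptographicException rather than yielding garbage.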