Keystore and permanent stored passwords

[qpirsel]

Hi!

I'm currently playing with semaphore ui and try to figure out how it works. One thing that gives me a headache is that I have to store passwords (e.g. ssh privat key password) permanently.

As far as I undertand semaphore can't (currently) ask for passwords at task execution time. Hence, the only barrier between an attacker and the "golden ticket" to my infrastructre are the semaphire ui login credentials (of course, apart from other measures in the infrastructure).

Anyway, how about to encrypt all keystore entries with an addiontinal master password that isn't stored physically and MUST be entered each time semaphore started to decrypt all permanent stored passwords (like ansible valut, keepass or something like that).

Wouldn't that bring a real increase in security?

Regards
qpirsel

[coolstuff99]

Yes please, something robust like rely passwords to a password manager at least as an alternative would be ideal. This is the main reason why I am not moving forward to use semaphore up to now :(