secure coding on the move

Wed, Nov 7, 2012

When I’m on the move, to a conference or a meeting or something, I quite often like to do some work on the laptop which can mean writing code that talks to internal servers via the VPN. That means usernames and passwords and the possibility of the laptop being purloined by some footpad who then gets access to the internal systems. To get round this I organise my coding into different folders:

/Users/alistair/dev/matrix-blackboard/
  local
  matrix-blackboard
  matrix-blackboard-config

Say I’m working on Blackboard provisioning. Under my main dev folder I have a matrix-blackboard folder. In there is matrix-blackboard which is the code directory, matrix-blackboard-config which is the Spring config files containing URLs, usernames and passwords and local which is where I flex my muscles trying out new things to do with this project and also where I’ll store various docs related to it. The problem is, if the footpad gets hold of the laptop, they’ll have access to the Spring config and any other sensitive information in the local folder. So I have a TrueCrypt encrypted file container for project configurations and project local folders:

/Volumes/CONFIGLOCAL/
  dev-config/matrix/matrix-blackboard
  dev-local/matrix/matrix-blackboard

Similarly, when I run these projects on the laptop I need to, now and again, point them at real systems which means the deployed Spring configs are out in the open. Again, I take care of this with an encrypted file container, APPSDEV, which when mounted contains deployed project configurations. I also have a load of utility scripts that do useful things on systems and they’re all in the SCRIPTS encrypted volume.

I’ve only really had one problem with this model and that’s connecting to our local Gitorious installation over ssh. I keep my private keys in an SSHKEYS encrypted volume but because it’s FAT I get warnings about world writeable keys, but they’re only world writeable as long as the volume is mounted. Once it’s unmounted they disappear. The commands to load them are in the SCRIPTS volume so they disappear too when they’re unmounted, although their location is included in my PATH so when they’re mounted they automatically appear on the commandline.

So that’s a lot of mounting and unmounting. How about a script to do that? Here’s what I keep in my unencrypted ~/bin/mount-dev-volumes:

It first prompts for the password for the volumes and then mounts them all under /Volumes. Note that if you open TrueCrypt to manually mount another volume, if you close it all the commandline mounted volumes will be unmounted. I also have a utility script to manually unmount the dev volumes:

So that takes care of protecting sensitive programming information and configurations. I also have a load of encrypted file containers for docs, email archives, private stuff etc which I normally mount directly from TrueCrypt.
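
A sketch of the mount and unmount helpers described above, as an added example and not the author's own scripts. It assumes the containers are NAME.tc files in a hypothetical ~/containers directory, share one password, and are driven through the TrueCrypt command-line interface on OS X:

```shell
#!/bin/sh
# Added example, not the author's script. CONTAINER_DIR and the ".tc" file
# naming are assumptions; the volume names are the ones the post mentions.
TRUECRYPT="${TRUECRYPT:-/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt}"
CONTAINER_DIR="${CONTAINER_DIR:-$HOME/containers}"
MOUNT_ROOT="${MOUNT_ROOT:-/Volumes}"
VOLUMES="CONFIGLOCAL APPSDEV SCRIPTS SSHKEYS"

is_mounted() { mount | grep -qF " on $1 "; }

mounted_volumes() {   # names still mounted, i.e. still readable if the laptop is taken
    for name in $VOLUMES; do
        if is_mounted "$MOUNT_ROOT/$name"; then echo "$name"; fi
    done
}

prompt_password() {   # one prompt, no echo; restore echo if interrupted
    trap 'stty echo' INT TERM
    printf 'Volume password: ' >&2
    stty -echo; IFS= read -r pw_in; stty echo
    printf '\n' >&2; printf '%s' "$pw_in"
}

mount_all() {   # $1 = password shared by all containers
    failed=0
    for name in $VOLUMES; do
        img="$CONTAINER_DIR/$name.tc"
        if is_mounted "$MOUNT_ROOT/$name"; then continue; fi
        if [ ! -f "$img" ]; then echo "missing container: $img" >&2; failed=1; continue; fi
        # --password puts the secret in argv, visible in `ps` while TrueCrypt starts
        "$TRUECRYPT" --text --non-interactive -k "" --protect-hidden=no \
            --password="$1" "$img" "$MOUNT_ROOT/$name" || failed=1
    done
    return $failed
}

unmount_all() {
    failed=0
    for name in $VOLUMES; do
        is_mounted "$MOUNT_ROOT/$name" || continue
        "$TRUECRYPT" --text --dismount "$MOUNT_ROOT/$name" || failed=1
    done
    return $failed
}

case "${1:-}" in
    mount)   mount_all "$(prompt_password)" ;;
    unmount) unmount_all ;;
    status)  mounted_volumes ;;
esac
```

Called with `status`, it lists any of the four volumes that are still mounted, which is the thing to check before the laptop leaves your hands.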
