
redmine_wiki_encryptor - a Wiki data encryption plugin for Redmine

If you store sensitive data in the Redmine Wiki, you have probably wondered what would happen if someone gained access to the server and dumped the database.
Let me introduce redmine_wiki_encryptor, a plugin developed by our company. With this plugin, Redmine decrypts data from the Wiki tables on the fly, so even if someone gets a database dump, they will not be able to read anything without the key.



Install and configure redmine_wiki_encryptor


Back up the Redmine database. If something goes wrong, there is a risk of losing the Wiki data.

Download the plugin:
 git clone https://github.com/olemskoi/redmine_wiki_encryptor.git /opt/redmine/plugins/redmine_wiki_encryptor


Install the gems (this assumes you use Bundler to manage gems):
 bundle install --without development test sqlite postgresql --path vendor/bundle 


Run the plugin migrations:
 bundle exec rake redmine:plugins:migrate RAILS_ENV="production" 


Add the plugin configuration to the "production" section of the redmine/config/configuration.yml file. The parameters are key (the key used for encryption; take care of it) and algorithm (the encryption algorithm; the list of algorithms supported by your system can be obtained with the "openssl list-cipher-commands" command):

production:
  wiki_encryptor:
    key: 'mega-secret-key'
    algorithm: 'des'


Stop Redmine and encrypt the Wiki data:
 bundle exec rake wiki_encryptor:encrypt RAILS_ENV="production" 


Now all the Wiki data is stored in encrypted form.

Important! Turn off caching of formatted text in the Redmine settings; otherwise a cache of every visited wiki page will accumulate in plain text in the redmine/tmp/cache folder.
[Screenshot: Disable formatted text caching]

Delete the cache:
 rm -rf /opt/redmine/tmp/cache/* 


Now for the most interesting part. An attacker could still decrypt the data, because the key is visible in the configuration file. To rule this out, you can start Redmine manually and not store the password in the config.
After performing the encryption procedure, remove the key (everything after the space) from the redmine/config/configuration.yml configuration file and, for simplicity, use a script like the following:

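#!/bin/sh
# Stop Redmine first, in case it is running
/etc/init.d/redmine stop
# Ask for the key without echoing it to the terminal
printf "Password: "
stty -echo; read -r password; stty echo
# Put the key into the config
# (the key must not contain characters special to sed, such as / & or \)
sed -i "s/ key:/ key: '$password'/g" /opt/redmine/config/configuration.yml
echo
echo
# Start Redmine
/etc/init.d/redmine start
# Give Redmine time to start and read the config
sleep 3
# Remove the key from the config again
sed -i "s/ key: '$password'/ key:/g" /opt/redmine/config/configuration.yml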
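
The two leaks described above, a key left in configuration.yml and rendered pages left in tmp/cache, can be checked after setup. This is an added example, not code from the article or the plugin; the function names key_at_rest, cached_files and audit are hypothetical, and the paths assume the article's Redmine layout.

```shell
#!/bin/sh
# Added example, not part of the article or the plugin. Function names
# are hypothetical; paths follow the article's Redmine layout.

# Return 0 if the wiki_encryptor block still has a non-empty "key:".
key_at_rest() {
    conf="$1/config/configuration.yml"
    [ -f "$conf" ] || return 1
    awk '
        /^[ \t]*wiki_encryptor:/ { in_blk = 1; next }
        in_blk && /^[ \t]*key:/ {
            v = $0
            sub(/^[ \t]*key:[ \t]*/, "", v)    # drop the "key:" label
            sub(/[ \t]*(#.*)?$/, "", v)        # drop trailing comment
            if (v != "" && v != "\047\047" && v != "\"\"") found = 1
            in_blk = 0
        }
        END { exit(found ? 0 : 1) }
    ' "$conf"
}

# Print the number of files left under tmp/cache.
cached_files() {
    find "$1/tmp/cache" -type f 2>/dev/null | wc -l | tr -d ' '
}

# Report both findings; return non-zero if either is present.
audit() {
    rc=0
    if key_at_rest "$1"; then
        echo "FAIL: key is stored in $1/config/configuration.yml"
        rc=1
    fi
    n=$(cached_files "$1")
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n file(s) in $1/tmp/cache may hold rendered wiki text"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no key at rest, cache is empty"
    return "$rc"
}

# Run only when a Redmine root is given, e.g. sh audit.sh /opt/redmine
if [ "$#" -gt 0 ]; then
    audit "$1"
fi
```

Run it after the start script has finished; a FAIL on the key check at that point means the second sed did not match and the key is still on disk.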


That's all. I will welcome ideas and suggestions in the comments!

In one of the next articles I will write about two-factor SMS authentication for Redmine. If you are interested, you are welcome at our Habr blog.

References:
http://centos-admin.ru/ - site of our company
https://github.com/olemskoi/redmine_wiki_encryptor - plugin redmine_wiki_encryptor

Source: https://habr.com/ru/post/169341/

