How to manage passwords in a snap

I’m working on a snap that will need encrypted files supplied after the snap is installed (i.e. the encrypted files are not part of the snap). Those encrypted files should be located in a keystore-path.

The snap runs a service, which needs a password + the files located in the keystore-path to start. The password lives in a password-file.

The startup looks something like this:

./foobar-bin --password-filename /opt/password-file --keystore-path /opt/

I’m looking for some advice and/or examples on how to implement this within a snap context.

  • How to supply/make accessible the encrypted files in the keystore-path?
  • How to get a password into a password-filename accessible to the snap service - in a secure way? Possibly by some facility available in the snap world?

Any advice here is welcome.

Ideally, I would be able to use some facility to keep the password inside the “password-file” even safer. But that’s a bonus I guess.

Code inside a Snap can only access files in the writable directory /var/snap/SNAPNAME/common/, not any directory above it.

This is when the Snap has strict confinement. (If it is a --classic snap, it can write to other directories.)

Some examples of managing settings here:


How does this relate to the $HOME/snap/ directory for users?

@lonroth

I would presume that only classic snaps can access $HOME/snap/. But I have not read the snapcraft source code, so I don’t know whether this is true or false.

For files at /var/snap/SNAPNAME/common/*, in the strict sandbox it’s possible to write to that * directory from some programming language.


@lonroth

About keeping passwords etc. encrypted: I presume Snap itself does not have an integrated encrypted keychain currently.

Some encryption and security options are discussed here:

Also, this software has a way to encrypt its database:


Related Ansible Vault:

In fact $HOME/snap/<snapname>/current is the snap’s home; all snaps can access this via the $SNAP_USER_DATA variable, and $HOME will by default point to this directory at runtime. current is a symlink to a versioned directory, so that if you roll back and forth between snap revisions (using snap revert and snap refresh), your $HOME will always find the exact data for the particular version.

Equivalently $SNAP_USER_COMMON points to $HOME/snap/<snapname>/common which is unversioned and should hold payload data of your snap that you do not want duplicated by version.

/var/snap/<snapname>/current and /var/snap/<snapname>/common are the system-level equivalents of this (but only root-writable, since they live in /var where normal users cannot write) and can be accessed through the $SNAP_DATA and $SNAP_COMMON variables.

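Putting the original question and the last reply together, here is an added example of a launcher script a strictly confined snap could ship as its daemon command. It is not code from this thread or from snapcraft; it only relies on the standard snapd environment variables described above ($SNAP_COMMON for the unversioned, root-only data directory and $SNAP for the snap’s install directory), and it assumes the hypothetical foobar-bin binary and flags from the question. The operator drops the password file and the keystore into $SNAP_COMMON after installation, and the wrapper refuses to start the service unless the password file is owned by the service user with mode 0600 (or 0400) and the keystore directory is non-empty. The password only ever reaches the binary through a file path, never as a command-line argument, so it does not appear in process listings or logs.

```shell
#!/bin/sh
# Added example launcher (not from the thread). Assumes snapd's $SNAP_COMMON
# and $SNAP variables and the hypothetical "foobar-bin" from the question.
# stat -c is GNU coreutils, which is what Ubuntu-based snaps ship.

# Secrets live under $SNAP_COMMON: unversioned, so they survive
# "snap refresh"/"snap revert", and root-writable only.
password_file() {
    printf '%s\n' "${SNAP_COMMON:?SNAP_COMMON is not set; run inside the snap}/password-file"
}

keystore_dir() {
    printf '%s\n' "${SNAP_COMMON:?SNAP_COMMON is not set; run inside the snap}/keystore"
}

# Succeed only when the password file is a regular file owned by the user
# running the service and readable by nobody else (mode 600 or 400).
check_password_file() {
    f=$(password_file)
    [ -f "$f" ] || { echo "missing password file: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%u' "$f") || return 1
    [ "$owner" = "$(id -u)" ] || { echo "password file $f is not owned by the service user" >&2; return 1; }
    case "$mode" in
        600|400) return 0 ;;
        *) echo "password file $f has permissive mode $mode (want 600)" >&2; return 1 ;;
    esac
}

# Succeed only when the keystore directory exists and holds at least one file,
# so a misconfigured install fails here with a clear message instead of
# inside the daemon.
check_keystore_dir() {
    d=$(keystore_dir)
    [ -d "$d" ] || { echo "missing keystore directory: $d" >&2; return 1; }
    [ -n "$(ls -A "$d")" ] || { echo "keystore directory $d is empty" >&2; return 1; }
}

# Validate, then replace the shell with the real service. The password is
# passed by file path only; it never becomes an argument visible in "ps".
start_service() {
    check_password_file || return 1
    check_keystore_dir || return 1
    exec "${SNAP:?SNAP is not set; run inside the snap}/bin/foobar-bin" \
        --password-filename "$(password_file)" \
        --keystore-path "$(keystore_dir)"
}

# "foobar-launcher start" launches; sourcing the file without arguments only
# defines the functions, which is what the checks below rely on.
if [ "${1:-}" = "start" ]; then
    start_service
fi
```

In snapcraft.yaml the daemon’s command would point at this script (for example `command: bin/foobar-launcher start`), and the post-install step for the operator is to copy the password file and keystore into /var/snap/<snapname>/common/ with the permissions the checks demand. The ownership and mode checks are the part worth keeping even if the layout differs: a world-readable password file under $SNAP_COMMON is readable by every unconfined process on the host, and the wrapper makes that a startup failure rather than a silent exposure.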