Linqpad encrypted passwords in shared scripts best practice?
My team has a common git repo where we have a linqpad portable deployment setup (subfolders for queries/plugins, a ConnectionsV2.xml, etc
It works great except for sql auth since the encrypted passwords stored in the scripts are specific to the user/machine that last updated it (per FAQ, it's using the Windows Data Protection API).
One possible but less than ideal workaround is modifying the "Additional connection string parameters" to specifically add "Password=foo", but that means the cleartext password has to be checked in.
Is there a way to prevent different people from overwriting each other's encrypted passwords? Maybe store an array and each user gets an entry that's keyed to them for DPAPI needs (hash of sid? no idea)
@nescafe posted a script in https://forum.linqpad.net/discussion/311/copy-linq-files-to-another-computer to decrypt a connections file and then we could encrypt it on a target machine, but that's still mainly targeting each user keeping their own connections file.
Even trying to .gitignore the ConnectionsV2.xml (which I'd rather avoid, it's a very useful file to have checked in and availble) seems like it wouldn't be sufficient since the passwords in the script themselves would still be present.
FWIW some of the usage scenarios include machines that clone/pull the repo and then have a scheduled task to lprun, but one-time connection setups for such scenarios would be fine if possible.
Thanks!
It works great except for sql auth since the encrypted passwords stored in the scripts are specific to the user/machine that last updated it (per FAQ, it's using the Windows Data Protection API).
One possible but less than ideal workaround is modifying the "Additional connection string parameters" to specifically add "Password=foo", but that means the cleartext password has to be checked in.
Is there a way to prevent different people from overwriting each other's encrypted passwords? Maybe store an array and each user gets an entry that's keyed to them for DPAPI needs (hash of sid? no idea)
@nescafe posted a script in https://forum.linqpad.net/discussion/311/copy-linq-files-to-another-computer to decrypt a connections file and then we could encrypt it on a target machine, but that's still mainly targeting each user keeping their own connections file.
Even trying to .gitignore the ConnectionsV2.xml (which I'd rather avoid, it's a very useful file to have checked in and availble) seems like it wouldn't be sufficient since the passwords in the script themselves would still be present.
FWIW some of the usage scenarios include machines that clone/pull the repo and then have a scheduled task to lprun, but one-time connection setups for such scenarios would be fine if possible.
Thanks!
Comments
LINQPad should probably store another copy of the username and password in a separate local file when the connections file is portablized.