Secure storage of passwords and auth tokens
The authentication credentials for providers and the API keys for Radarr and Sonarr are stored in plain text. This is a critical security flaw and a very dangerous thing because it can compromise the security of multiple systems.
All credentials should be stored encrypted using a secure key, a certificate, or some sort of private key that is only known by the Bazarr installation instance.
Comments: 1
04 May, '21
Topper (Admin): Even if I agree that, in general, passwords and tokens should be encrypted at rest, it's not something I plan to do. You should make sure to secure your config directory properly and it should be enough. I can't keep a private key or cert as I need to store it for decryption and an attacker would have access to it and decrypt your password... no gain. As Python isn't compiled, there's no place to store an encryption key in the code that is more secure than your config directory.
If you have an idea how to do it, I'm open to PR.
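As an added illustration of the "secure your config directory properly" advice above (example code written for this page, not Bazarr's own), a small Python audit that flags a config directory or config file that is readable by group/other, not owned by the running user, or replaced by a symlink; the `bazarr-config` directory layout and the `config.ini` filename are assumptions, and the API key value is a constructed placeholder.

```python
import os
import stat
import tempfile
from pathlib import Path

# Any of these bits on the config directory or file means another local
# account can read (or alter) the stored provider passwords and API keys.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_config_dir(config_dir, config_name="config.ini"):
    """Return a list of findings; an empty list means the directory is locked down."""
    findings = []
    uid = os.geteuid()
    directory = Path(config_dir)
    for path in (directory, directory / config_name):
        if not path.exists():
            findings.append(f"{path}: missing")
            continue
        st = path.lstat()  # lstat: a symlink planted in place of the file must not be followed
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{path}: is a symlink")
            continue
        if st.st_uid != uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, not the running uid {uid}")
        mode = stat.S_IMODE(st.st_mode)
        leaked = mode & GROUP_OTHER_BITS
        if leaked:
            findings.append(f"{path}: mode {mode:04o} grants group/other {leaked:04o}")
    return findings


def make_demo_config(base, name, dir_mode, file_mode, config_name="config.ini"):
    """Create a constructed sample config directory with the given modes (assumed layout)."""
    directory = Path(base) / name
    directory.mkdir()
    cfg = directory / config_name
    cfg.write_text("[sonarr]\napikey = PLACEHOLDER_API_KEY\n")  # constructed sample, not a real key
    os.chmod(cfg, file_mode)      # chmod explicitly so the process umask does not matter
    os.chmod(directory, dir_mode)
    return directory


def demo():
    """Audit a world-readable layout and a locked-down one; return both finding lists."""
    with tempfile.TemporaryDirectory() as tmp:
        loose = audit_config_dir(make_demo_config(tmp, "loose", 0o755, 0o644))
        tight = audit_config_dir(make_demo_config(tmp, "tight", 0o700, 0o600))
    return loose, tight


if __name__ == "__main__":
    loose_findings, tight_findings = demo()
    print("world-readable layout:", *loose_findings, sep="\n  ")
    print("locked-down layout:", tight_findings)
```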