Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ShareConfig Functionality for Secure Configuration Sharing to Bitwarden Self-Hosted (Bash) #228

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Add ShareConfig Functionality for Secure Configuration Sharing to Bitwarden Self-Hosted (Bash) #228

wants to merge 5 commits into from
+36 −0

Conversation

fer
Copy link
Contributor

@fer fer commented Mar 11, 2024

Description

Introduces the shareconfig functionality to the Bitwarden self-hosted setup script, enabling administrators to securely share their Bitwarden configuration files. The shareconfig command sanitizes sensitive information by redacting values associated with passwords and secrets before compressing the configuration files into a tar.gz archive. This ensures that critical information remains secure when configuration files need to be shared for troubleshooting or auditing purposes.

Features

  • Redacts sensitive information, including passwords and secret keys, in .conf, .env, .xml, and .yml files within the Bitwarden configuration directory.
  • Maintains the original directory structure in the compressed archive.
  • Generates a tar.gz archive of the sanitized configuration files, ready for secure sharing with support teams or for audit purposes.

Usage examples

To use this functionality, run the following command from the Bitwarden self-hosted script directory:

./bitwarden.sh shareconfig

This will generate a file named bitwarden-configs-redacted-<timestamp>.tar.gz in the current directory.

Testing

Please review this PR for inclusion in the next release of Bitwarden self-hosted. Your feedback and suggestions are welcome!

@bitwarden-bot
Copy link

Logo
Checkmarx One – Scan Summary & Detailsb2e1443f-e55d-46e8-b96b-a697bfa00ff9

No New Or Fixed Issues Found

@vgrassia
Copy link
Member

How do we make sure that secrets added to new and existing environment files are redacted?

@fer
Copy link
Contributor Author

fer commented Mar 13, 2024

How do we make sure that secrets added to new and existing environment files are redacted?

Thank you for bring this up. To ensure the dynamic redaction of secrets from .env files and others, we could enhance the shareconfig function with a more comprehensive and adaptable regex pattern matching system.

\b(?:PASSWORD|SECRET|KEY|TOKEN)\s*=\s*.+
\b(?:PASSWORD|SECRET|KEY|TOKEN)\s*:\s*.+

But still these patterns would be to catch common ways, they wouldn't cover still new situations. Open to new suggestions to investigate.

@keithhubner
Copy link
Contributor

As discussed, we should put a disclaimer on the script stating the files and values we have masked and that the user to verify there are no additional config files that container secrets. This ensures they are agreeing that there might be secrets that are still shared.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@fer @bitwarden-bot @vgrassia @keithhubner