Scenario:
- A web application (RoR 3.2) needs to talk with a remote web service (SOAP, using Savon gem).
- The web service requires username and password.
- Communication is SOAP, traffic is through a VPN (no SSL for SOAP).
- I need to store the password that the remote Web Service Admin gives me.
- The web service admin requires that I store the password in a secure way.
- When my web server calls the web service I need to use the original password in clear.
- Bcrypt is the best way to store passwords, but it is “one way”.
- I cannot send the encrypted password, I need a way to decrypt it in order to be able to send it to the web service.
This seems to be a “chicken-and-egg” problem.
Is there a way to securely store a password and be able to decrypt it for use in an automated service?
Any hint?
If the encrypted information needs to be sent as plain text how about using a strong reversible cipher, this is probably what the Web Service Admin meant.
You can add other info as a salt (using anything that’s well-known to you and can be applied algorythmically, say, a name) before encrypting using (for example) AES encryption.
Then you can store the encrypted password in a location of you choice.