Database Security vulnerability

[amitaverma82]

I am using Ory Hydra. For security purpose we dont want to give Database password in plain text in hydra-config.yml. Is there any way to pass database as encrypted password?

[vinckr]

Hello @amitaverma82

There are a couple of solutions you could consider :

• Kubernetes Secrets: If you're deploying Ory Hydra on Kubernetes, you can use Kubernetes Secrets to securely store and manage sensitive information like your database password. You can then reference these secrets in your Helm chart configuration when installing Ory Hydra. Here's an example of how to create a secret and use it in your Helm chart:

kubectl create secret generic my-secure-secret --from-literal=dsn=postgres://foo:bar@baz:1234/db
helm install \
 ...
 --set 'hydra.existingSecret=my-secure-secret' \
 ...
 ory/hydra

(Source: Ory Documentation)

• Environment Variables: Another approach could be to use environment variables to store your database password. This way, you're not hardcoding the password directly in your configuration file. Here's an example of how to set an environment variable and use it in your Docker command:

export DSN=postgres://hydra:secret@ory-hydra-example--postgres:5432/hydra?sslmode=disable
docker run -it --rm \
 --network hydraguide \
 oryd/hydra:v1.10.6 \
 migrate sql --yes $DSN

(Source: Ory Documentation)

Remember to always store your secrets securely and avoid exposing them in your logs or version control systems.