Encrypting passes for accounts stored in databases

Scenario:

CyberArk setup with a CentOS server that's running MySQL. On the CentOS server I have a table sys.tblUsers:

ID - PK
Username - varchar
Password - varchar

I use ID as my primary key and am able to use DBString Service Account Platform and can successfully update my password for the 2nd record in my table.

The passwords are all plain text at the moment but I need to apply an encryption method to the record before saving it to the table.

If I am able to call a script method for the encryption (whatever it is) then I can modify the pass before saving it in mysql.

I have seen the ChangeCommand on the platform but I do not know the syntax or how to call a method and save the output using it.

Anyone done something similar or have some examples?

In Cookies I trust.

The ChangeCommand is the database-specific command to change an account’s password. You cannot execute scripts from the field.

You can reach out via Support Case and request our Extensions team modify the current CPM plugin your platform uses to the method or procedure you’d like customized. This will cost Professional Services hours to do, however.

This is the only way I know to accomplish what you’re asking.

Thanks for the feedback, Joe. As you can imagine, we want to avoid Professional Services purely because of the costs involved.

What if I have a script that does the encryption on the server and updates the password in the table for me? Then I could make an account and just call the script from a password change, could I not?

The problem is the mechanism that triggers that external script to kick off. We do not have a way of doing that.

We have encryption-as-a-service on our Conjur roadmap. I could foresee us being able to encrypt/decrypt “on-the-fly” through that service, but until that’s implemented, CyberArk’s Extensions team is really the only route I’m aware of at this time.

Allo allo, how goes?

I have an update from one of the CA guys, Finian:

Encrypt passwords: Passwords stored in configuration files can be encrypted using an external command.

Encrypt Passwords in Configuration Files:

  1. In the Platform Management page, select Service Account Platforms.
  2. Select the platform that will manage the service account, and click Edit; the service account settings page appears.
  3. Display the Additional Policy Settings, and specify the following parameters:
    ■ Encryption Command – The full path of the encryption command that will encrypt the password. The encryption file can be stored in any location on the CPM machine.
    ■ This command sends the current password as its parameter. For example, if you specify "C:\Program Files (x86)\CyberArk\Password Manager\bin\EncExe", the actual command would be "C:\Program Files (x86)\CyberArk\Password Manager\bin\EncExe ", and the output would be the new encrypted password. If the current password parameter is empty, the original new password will be inserted in the file.
    ■ Encryption Regex - The regex parameter that handles the output of the Encryption Command parameter. If this parameter is not defined, it will behave as if "(.*)" has been specified. This parameter is only relevant when the Encryption Command parameter is defined.

The encryption executable needs to be able to take the password from the command line as it is run and output the encrypted password.

If you specify "C:\Program Files (x86)\CyberArk\Password Manager\bin\EncExe", the actual command would be "C:\Program Files (x86)\CyberArk\Password Manager\bin\EncExe "

Example:
PS C:\Program Files (x86)\CyberArk\Password Manager\bin> .\EncExe

bxtfOGLDK8Q7c6IN4QaXtfNPpFYgJz9xi/NJyY5rOq8=

PS C:\Program Files (x86)\CyberArk\Password Manager\bin>

This leads me to believe I can do this and have a powershell script that takes an argument, modifies it, then spits out the modified string:

# Takes the password as the first positional argument (prompts if none is given).
param([Parameter(Position=0)]$pass = $( Read-Host "Input password, please" ))
# Placeholder "encryption": append a marker to prove the argument round-trips.
$encrypted_pass = [string]$pass + "_1"
# Write-Output puts the result on stdout, which is what a caller capturing the command's output reads.
Write-Output $encrypted_pass

This would be the command and output from powershell:

PS C:\Users\James> .\encrypt.ps1 test
test_1

So now I need to test if I can call that from the CPM server in the PVWA. I am led to believe from the CA team that this can be done; I kinda need it, as storing plaintext passwords in DBs is a big no-no.

Just an update: I have added it to the encryption method as a .ps1 and tried to use the encryption, but it does not work. I have asked for assistance and will update with what I get.
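The documented hook above has a simple contract: the Encryption Command receives the new password as its only argument and whatever it prints is matched by the Encryption Regex (default "(.*)") and written out as the encrypted value. The following is an added example of a script that satisfies that contract; it is not code from this thread, from CyberArk, or from the DBString platform. It assumes AES-256-CBC with a fresh random IV per password, a 32-byte key held in a file that only the CPM service account can read, an output format of base64(IV || ciphertext) (the same shape as the EncExe output shown earlier), and that the platform invokes it via powershell.exe -NoProfile -ExecutionPolicy Bypass -File encrypt.ps1 <password>. The key path and the invocation form are assumptions, not something the page confirms.

```powershell
# Added example (not from the thread or from CyberArk): an Encryption Command
# script for the "Encrypt Passwords in Configuration Files" hook. Reads the new
# password from its first argument, prints exactly one line (the encrypted value)
# to stdout so the default Encryption Regex "(.*)" captures it.
#
# Assumptions: AES-256-CBC, random IV per call, key = 32 raw bytes in a file
# readable only by the CPM service account. The default key path below is made up.
param(
    [Parameter(Position = 0)][string]$Password,
    [string]$KeyPath = 'C:\Program Files (x86)\CyberArk\Password Manager\bin\dbpass.key'  # assumed path
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Fail loudly rather than prompt: a prompt would hang a non-interactive CPM run.
if ([string]::IsNullOrEmpty($Password)) { throw 'No password argument supplied.' }

function Get-EncryptionKey {
    param([string]$Path)
    $key = [System.IO.File]::ReadAllBytes($Path)
    if ($key.Length -ne 32) { throw "Key file must hold exactly 32 bytes (AES-256); got $($key.Length)." }
    return $key
}

function Protect-Password {
    param([string]$PlainText, [byte[]]$Key)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.KeySize = 256
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = $Key
        $aes.GenerateIV()                       # never reuse an IV under the same key
        $enc   = $aes.CreateEncryptor()
        $plain = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
        $ct    = $enc.TransformFinalBlock($plain, 0, $plain.Length)
        # IV is prepended so the consumer can decrypt with only the key.
        return [Convert]::ToBase64String([byte[]]($aes.IV + $ct))
    } finally { $aes.Dispose() }
}

function Unprotect-Password {
    param([string]$Token, [byte[]]$Key)
    $bytes = [Convert]::FromBase64String($Token)
    if ($bytes.Length -lt 32) { throw 'Token too short to contain an IV and one cipher block.' }
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = $Key
        $aes.IV      = [byte[]]$bytes[0..15]
        $dec = $aes.CreateDecryptor()
        $pt  = $dec.TransformFinalBlock($bytes, 16, $bytes.Length - 16)
        return [System.Text.Encoding]::UTF8.GetString($pt)
    } finally { $aes.Dispose() }
}

$key   = Get-EncryptionKey -Path $KeyPath
$token = Protect-Password -PlainText $Password -Key $key

# Round-trip before emitting: writing a value nobody can decrypt locks the account out.
if ((Unprotect-Password -Token $token -Key $key) -ne $Password) { throw 'Round-trip check failed.' }

# Exactly one line on stdout; the CPM stores this as the encrypted password.
Write-Output $token
```

Two caveats a practitioner would check before relying on this. First, whatever reads sys.tblUsers on the MySQL side has to hold the same key and decrypt with the same layout (first 16 bytes IV, remainder ciphertext), so the scheme is only as strong as the ACLs on the key file at both ends. Second, the documented mechanism passes the password on the command line, so a password containing characters the shell treats specially (quotes, `$`, backticks) may arrive mangled; either constrain the platform's password policy accordingly or confirm the round trip on such values in a test vault before enabling it on the live platform.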