Options for encrypted configuration values with erlsrv.exe

Luke Bakken luke@REDACTED
Tue Jan 19 16:26:08 CET 2021


Hi Joseph,

As far as I know there is no out-of-the-box solution for this since,
in general, non-encrypted certs are used for TLS-enabled distributed
Erlang or the password is specified in the ssl_dist_optfile file.

If a solution did exist for retrieving the password to decrypt the
certs how would it work? You would have to have some sort of
credential stored locally.

A better solution would be to add support for the Windows cert store
to the Erlang VM but I know of no plans to do so.

Thanks -
Luke

On Mon, Jan 18, 2021 at 12:10 AM Joseph L. Casale
<jcasale@REDACTED> wrote:
>
> Hello,
> I am using erlsrv.exe on Windows to run RabbitMQ as a service. The broker is
> configured to only expose TCP services through TLS. As a result the CA, certificate,
> private key and its password are specified in the file passed to the ssl_dist_optfile
> parameter.
>
> In reading the docs, I see the options are to encrypt it with a passphrase and either
> include the passphrase directly or through a file, or via stdin.
>
> Does Erlang provide a facility to execute a script in order to obtain the password
> or passphrase when starting? Even with physical security, this will be a challenge
> without an additional level of security.
>
> Thanks,
> jlc

