https://github.com/jlpdeveloper/liquibase-security
Powershell module to keep secrets in keepass
- Host: GitHub
- URL: https://github.com/jlpdeveloper/liquibase-security
- Owner: jlpdeveloper
- License: bsd-3-clause
- Created: 2024-03-30T01:12:11.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2024-04-02T00:45:20.000Z (about 2 years ago)
- Last Synced: 2024-04-02T01:26:59.076Z (about 2 years ago)
- Topics: keepass2, liquibase, security
- Language: PowerShell
- Homepage:
- Size: 356 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: readme.md
- License: LICENSE
README
# Liquibase Security PowerShell Module
## Description
This project was developed to eliminate the security issue of having usernames and passwords in a Liquibase properties file. It does so by storing that information in a [KeePass 2](https://keepass.info/download.html) database: the module's commands record where your KeePass database is and load the username, password, and URL from that database into Liquibase command environment variables.
## Setup
- Download KeePass 2
- Set up a new database named Liquibase
  - File -> New
  - Select the location for the database file. This will open the "Create Composite Key" dialog
  - Uncheck the master password option
  - Check the "Show Expert Options" option
  - Set the Authentication Method to "Windows Account"
- Add an `Environments` group
- Add an entry with a title corresponding to each environment. The URL should be the JDBC URL that you would use in the Liquibase properties file
At this point you should have a database that looks like the following:

*Note*: if you use the same base connection information for different databases, replace your database name with `{{liquibase-database}}` in the KeePass entry. Add a line to the bottom of your liquibase.properties file like this:
```properties
liquibase.database=your-database-name
```
*Note*: you may now specify a KeePass subpath in the liquibase.properties file. For example, if your secret is in `Liquibase/Environments/MySql`, you can specify the following to make it use that path:
```properties
liquibase.secret.subpath=MySql
```
- Import the module into your PowerShell instance (I personally use an import in my profile)
- For first-time setup, run the following command:
```powershell
SetupKeePass C:\path\to\keepass.kdbx
```
## Usage
To switch environments, use the `LBSwitchEnvironments` command:
```powershell
LBSwitchEnvironments local
```
To view what environment you are in, use the `LBGetEnvironment` command.

To clear the environment, use the `LBClearEnvironment` command.
## Important Notes
- This requires the Database Name to be `Liquibase` and the Entry Group to be named `Environments`. If the KeePass database isn't set up exactly this way, this will not work!
- This will require you to be extra careful in checking which environment you are in
- Your liquibase.properties file should only require:
  - your changelog file
  - your database name
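
An added example (not part of the module or its README): a PowerShell check that a liquibase.properties file holds no connection secrets, which also shows how the `liquibase.database` and `liquibase.secret.subpath` settings described above would resolve. `Test-LiquibaseProperties`, the sample lines, and the JDBC URL are constructed for illustration; the path and placeholder handling follow this README's description, not the module's source.

```powershell
# Added example; Test-LiquibaseProperties is a hypothetical helper, not module code.
function Test-LiquibaseProperties {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string]$UrlTemplate   # URL field of the KeePass entry
    )
    # Keys that carry connection secrets, bare or with the liquibase.command. prefix.
    $secretKeys = 'username', 'password', 'url'
    $props = @{}
    $leaked = @()
    foreach ($line in $Lines) {
        $text = $line.Trim()
        # Skip blank lines and .properties comments (# or !).
        if ($text -eq '' -or $text -match '^[#!]') { continue }
        # Split on the first '=' or ':' only, since values may contain both.
        if ($text -match '^([^=:\s]+)\s*[=:]\s*(.*)$') {
            $key = $Matches[1]
            $props[$key] = $Matches[2]
            $short = $key -replace '^liquibase\.command\.', ''
            if ($secretKeys -contains $short) { $leaked += $key }  # key only, never the value
        }
    }
    # Root path is fixed by the README; the subpath is optional.
    $path = 'Liquibase/Environments'
    if ($props['liquibase.secret.subpath']) {
        $path = "$path/$($props['liquibase.secret.subpath'])"
    }
    # Literal (non-regex) substitution of the database-name placeholder.
    $url = $UrlTemplate
    if ($props['liquibase.database']) {
        $url = $UrlTemplate.Replace('{{liquibase-database}}', $props['liquibase.database'])
    }
    [pscustomobject]@{
        CredentialKeys = $leaked
        KeePassPath    = $path
        ResolvedUrl    = $url
    }
}

# Constructed sample input: the last line is a secret that should not be in the file.
$sample = @(
    'changeLogFile=changelog.xml',
    'liquibase.database=orders',
    'liquibase.secret.subpath=MySql',
    'liquibase.command.password=not-a-real-password'
)
$result = Test-LiquibaseProperties -Lines $sample -UrlTemplate 'jdbc:mysql://db.example.internal:3306/{{liquibase-database}}'
$result | Format-List
if ($result.CredentialKeys.Count -gt 0) { Write-Warning "Secrets found in properties file: $($result.CredentialKeys -join ', ')" }
```

The check reports only the offending key names, so its output is safe to keep in CI logs or a pre-commit hook.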
## Release Notes
### *V1.1.0*
- Added `liquibase.secret.subpath` as an option to add to liquibase properties to expand where to put the secrets in KeePass (`Liquibase/Environments` is still required as root)
- Reworked the code for the database name templating since that code is similar to secret subpath code