If these passwords are required for system operation, then they must be available in the original (or equivalent) format for this system, either on disk or in memory. 100% protection is therefore impossible, but you can take some steps to limit your access.
First, make a list of who you trust and whom you do not trust:
- Who has physical access to the server, who owns the root password, and who accesses the account that owns this settings file, you need to trust them - there is nothing that you you can do to prevent them from accessing the file;
- If you do not trust other server users, securing the file with
chmod
is a means of limiting your access (this is a good thing to do anyway). I suggest 600
- the owner can read and write, the group and the others can not do anything.
- If you trust the operators, but want to avoid their accidental access to the data (eg, they have opened it to solve a problem, and have eventually seen the password), you may want to code them somehow, for example on base64.
- In all cases, keep this file inaccessible via the internet - either outside the root of your website / application, or be protected with access controls (eg
.htaccess
). >
Finally, an option for more "paranoid" cases (which may be necessary in case of extremely sensitive data, but most of the time is exaggeration) is to encrypt such sensitive data, requiring a password for its decryption. So by giving the boot on the system, the operator would enter this password, which would decipher the other data and store it in memory only - and preferably in a memory region that does not suffer swap . The obvious disadvantage of this approach is that if the server needs to be restarted the password will have to be supplied again - causing loss of availability if the authorized operator is not present.
A middle ground would be to use a hardware module to do this decryption, so the trust requirements boil down to those who have physical access to the machine (ie not even root ) could decrypt sensitive data ). It remains however the possibility of the root user to use a process to read the memory of another, but I do not know how feasible / likely this scenario is.