After doing some reading I have come up with the following points:Foreman has two types of passwords.
- passwords used to access a resource (Type A)
- passwords that are used for authentication (Type B)
Type A would be used for things like hypervisor and BMC credentials. While Type B are used for user login passwords to Foreman.
With Type A we need to be able to access the actual password (plaintext) while Type B is easier in that we only need to compare two computed hash strings.
Type B is easy to solve by using a library such as Bcrypt.
Type A on the other hand is more difficult because we would need to store a key or "master password" that unlocks all the Type A passwords. One theory is to store a master password using bcrypt that would be unlocked via the user or by magically computing via a crafty algorithm that uses the OS attributes to unlock the passwords without user interaction.
Bcrypt-ruby sounds like the best way to handle sensitive data with Type B passwords.
Bcrypt would allow us to secure sensitive data without having to worry about any keys to keep track of.
1. Generate the salt
2. compute the hash with the password and salt
3. Store the hash
4. store the salt in plaintext