<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Thanks for pointing this project out, Sherif. <a
      moz-do-not-send="true" href="https://www.vaultproject.io/"><a class="moz-txt-link-freetext" href="https://www.vaultproject.io/">https://www.vaultproject.io/</a></a>
    looks heavy duty (you need to install a binary on your server, etc)
    and in-depth way to achieve the goal of encrypting configuration
    data.<br>
    <br>
    I do not know of many software frameworks that provide this
    capability out of the box other than .NET where you can encrypt
    sections of your Web.config file using DPAPI. If you know of other
    solutions to this problem I'd love to hear about it.<br>
    <br>
    Aloha,<br>
    Jim<br>
    <br>
    <div class="moz-cite-prefix">On 2/21/16 2:13 PM, Sherif Mansour
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAMJg_ps8VHSqgdFybpwmFjvANaB-w+JGd8RYn_w+dgz74sQ3Qg@mail.gmail.com"
      type="cite">
      <div dir="ltr">Thanks Jim,
        <div><br>
        </div>
        <div>On the related topic of storing application credentials
          (i.e. how to store the credentials/tokens an application uses
          to authenticate to datastores and other apps etc..), has
          anyone investigated¬†<a moz-do-not-send="true"
            href="https://www.vaultproject.io/">https://www.vaultproject.io/</a>
          ? and if so what were your thoughts on it?</div>
        <div><br>
        </div>
        <div>Kind regard</div>
        <div>Sherif Mansour</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Sun, Feb 21, 2016 at 7:18 PM, Jim
          Manico <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> Hello folks,<br>
              <br>
              I made a significant update to the password storage
              cheatsheet (hat tip to John Steven) to mention the winner
              of the password hashing competition, <b>Argon2</b>. <br>
              <br>
              <a moz-do-not-send="true"
href="https://www.owasp.org/index.php?title=Password_Storage_Cheat_Sheet&diff=209303&oldid=203402"
                target="_blank">https://www.owasp.org/index.php?title=Password_Storage_Cheat_Sheet&diff=209303&oldid=203402</a><br>
              <br>
              This is a fairly significant change beyond the standard
              recommendations of using a salted PBKDF2, bcrypt or scrypt
              - or HMAC's at scale.¬† <br>
              <br>
              If you're into this sort of thing, check out <a
                moz-do-not-send="true"
                href="https://password-hashing.net/argon2-specs.pdf"
                target="_blank"><a class="moz-txt-link-freetext" href="https://password-hashing.net/argon2-specs.pdf">https://password-hashing.net/argon2-specs.pdf</a></a>.
              Various crypto libraries are working on production class
              implementations now, and should be ready sometime in
              2016/17. Worth putting on your radar.<br>
              <br>
              Aloha,<br>
              Jim Manico<br>
            </div>
            <br>
            _______________________________________________<br>
            OWASP-Leaders mailing list<br>
            <a moz-do-not-send="true"
              href="mailto:OWASP-Leaders@lists.owasp.org">OWASP-Leaders@lists.owasp.org</a><br>
            <a moz-do-not-send="true"
              href="https://lists.owasp.org/mailman/listinfo/owasp-leaders"
              rel="noreferrer" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </body>
</html>