Securing db_clients and redis_clients Parameters via Encrypted config.json

[ericjansen]

Hi Drogon team,

In the website I'm currently developing with Drogon, I'm aiming to enhance security by encrypting the contents of config.json, particularly the parameters for db_clients and redis_clients. My goal is to decrypt the file at runtime and pass the decrypted content as input to loadConfigFile() so that the file remains unreadable in its stored form.

I’ve successfully implemented this approach for custom_config. However, I’ve noticed that db_clients and redis_clients appear to be handled differently, as they are set within the load() function in src/ConfigLoader.cc:

void ConfigLoader::load()
{
    // std::cout<<configJsonRoot_<<std::endl;
    loadApp(configJsonRoot_["app"]);
    loadSSL(configJsonRoot_["ssl"]);
    loadListeners(configJsonRoot_["listeners"]);
    loadDbClients(configJsonRoot_["db_clients"]);
    loadRedisClients(configJsonRoot_["redis_clients"]);
}

Could you please advise on the best way to securely load encrypted values for db_clients and redis_clients, or whether there's a recommended hook or method to inject these values after decryption? Alternatively, could you help create a new function to support this use case—specifically, one that accepts a decrypted JSON object and applies the same configuration logic as load()?

Thank you in advance for your support.

Best regards,
Eric

[ericjansen]

@an-tao @marty1885

[an-tao]

 /// Load the configuration from a Json::Value Object.
    /**
     * @param data Json::Value Object containing the configuration.
     * @note Please refer to the configuration file for the content of the json
     * object.
     */
    virtual HttpAppFramework &loadConfigJson(const Json::Value &data) noexcept(
        false) = 0;

[ericjansen]

@an-tao thanks. I forgot about this abstract class.

[ericjansen]

Hi @an-tao,

It seems you imply me to override all functions of HttpAppFramework like HttpAppFrameworkImpl class. Do you have other better idea?
Thank you.

[an-tao]

I don't think you need to override all the functions. Just decrypt the configuration file into a plaintext string, convert it into a JSON object, and then call the loadConfigJson function.