Encrypting password in multichain.conf file

+2 votes
Hi,

We are evaluating the MultiChain product for a POC on blockchain and have a question. Currently, I guess the rpcpassword is stored as plain text in the multichain.conf file. This may not be a secure practice, as someone can read the file contents. Is there any support for using some means of encryption to encrypt the password and store the encrypted password in this file? So, when making the API call, the client would then have to use the same encryption key (e.g. AES) to encrypt the plaintext password first and then post the request?

Thanks,
asked Sep 14, 2017 by anonymous

1 Answer

0 votes

This is not currently supported in MultiChain, but it would be possible to add a feature whereby the RPC API password was not stored on disk in clear text. This could be done by storing a hash of it (like Unix passwd files) or having each individual API request signed using a public key cryptography algorithm, so that each API request effectively needed a different password. Please contact us if you need this in the short term.

answered Sep 14, 2017 by MultiChain
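The hash-on-disk option from the answer above, sketched as an added example; it is not MultiChain code, and MultiChain does not implement it. The `rpcpasswordhash` key, the entry format and the PBKDF2 parameters are assumptions, and the client is assumed to authenticate with HTTP Basic credentials.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune for the host


def make_entry(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2-sha256$iterations$salt_hex$hash_hex' for the conf file."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password, entry):
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = entry.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    except (ValueError, OverflowError):  # wrong field count, bad hex, bad count
        return False
    return hmac.compare_digest(digest, expected)


def basic_header(user, password):
    """Client side: build the Basic auth header value (password is sent as-is)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header, rpcuser, entry):
    """Server side: validate an Authorization header value against the entry."""
    kind, _, blob = header.partition(" ")
    if kind.lower() != "basic":
        return False
    try:
        user, sep, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # covers invalid base64 and invalid UTF-8
        return False
    user_ok = hmac.compare_digest(user.encode(), rpcuser.encode())
    return bool(sep) and verify(password, entry) and user_ok


if __name__ == "__main__":
    # 'rpcpasswordhash' is a hypothetical key; the password is a constructed sample.
    print("rpcpasswordhash=" + make_entry("s3cret-constructed"))
```

Because Basic auth still sends the plaintext password on every request, this protects only the copy at rest in the file; the SSL transport mentioned in the comments covers the wire.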
Hi,

Thank you for your prompt response. You guys are fast :). Yes, storing a hash value of the password does help. Could you share details if possible?

Also, I was thinking that if one needs to invoke the APIs remotely, it should also have transport layer security, considering that applications will currently invoke it over HTTP. Would you consider two-way SSL (client-cert-based authentication) as a feature to be included in a future roadmap release? Especially if you are planning an enterprise release?

Thanks,
Diwakar
The API already supports SSL (although we haven't documented this, you can look up the documentation for Bitcoin Core to see how it works).

As for storing the password as a hash, we haven't implemented this, so I'm afraid it would require poking around in the source code.
Thank you for a quick reply!
...