All your passwords, 2FA codes, digitally sovereign, “Made in EU” … in KNIME!

Hi Knimers,

At yesterday’s DataSummit in Munich we (DataNautics) published our first KNIME extension, which offers a free Community Tier too!

Why?

Because we …

  1. have our roots in this community
  2. strongly believe digital sovereignty is worth pursuing
  3. believe security can always be improved

We all carry our passwords, 2FA tokens, secure notes and more in our pockets, on our Android and Apple devices. We use the keychains seamlessly across all PCs, tablets, smart watches and browsers … and now in KNIME too :wrapped_gift:

How?

Using passbolt, an open source credential management tool made in the EU, we developed nodes that provide a seamless integration with KNIME. The passbolt extension “in a nutshell”:

  1. Passwords, TOTP, notes and Custom Fields (Key-Value Pairs)
  2. Digitally sovereign, centrally managed (Audits, Policies, Auto-Expire etc.)
  3. Interoperable: One keychain … Browser, Mobile + KNIME!
  4. Open Source made in EU … and much more

Get started

Any passbolt edition can be started with a few clicks, e.g. using Docker, on your hosting service of choice. However, for a limited time, we provide you access to our auto-deployment process to spin up a test instance free of charge in five minutes!

Get started by filling out this form. You will get:

  • 14-day free passbolt Business trial
  • A free test server within 5 minutes!
  • 30-day Pro trial of the passbolt KNIME extension

For the company input, you might just enter “N/A”.

Workflow Examples

To give everyone a head start we have also created example workflows:

We’d love to hear your feedback, the good, the bad and the ugly :wink: Please do not hold back! If you have any questions, do not hesitate to ask either.

Best, Mike
CTO @ DataNautics GmbH - Your KNIME-Experts
Contact: info@datanautics.net //
datanautics.net // +49(0)170-325 713 9 // Linkedin
Data automation for finance, production, IT and marketing processes with KNIME


Hi, do the credentials work with Python Script nodes?

I don’t think you can pass a Credential to a Python node.
I did see that you can add a Note to a resource in Passbolt and then retrieve this Note in String format with the Passbolt Get Note node.

I am not sure if this is a good idea though, security wise…

Hi @angel_g,

great idea. Especially because storing credentials in env files, or even worse as plain text hard-coded in the workflow, is just unnecessarily bad.

Whilst extraction of once-decrypted credentials from the heap can never be ruled out, the node port “Input object (pickled)” is comparably bad, as it appears to write plaintext to disk.

I checked the status quo of passbolt + Python and did some investigations. After some back and forth I concluded that the input object port is still viable to use. I have a beta node running but am still assessing it thoroughly. Will let you know once it’s ready to be shared.

Update

As promised, here is a new release, 0.1.3, with two major enhancements:

  1. Python Scripting Support for Passbolt Credentials

  2. Confidential Mode to force-purge credentials from the heap
    The goal is to allow stricter alignment with how passbolt limits credential access (short-lived tokens). After carefully evaluating the Python support, I concluded that this would be a welcome feature.

Requirements for Passbolt Python Scripting Support

The Credential to Python node in the knime-passbolt KNIME extension requires the companion Python package knime-passbolt-py to be installed in the KNIME-managed Python environment used by your Python Script nodes.

Install: pip install "knime-passbolt-py>=0.1.0"

The package provides the PassboltSecret object that Python Script nodes downstream of Credential to Python consume.

Source and issue tracker:

PyPI

Some high level details about the Confidential Mode

Credentials must exist as plaintext in memory at the moment a node consumes them. Under abnormal conditions (a JVM crash, an OS-level kill, an attacker-captured heap dump) the heap is not guaranteed to be zeroed as intended, leaving decrypted credential bytes recoverable from process memory.

On top of the existing zeroization discipline (defensive char copies, Arrays.fill on close, bundle-shutdown cleanup), Confidential Mode lets the user cap a credential’s residency time directly. When the configured TTL elapses after a node executes, the credential is securely wiped from memory.

Test Workflow

As before, here is a test workflow to extract the content of a password-protected Word and PDF file using Python. I

User: tset
Pass: drowssap

Best
Mike

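The Confidential Mode post above describes the discipline on the Java side (defensive char copies, Arrays.fill on close, and a TTL after which the credential is wiped). The block below is an added illustration of the same idea on the Python side, where the consumer lives; it is not code from the knime-passbolt extension or from the knime-passbolt-py package, and the class and method names (TtlSecret, use, wipe, residue) are hypothetical. It shows why the copy handed to Python must live in a mutable bytearray rather than a str or bytes (which cannot be zeroed in place), hands the secret to consumers only as a read-only memoryview so no immutable plaintext copy is created on their behalf, and wipes the buffer both on close and when a caller-chosen TTL elapses. The credential used in the demo is the test value from this thread.

```python
"""Added example (not the extension's code): TTL-bounded, zeroizable secret."""
import hashlib
import threading
import time
from typing import Callable, Optional, TypeVar

T = TypeVar("T")


class SecretWiped(RuntimeError):
    """Raised when a consumer asks for a credential after it was purged."""


class TtlSecret:
    """A credential held in process memory for a bounded time (hypothetical API).

    str and bytes are immutable, so they can never be overwritten; the value is
    copied into a bytearray once and the caller should drop its own reference.
    Consumers receive a read-only memoryview of that buffer, never a copy.
    """

    def __init__(self, secret: bytes, ttl_seconds: Optional[float] = None) -> None:
        self._buf = bytearray(secret)        # defensive, mutable copy
        self._lock = threading.Lock()        # serialises use() against wipe()
        self._wiped = False
        self._timer: Optional[threading.Timer] = None
        if ttl_seconds is not None:
            # Confidential-mode style TTL: purge even if nobody calls close().
            self._timer = threading.Timer(ttl_seconds, self.wipe)
            self._timer.daemon = True
            self._timer.start()

    def use(self, consumer: Callable[[memoryview], T]) -> T:
        """Run `consumer` on a read-only view of the secret while holding the lock."""
        with self._lock:
            if self._wiped:
                raise SecretWiped("credential already purged from memory")
            # The context manager releases the view when the consumer returns,
            # so no export of the buffer outlives the call.
            with memoryview(self._buf).toreadonly() as view:
                return consumer(view)

    def wipe(self) -> None:
        """Overwrite the buffer with zeros in place; idempotent, timer-safe."""
        with self._lock:
            if self._wiped:
                return
            # Same-length slice assignment writes into the existing allocation
            # (it does not reallocate), so even a leaked view now reads zeros.
            self._buf[:] = bytes(len(self._buf))
            self._wiped = True
        if self._timer is not None:
            self._timer.cancel()   # no-op if the timer itself called wipe()

    @property
    def wiped(self) -> bool:
        return self._wiped

    def residue(self) -> bytes:
        """Demonstration only: what is left in the buffer (should be all 0x00)."""
        return bytes(self._buf)

    def __enter__(self) -> "TtlSecret":
        return self

    def __exit__(self, *exc) -> None:
        self.wipe()


def demo(ttl_seconds: float = 0.2) -> dict:
    """Constructed walk-through using the thread's test password 'drowssap'."""
    secret = TtlSecret(b"drowssap", ttl_seconds=ttl_seconds)
    # A consumer that never materialises the plaintext: hash straight from the view.
    digest = secret.use(lambda v: hashlib.sha256(v).hexdigest())
    time.sleep(ttl_seconds * 3)            # let the TTL timer fire
    try:
        secret.use(len)
        late_access = "allowed"
    except SecretWiped:
        late_access = "refused"
    return {
        "digest": digest,
        "wiped": secret.wiped,
        "residue": secret.residue(),       # b"\x00" * 8 once purged
        "late_access": late_access,
    }


if __name__ == "__main__":
    print(demo())
```

The TTL bounds the residency of this one copy; it cannot retract copies made elsewhere, for example a `bytes(view)` inside a consumer, an interned str the caller kept, or anything pickled to disk through the “Input object (pickled)” port discussed above. That is the same limit the Java side acknowledges when it says heap extraction can never be fully ruled out.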