[rabbitmq-discuss] Securing RabbitMQ

Alexandru Scvorţov alexandru at rabbitmq.com
Sat Jan 28 17:11:56 GMT 2012


Hi Paul,

> Is there any in-built support for encrypting/decrypting the at-rest messages in the queue? I suppose that producer could encrypt and consumer decrypt. But I was hoping to avoid a "roll your own" approach.

No, there isn't any in-built RabbitMQ feature to encrypt at-rest
messages.  You'll have to roll your own.  As a rule, RabbitMQ does *not*
modify (or inspect) the contents of received messages.

If you use SSL on both the producer and consumer sides, the only way for
an attacker to get the messages would be to gain access to the machine
hosting RabbitMQ or to the network the RabbitMQ cluster is running on
(if there is a cluster).

So, are you planning against an attacker who has gotten his hands on an
offline machine with RabbitMQ on it?  I haven't tried, but I suppose you
could use an encrypted file system.  RabbitMQ stores messages and state
only in its mnesia database directory, so if you encrypt that, you
should be secure.

> I am trying to think about a rogue producer injecting meaningful messages into the queue, i.e., a message whose processing might return a valuable data resource. Then there's also the need to prevent someone from inspecting the queue with an eye to reverse-engineering message syntax.

I'm not quite sure I follow.  Could you elaborate?

Cheers,
Alex


On Sat, Jan 28, 2012 at 11:40:33AM -0500, Bell, Paul M. wrote:
> Hello again,
> 
> I have started reading http://www.rabbitmq.com/ssl.html, and it looks....reassuring. :)
> 
> Is there any in-built support for encrypting/decrypting the at-rest messages in the queue? I suppose that producer could encrypt and consumer decrypt. But I was hoping to avoid a "roll your own" approach.
> 
> I am trying to think about a rogue producer injecting meaningful messages into the queue, i.e., a message whose processing might return a valuable data resource. Then there's also the need to prevent someone from inspecting the queue with an eye to reverse-engineering message syntax.
> 
> Thanks.
> 
> -Paul



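Added example, not part of the original thread and not RabbitMQ code: a sketch of the "producer encrypts, consumer decrypts" approach discussed above, using AES-256-GCM from the Go standard library so the broker only ever stores ciphertext and a producer without the key cannot inject a body the consumer will accept. The names `NewAEAD`, `Seal` and `Open`, the routing keys, and the out-of-band shared key are assumptions for illustration; no broker connection is made.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewAEAD builds AES-256-GCM from a 32-byte key shared by producer and
// consumer out of band (assumption: the key never passes through the broker).
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the producer side. It returns nonce || ciphertext || tag, the bytes
// to publish as the message body. The routing key is bound as associated
// data, so a body copied onto another queue fails to open.
func Seal(aead cipher.AEAD, routingKey string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(routingKey)), nil
}

// Open is the consumer side. It returns an error for a body that is too
// short, was sealed under another key or routing key, or was altered.
func Open(aead cipher.AEAD, routingKey string, body []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(body) < n {
		return nil, errors.New("body shorter than nonce")
	}
	return aead.Open(nil, body[:n], body[n:], []byte(routingKey))
}

func main() {
	aead, _ := NewAEAD(make([]byte, 32)) // constructed all-zero demo key
	body, _ := Seal(aead, "orders", []byte(`{"op":"lookup","id":7}`))
	pt, err := Open(aead, "orders", body) // round trip on the right queue
	fmt.Printf("%s %v\n", pt, err)
	_, err = Open(aead, "billing", body) // replay under another routing key
	fmt.Println("replayed:", err)
}
```

The consumer should drop or dead-letter any delivery for which `Open` returns an error instead of processing it.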