Replies: 1 comment
Config.json must contain plain information unless an npm module says you can use encrypted passwords, etc. BUT if I remember, you can actually load the Config.json directly from a database on startup, so in a sense, you can encrypt the database data and still load the Config.json from the database, which is also encrypted! But it's along the lines that you still need a very basic Config.json so MeshCentral knows which database to load etc. and also what the encryption password etc. is, but during startup, it will then switch and load the full config.json from within that database! I will check and message back later once I remember how to do it.
I understand that the sensitive information inside of the database of the MeshCentral server can be encrypted using the instructions provided here: https://ylianst.github.io/MeshCentral/meshcentral/#database-record-encryption
However, is there already a way or can there be a way implemented where the passwords inside the config.json file for MeshCentral are encrypted?
I have recently been setting up a Duo2FA proxy for some other project and came across a feature they offer to do just what I'm asking.
https://duo.com/docs/authproxy-reference#encrypting-passwords
The link above explains how in their config file you can store "encrypted alternatives" for all passwords instead of plain text passwords by using their authproxy_passwd.exe tool. This would be great for the MeshCentral config.json file because if someone were to get access to the config.json file for MeshCentral they would not see any AMT Manager passwords, database encryption passwords, etc.
I understand that this would require a tool to hash the passwords and MeshCentral would then need to have support for decoding those encrypted passwords to be used, but I think it would be a great security feature to implement. Duo's "authproxy_passwd.exe tool" also has a feature where it can parse the config file and automatically encrypt any passwords found and update the field to reflect that it's an encrypted password instead of having to manually encrypt each password separately and paste it in. (It would be cool if you all could do that too :) )
Again, if the passwords in config.json for MeshCentral can already be converted from plain text to encrypted alternatives please let me know how to do that.
Thanks!
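The per-field encryption requested above, sketched as an added example; it is not MeshCentral's or Duo's code, and the `enc:v1:` marker, the field-name pattern, the sample field names and the passphrase source are all assumptions. The passphrase has to come from outside the file (an environment variable or OS secret store), otherwise anyone who can read config.json can also decrypt it.

```javascript
const crypto = require('node:crypto');

const PREFIX = 'enc:v1:';                 // hypothetical marker for an encrypted value
const SECRET_FIELD = /pass|secret|key$/i; // hypothetical rule for "this field is a secret"

// Derive a 256-bit key from a passphrase that is NOT stored in the config file.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// AES-256-GCM; stored value is PREFIX + base64(iv[12] | tag[16] | ciphertext).
function seal(plain, key) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plain, 'utf8'), c.final()]);
  return PREFIX + Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

// Throws if the key is wrong or the stored value was modified (GCM tag check).
function unseal(value, key) {
  const raw = Buffer.from(value.slice(PREFIX.length), 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}

// Walk the whole config tree and transform string values of secret-named fields.
function walk(node, key, encrypt) {
  if (Array.isArray(node)) return node.map((n) => walk(n, key, encrypt));
  if (node === null || typeof node !== 'object') return node;
  const out = {};
  for (const [name, value] of Object.entries(node)) {
    if (typeof value === 'string' && SECRET_FIELD.test(name)) {
      const sealed = value.startsWith(PREFIX);
      if (encrypt) out[name] = sealed ? value : seal(value, key); // skip already-sealed
      else out[name] = sealed ? unseal(value, key) : value;       // plaintext still accepted
    } else {
      out[name] = walk(value, key, encrypt);
    }
  }
  return out;
}

const encryptConfig = (cfg, key) => walk(cfg, key, true);   // the "tool" pass
const decryptConfig = (cfg, key) => walk(cfg, key, false);  // the server's load pass

// Constructed sample config; field names are illustrative only.
const sampleConfig = {
  settings: { port: 443, dbPassword: 'db-secret' },
  domains: { '': { title: 'Demo', amtAccounts: [{ user: 'admin', pass: 'amt-pass' }] } },
};
```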