Add information about using password manager to get tokens securely.
reuteras committed Nov 5, 2024
1 parent 5dabc02 commit 0ffca16
Showing 2 changed files with 10 additions and 2 deletions.
6 changes: 4 additions & 2 deletions README.md
Expand Up @@ -51,7 +51,7 @@ Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All

For more information about Windows Sandbox look at the Microsoft page [Windows Sandbox][wsa].

4. *GitHub classic token:* You also need a GitHub account to create a classic GitHub token. If you have a GitHub account you can create a token at [https://github.com/settings/tokens](https://github.com/settings/tokens). Select *Generate new token (classic)*. Give the token a name and change the default expiration. The token doesn't need any added rights.
4. *GitHub token:* You also need a GitHub account to create a GitHub token. If you have a GitHub account you can create a token at [https://github.com/settings/tokens](https://github.com/settings/tokens). Select *Generate new token (Fine grained or classic)*. Give the token a name and change the default expiration. The token doesn't need any added rights.
Remember to save the token in your password manager since you can't get the value again.

The token is needed to avoid problems with rate limiting on GitHub since most of the tools are downloaded from there and you will be blocked otherwise and the downloads will fail.
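
Review bot: In the rewritten step 4, "change the default expiration" does not say in which direction, and "Fine grained" does not match GitHub's spelling "Fine-grained". Since the text states that the token needs no added rights and is only there to avoid rate limiting, suggest recommending a short expiration explicitly and, for the fine-grained option, saying that no repository permissions need to be selected.
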
Expand Down Expand Up @@ -84,7 +84,9 @@ Copy the file *config.ps1.template* to *config.ps1*.
cp config.ps1.template config.ps1
```

The file *config.ps1* is used by the scripts to specify token for MaxMind and GitHub. If you prefer not to save the GitHub token in *config.ps1* file you can enter it manually when you run **downloadFiles.ps1**.
The file *config.ps1* is used by the scripts to specify token for MaxMind and GitHub. If you prefer not to save the GitHub token in *config.ps1* file you can enter it manually when you run **downloadFiles.ps1**. Another safer alternative is to use your password manager and enter the cli command to get the token from the password manager. Examples for 1Password are available in the file *config.ps1.template*.

```PowerShell
## Download tools and enrichment data
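
Review bot: The added sentence "enter the cli command to get the token from the password manager" does not say where the command is entered. Suggest stating that the command replaces the quoted value of the variable in *config.ps1*, that the password manager CLI has to be installed and unlocked on the host that runs **downloadFiles.ps1**, and writing "CLI" in capitals. "Another safer alternative" would read better as "A safer alternative", since the preceding sentence presents manual entry as a preference rather than as a safer option.
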
6 changes: 6 additions & 0 deletions config.ps1.template
@@ -1,15 +1,21 @@
# This file contains usernames and keys to download tools that should not be
# available in the sandbox or VM when doing analysis.
# You can use the `op` command to read the values from 1Password or similar tools
# for your password manager of choice.

# MaxMind GeoIP2 API key
$MAXMIND_LICENSE_KEY = "YOUR KEY"
# $MAXMIND_LICENSE_KEY = op read op://Private/MaxMind/api

# IPinfo.io API key
$IPINFO_API_KEY = "YOUR KEY"
# $IPINFO_API_KEY = op read op://Private/IPinfo/api

# GitHub API username and token
$GITHUB_USERNAME = "YOUR GITHUB USERNAME"
# $GITHUB_USERNAME = op read op://Private/github.com/username
$GITHUB_TOKEN = "YOUR GITHUB TOKEN"
# $GITHUB_TOKEN = op read op://Private/github.com/API-password

# Burp Suite edition
$BURP_SUITE_EDITION = "Community"
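
Review bot: The commented `op read` examples assign the command output directly, for instance `# $GITHUB_TOKEN = op read op://Private/github.com/API-password`, with nothing to catch a failed lookup. If `op` is not installed, not signed in, or the item path differs from the user's vault, the variable can end up empty and the problem only shows later when the downloads run. Suggest extending the header comment to tell users to adjust the `op://` vault and item paths to their own entries and to confirm the value is non-empty, or adding an empty-value check in the script that reads this file.
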