Questions tagged [secrets-management]
The secrets-management tag has no usage guidance.
70 questions
1 vote · 1 answer · 86 views
Root takeover attack on Kubernetes host despite Vault agent
HashiCorp Vault Agent creates a sidecar that talks to the Vault server and injects secrets as files into containers, where the files are located under /vault/secrets/.
"render all defined ...
0 votes · 0 answers · 40 views
Intercept calls to authenticated 3rd-party APIs, to automatically add auth keys?
Is this a good approach to preventing the leakage of secrets?
Say I had a simple setup where Alice holds the secret to access Bob, and Charlie has basic shell access to Alice (with a different auth ...
1 vote · 1 answer · 39 views
Do credential stores have added value for API key protection on an unsupervised system? If so, how?
I have recently been thinking deeply about the most secure ways to store credentials (like API keys) for use by unsupervised programs running on unsupervised servers. I have such systems and would ...
0 votes · 0 answers · 40 views
Can non-rotatable secrets be stored in ciphertext form in a DB/file/etc.?
We have a service running on AWS. This service uses secrets such as API keys of third party services (in other words: secrets which do not rotate automatically). These secrets are stored in AWS ...
2 votes · 2 answers · 187 views
Securely store password for API sessions
Scenario:
I have a PHP web application that needs to make an API call using a password provided by the user. I want to temporarily store this password so I can use it across multiple requests without ...
0 votes · 0 answers · 70 views
K8s Secrets Store CSI Driver
Please note this question is specifically to this CSI driver infrastructure and NOT to the K8s Secrets infrastructure.
Reviewing this implementation with regards to some enterprise work. The ...
0 votes · 1 answer · 205 views
Launch a process with secrets as environment variables
I have a process that needs secret keys to be passed as environment variables. That is for historical reasons.
I have an AWS machine where this process runs but I do not want to store these keys in ...
-1 votes · 1 answer · 164 views
How to use `docker secret` to prevent secrets from being seen in plain text by unauthorized individuals
I am exploring how to use docker secrets, but all the secrets are visible in plain text format to anyone who can use the docker command. How do I ensure all secrets are sufficiently protected and not ...
0 votes · 1 answer · 211 views
Wireguard client configuration file - confidential values
Given a Wireguard client configuration file, I guess some of the fields shouldn't be shared with just anyone, like the private key, right?
Is there any other field that should be treated as a ...
2 votes · 0 answers · 130 views
How are companies automatically rotating secrets such as API keys?
We currently rotate AWS-specific secrets via AWS Secrets Manager without much issue. However, we are looking to also rotate secrets e.g. API keys for specific services, but AWS Secrets Manager does ...
0 votes · 1 answer · 563 views
What does it mean to store secret keys as an "environment variable" as opposed to hardcoded in the source code?
I see why it is obviously bad to store a secret key and client ID in the source code for a web application. However, how do you go about the alternative? Surely, that information has to be stored ...
1 vote · 0 answers · 201 views
What's the tradeoff of storing a connection string vs the password as a secret?
This is for an app service + database I am pushing up to Azure. I am using Key Vault + Managed Identity for the secrets. I have several connection strings in the secrets to ApplicationInsights, etc.
...
2 votes · 1 answer · 2k views
Mounting secrets with proper access control in kubernetes pods
I am trying to mount a secret in the pod securely. I have created the secrets with defaultMode: 0400 and runAsUser:1000. However, when I am trying to access the secret in the container after doing exec ...
0 votes · 1 answer · 116 views
How to store ClientID and ClientSecret in a K8 Env
I am trying to integrate our service with SSO. I have generated the ClientID and ClientSecret.
Is it a good security practice to store the ClientID and ClientSecret as a configmap? If not, what are the ...
1 vote · 1 answer · 159 views
What Criteria Should We Use to Determine What is and isn't a Secret?
Background:
We have product development teams, where each team has one or two QA engineers. They run tests from their local machines. Here is what they require:
Application credentials (a clientId ...
1 vote · 1 answer · 187 views
Is it possible to authenticate a device with a server without the device knowing any sort of secret?
Pretty much what the title says. I have been playing around with discord webhooks lately and one problem I have discovered is that anyone with the webhook url/token can send messages. This means that ...
1 vote · 1 answer · 2k views
Sending secret API Keys via email
I'm a customer of a big KYC provider and am using their API. The process to authenticate at the API requires a secret key that they are sending to me by email. If I want to revoke the key and get a ...
0 votes · 0 answers · 196 views
In a web application, what would you consider the best way to store secret keys obtained via an SDK?
Currently I am working on an application that requires secret keys to encrypt and sign information generated by the client and transmitted over the wire; these keys are granted per user.
Currently when ...
1 vote · 1 answer · 214 views
Keeping customer secrets safe from sysadmins and devs in Kubernetes
I've spent a few weeks on GCP and GKE (Kubernetes) trying to figure out how to store customer secrets. The secrets are used by some application even when the user is not logged on so I want to ensure ...
0 votes · 0 answers · 27 views
Which is more secure: Certificate or Secret inside our Azure Active Directory App, and why? [duplicate]
Inside our Azure Active Directory, we have 2 options to secure our calls to the Active Directory App:
Secret
Certificate
Which option is more secure and why? Inside our applications which will be ...
0 votes · 2 answers · 1k views
What's the difference between secret and password managers?
Are there fundamental underlying differences in how secrets and passwords should be managed?
I'm curious what the technical/cryptographic differences between secret managers and password managers are. ...
1 vote · 1 answer · 255 views
Using AWS Systems Manager Parameter Store SecureString in config file in ec2
On an ec2 box I am running a service that reads vars from a config file. One var's value is stored in AWS Systems Manager as a SecureString. I want to use that value in the text file securely.
I can ...
1 vote · 1 answer · 566 views
How can I share web-platform credentials across multiple desktop apps on Windows?
I have two desktop apps; each authenticates against our server using OIDC in order to call our web API. Currently the users need to log in independently in each application.
I noticed when using ...
0 votes · 1 answer · 184 views
Secret security in containerised environment
I've been having a discussion with a developer about storing sensitive information in environment variables, specifically within a containerised environment such as Azure's Container Apps.
Background ...
2 votes · 1 answer · 497 views
How to secure Kubernetes secrets on bare metal?
(This question is based on a comment I made on How does Vault Agent solve the Secret Zero challenge in Kubernetes?)
We are planning to run some of our software in a Kubernetes cluster running on bare metal (i....
4 votes · 0 answers · 515 views
Securely store application secrets in production without 3rd party KMS
Integrated Security
I have an ASP.NET web application with connection strings and other secrets to protect in production. Ideally I would like to use IntegratedSecurity to keep SQL credentials out of ...
1 vote · 1 answer · 105 views
Securely loading private tokens on a local machine
When doing local development, I have to export a token needed for downloading dependencies from a private repository. For example:
export NPM_TOKEN=token_value
I want to make sure that this token is ...
1 vote · 2 answers · 281 views
API Client Secrets are Being Logged in Plaintext (PowerShell Logs)
I'm currently implementing a PowerShell script to call the Sophos API (https://developer.sophos.com/intro).
Write-Output "`nEnter the Sophos API key / client secret."
$ClientSecret = Read-...
4 votes · 0 answers · 97 views
Best practice for storing security tokens in source code [duplicate]
I have a PHP system and I need to store some tokens for operations like:
Database username and password
API token
Keys for encryption
It turns out that for a long time only I manage the source code, ...
1 vote · 2 answers · 427 views
Best and safest way to store secret key used for PKA on server?
I interact with some APIs that use PKA and I'm looking for the safest / best-practice way to store my secret key. The approaches I know are, for example:
Create a 0500 access directory on my server
...
0 votes · 0 answers · 361 views
Best Practice for retrieving secrets securely
So a company I work with currently is using a password management system that lets us retrieve the passwords for an application by providing a secure key to an API. Currently, the key is stored in ...
0 votes · 1 answer · 793 views
Encrypting/Decrypting User Secrets with Password
I am designing an account system that will use salting/hashing to securely store and compare passwords. For now, I'm looking at using bcrypt for password hashing. Somewhere along the way I'll need a ...
3 votes · 0 answers · 416 views
How does Vault Agent solve the Secret Zero challenge in Kubernetes?
HashiCorp Vault Agent creates a sidecar that talks to the Vault server and injects secrets as files into containers. The agent presumably uses the Kubernetes Service Account in some way. But ultimately there ...
0 votes · 0 answers · 210 views
What are the advantages of password "leasing"
One of HashiCorp Vault's basic features is secret leasing. They state:
Leasing and Renewal: All secrets in Vault have a lease associated with them. At the end of the lease, Vault will automatically ...
1 vote · 1 answer · 163 views
What is a pre-warmed secret?
As described here: https://tools.ietf.org/id/draft-ietf-oauth-security-topics-13.html#proposed-countermeasures-2
Note on pre-warmed secrets: An attacker can circumvent the
countermeasures described ...
2 votes · 2 answers · 491 views
How to do auth without user interaction in an enterprise environment?
We are building a Chrome Extension that will be force-installed on each employee's browser for the companies we work with.
We currently use OAuth but many employees are forgetting to sign up.
We are ...
2 votes · 3 answers · 322 views
How can I pass secrets to a compromised container without the attacker being able to see them?
The most common method of passing secrets to a docker container is through ENVs.
The problem is:
Imagine that your docker container is hosting an HTTP server that can have a security exploit (like any ...
4 votes · 1 answer · 1k views
How bad is it to store credentials in clear text on disk and in memory?
Yeah, it depends. A good answer would provide some reflections on this. I have two concrete scenarios in mind, in two concrete (and I believe common) contexts. Context 1. At home, you’re the only one ...
3 votes · 2 answers · 807 views
How to securely share a secret/password between n individuals, so that majority consensus is required to retrieve the password/secret?
The following constraints apply:
cannot use a physical storage medium (such as a safe/vault)
the service used to store the secret/password should be highly available and accessible from anywhere in the ...
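An added example for the question above (not code from the post or from any answer to it): Shamir secret sharing over a prime field, the standard construction for "any k of n holders can reconstruct, fewer than k learn nothing". The majority rule is taken to mean k = n // 2 + 1; the prime P, the (x, y) share layout and the packing of a short passphrase into a field element are choices made for this demonstration.

```python
"""Shamir secret sharing over GF(P) with a majority threshold.

Added example for the question above; not code from the original post.
Assumptions: the secret is an integer below P, n people each hold one
share, and any k = n // 2 + 1 of them (a strict majority) can reconstruct
it while k - 1 shares are information-theoretically useless.
"""
import secrets

# 2**127 - 1 is a Mersenne prime; any prime larger than the secret works.
P = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... (mod P)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def split_secret(secret, n, k):
    """Split an integer secret into n shares, any k of which reconstruct it."""
    if not 0 <= secret < P:
        raise ValueError("secret must be in [0, P)")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    # Share i is the point (i, f(i)); x = 0 is never issued since f(0) is the secret.
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate f(0) from k or more distinct shares (x, y)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share x-coordinates")
    secret = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = (num * -xm) % P
                den = (den * (xj - xm)) % P
        # Modular inverse via Fermat's little theorem (P is prime).
        secret = (secret + yj * num * pow(den, P - 2, P)) % P
    return secret


def majority_threshold(n):
    """Smallest k that is a strict majority of n holders."""
    return n // 2 + 1


def encode_secret(text):
    """Pack a short UTF-8 passphrase (at most 15 bytes) into one field element."""
    data = text.encode("utf-8")
    if len(data) > 15:
        raise ValueError("passphrase too long for a single field element")
    return int.from_bytes(data, "big")


def decode_secret(value, length):
    return value.to_bytes(length, "big").decode("utf-8")


def demo(passphrase="hunter2!", n=5):
    """Split among n holders; return (text recovered from a majority,
    whether k-1 shares happened to yield the secret)."""
    k = majority_threshold(n)
    secret = encode_secret(passphrase)
    shares = split_secret(secret, n, k)
    subset = secrets.SystemRandom().sample(shares, k)  # any k shares suffice
    recovered = decode_secret(recover_secret(subset), len(passphrase.encode("utf-8")))
    too_few = recover_secret(shares[: k - 1])  # an unrelated field element
    return recovered, too_few == secret


if __name__ == "__main__":
    print(demo())
```

Each holder keeps only their own (x, y) pair and the dealer discards the polynomial. Interpolating from k - 1 shares produces a random element of the field, which is why the demo's second return value is False; the shares themselves still need a highly available, access-controlled store and the holders' identities still need authenticating, which is the part of the question the construction does not solve.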
2 votes · 2 answers · 3k views
Environment variables vs secrets managers
I am testing an in-development app locally.
Currently I use environment variables to store JWT secrets and database usernames and passwords.
I am interested in further securing this, and found out ...
0 votes · 1 answer · 3k views
Is it secure to store private keys in AWS Secrets Manager?
I'm implementing a service that makes, signs and sends transactions at the end of the day; this acts as a crypto exchange. The service creates for every new user a key pair (Private key with its public ...
0 votes · 0 answers · 226 views
Secure memory buffer
We are designing a Python application and we need to "load" encryption secret key in "memory" at the application boot.
It can be also an admin pin code. Anyway, just some data.
Our ...
3 votes · 1 answer · 2k views
Is Python's `secrets` module using the same code as the `random` module?
The secrets module is marketed as a safe alternative to random for things that are meant to be secret. But what's the actual difference? Looking at their code, in some cases these libraries actually ...
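An added example illustrating the question above (not code from the post): random.Random is a deterministic Mersenne Twister, so anyone who learns or can guess the seed reproduces every value it ever emits; secrets builds on random.SystemRandom, which reads os.urandom() and whose seed() is a no-op. The 32-character token format and the brute-force helper are constructed for the demonstration.

```python
"""Why `secrets` is not `random` under another name.

Added example for the question above; not code from the original post.
random.Random is a Mersenne Twister fully determined by its seed.
secrets re-exports random.SystemRandom, which reads os.urandom() and
ignores seed(). The token format and brute-force helper are constructed
for this demonstration.
"""
import random
import secrets

ALPHABET = "0123456789abcdef"


def mt_is_reproducible(seed=1234, n=5):
    """Two Mersenne Twister instances with the same seed emit identical streams."""
    a, b = random.Random(seed), random.Random(seed)
    return [a.getrandbits(32) for _ in range(n)] == [b.getrandbits(32) for _ in range(n)]


def sysrandom_ignores_seed(seed=1234, n=5):
    """SystemRandom.seed() does nothing, so same-seeded instances still diverge."""
    a, b = random.SystemRandom(seed), random.SystemRandom(seed)
    return [a.getrandbits(32) for _ in range(n)] != [b.getrandbits(32) for _ in range(n)]


def secrets_builds_on_sysrandom():
    """secrets re-exports random.SystemRandom and routes its helpers through it."""
    return secrets.SystemRandom is random.SystemRandom


def predictable_token(seed, length=32):
    """The insecure pattern: a token from a seeded PRNG is a pure function of the seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def recover_seed(observed_token, seed_range, length=32):
    """Attacker's view: if the seed came from a small space (a timestamp, a PID),
    brute-forcing it reproduces the token and every value the PRNG emits afterwards."""
    for seed in seed_range:
        if predictable_token(seed, length) == observed_token:
            return seed
    return None


def secure_token(nbytes=16):
    """The secure pattern: nbytes from the OS CSPRNG, hex-encoded (2*nbytes chars)."""
    return secrets.token_hex(nbytes)


def constant_time_equal(a, b):
    """Compare tokens without leaking the position of the first mismatch."""
    return secrets.compare_digest(a, b)


if __name__ == "__main__":
    leaked = predictable_token(1700000042)  # seeded from a "timestamp"
    print("seed recovered:", recover_seed(leaked, range(1700000000, 1700000100)))
    print("seed recovered for secure token:", recover_seed(secure_token(), range(0, 10000)))
```

The brute-force helper recovers the seed of the Mersenne Twister token within a 100-value window and finds nothing for the token_hex() output; with the real generator an attacker does not even need the seed, since about 624 consecutive 32-bit outputs let the internal state be reconstructed directly. Use secrets (or SystemRandom) for anything an attacker must not guess, and compare_digest rather than == when checking a presented token.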
18 votes · 4 answers · 7k views
Microsoft Word to secure stored data
I understand the purpose of Microsoft Word is not to store secret information.
However, I would rather spread my secret information between a Password Manager and a Word document, each of which has ...
3 votes · 2 answers · 3k views
Is this a good practice for storing private keys?
I'm working on a centralized exchange for cryptocurrencies. The approach that I'm taking for some reasons is to create an account (private key) per user inside the platform. So these accounts should be ...
-1 votes · 1 answer · 331 views
How to secure the key in an offline package
I have a package to be shared with Bob which contains:
an encrypted data.zip
Application, which will have logic to decrypt the data
Bob will run Application and it will decrypt the data.zip.
Now for ...
0 votes · 1 answer · 3k views
Source of RegEx examples of Secret Detection patterns in repositories?
Where can I find RegEx that can pattern match common secret strings?
I have a product that scans repos and commits and in case a developer tries to commit a secret (i.e. passwords, keys). It scans for ...
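An added example for the question above, not part of the original post or of any shipped scanner: a small scanner that combines fixed-format regexes with a Shannon-entropy check for generic `key = value` assignments. The fixed-format patterns follow publicly documented token shapes (AWS access key IDs begin with AKIA and are 20 characters; GitHub personal access tokens begin with ghp_; PEM private keys begin with a BEGIN ... PRIVATE KEY header; Slack tokens begin with xox plus a type letter). The sample configuration is constructed for the demo and contains no real credentials (AKIAIOSFODNN7EXAMPLE is the placeholder AWS uses in its own documentation).

```python
"""Regex-plus-entropy secret scanner for repository content.

Added example; not code from the original post or from any shipped scanner.
The fixed-format patterns follow the documented public shapes of a few token
types; SAMPLE_CONFIG is constructed and contains no real credentials
(AKIAIOSFODNN7EXAMPLE is the placeholder AWS uses in its own documentation).
"""
import math
import re

PATTERNS = {
    # AWS access key ID: "AKIA" followed by 16 uppercase alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # GitHub personal access token: "ghp_" followed by 36 alphanumerics.
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # PEM private key header (RSA, EC, DSA, OpenSSH or PKCS#8 "PRIVATE KEY").
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # Slack tokens: "xox" plus a type letter, a dash, then the token body.
    "slack_token": re.compile(r"\bxox[abprs]-[A-Za-z0-9-]{10,}\b"),
    # Generic assignment: keyword, separator, then a value of 8+ non-space chars.
    # Reported only when the value is high-entropy (see ENTROPY_THRESHOLD).
    "generic_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}

# Bits of Shannon entropy per character. English words sit near 3;
# random alphanumerics of 20+ characters typically exceed 4.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text, path="<memory>"):
    """Return (path, line_no, rule, matched_value) tuples for every hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, regex in PATTERNS.items():
            for m in regex.finditer(line):
                if rule == "generic_assignment":
                    value = m.group(2)
                    # Skip templated placeholders and low-entropy dummy values
                    # such as "changeme"; they are the main false-positive source.
                    if value.startswith("${") or shannon_entropy(value) < ENTROPY_THRESHOLD:
                        continue
                    findings.append((path, line_no, rule, value))
                else:
                    findings.append((path, line_no, rule, m.group(0)))
    return findings


# Constructed sample; none of these values are real credentials.
SAMPLE_CONFIG = """\
# application settings (constructed sample)
db_host = db.internal
password = "changeme"
password: ${DB_PASSWORD}
api_key = "kq9Zv2Lm8Xw1Tr4Yb7Nc3Pd6"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN="ghp_0123456789abcdefghijklmnopqrstuvwxyz"
SLACK_BOT=xoxb-1234567890-abcdefghij
-----BEGIN RSA PRIVATE KEY-----
(key body omitted)
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_CONFIG, "config.env"):
        print("%s:%d [%s] %s" % finding)
```

Run over the sample, scan_text returns five findings: the high-entropy api_key value, the AWS key ID, the GitHub token, the Slack token and the private-key header, while `password = "changeme"` and `password: ${DB_PASSWORD}` are dropped as low-entropy placeholders. Tune ENTROPY_THRESHOLD against your own repositories: too low and UUIDs and hashes flood the results, too high and short real passwords slip through; in a pre-commit hook, scan the staged diff rather than the whole tree so the check stays fast.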
98 votes · 12 answers · 19k views
How do very big companies manage their most important passwords / keys?
Third-party password managers such as 1password, etc. are useful for people, businesses, etc. to store passwords. But I bet Facebook, Google, Twitter and other super big tech companies don't use such ...
1 vote · 2 answers · 248 views
Can a symmetric key be safely embedded anywhere in a .NET desktop client program?
Is there a native way, that is, one not requiring the purchase of an expensive third-party obfuscator, that a .NET desktop client program, deployed to the users' Windows desktops from a LAN server ...
0 votes · 0 answers · 259 views
Encrypt files transparently from applications
Many CLI applications store or need secrets in plaintext files.
I'm searching preferably for a tool, or a methodology, to encrypt those files without the application knowing.
What do I mean by that:
...