kdapackage.blogg.se

Bitwarden local vault

Passwords, API keys, secure tokens, and confidential data fall into the category of secrets. Storing secrets securely is a challenge: access has to be limited and the storage itself has to be truly secure. A secret must not be available in plaintext in easy-to-guess locations; in fact, it must not be stored in plaintext in any location at all. Let's take a look at HashiCorp Vault and how you can use it to store and access secrets.

Sensitive data can be encrypted by using the Spring Cloud Config Server or TomEE. Encrypted data is one step better than unencrypted data, but encryption creates the need for decryption on the consuming side, which requires a decryption key to be distributed. Now, where do you put the key? Is the key protected by a passphrase? Where do you put the passphrase? On how many systems do you distribute the key and the passphrase? As you can see, encryption introduces a chicken-and-egg problem.

Storing a decryption key gives the application the ability to decrypt data. Someone who is not authorized could get hold of the decryption key by having access to the machine, and that person can then decrypt everything that was encrypted with this key. The key is static, so a leaked key requires a key change: data needs to be re-encrypted and the credentials it protected need to be rotated. Such a leak cannot be detected with online measures, because the data can be decrypted offline once it has been obtained. One approach is to put the key in a hard-to-guess location before the application starts and wipe the key once it has been read into memory. This shortens the time in which the key is available and reduces the attack window, but the key was still there. Wiping the key also works only for one application startup: containers and microservices in the cloud are routinely restarted after they crash, and a restart is no longer possible because the key is gone.

Wait, there's hope! Doing encryption right is tough, and managing secrets is even harder if you do it yourself. Vault helps to address the chicken-and-egg problem and it comes with encryption. It provides an API that gives access to secrets based on policies. Any user of the API needs to authenticate and sees only the secrets for which they are authorized.
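The "read the key, then wipe it" approach and its restart failure mode, as an added example that is not code from the original post or from any of the projects it mentions. It is written in Go and uses only the standard library; the key file name, the AES-GCM sealing of a config value and the sample password are constructed for the demo. The first start reads the key, deletes the file and decrypts; the simulated crash restart fails because the key is gone, which is exactly the problem the text describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// loadAndWipeKey reads the key file and deletes it immediately, so the key
// lives only in this process's memory afterwards.
func loadAndWipeKey(keyPath string) ([]byte, error) {
	key, err := os.ReadFile(keyPath)
	if err != nil {
		return nil, fmt.Errorf("key unavailable: %w", err)
	}
	if err := os.Remove(keyPath); err != nil {
		return nil, fmt.Errorf("wiping key file: %w", err)
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptSecret models the deploy-time step: output is nonce || AES-GCM ciphertext.
func encryptSecret(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func decryptSecret(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// startApp is one application start: fetch the key, decrypt the sealed config
// value, then zero the key buffer (best effort only: the GC may hold copies).
func startApp(keyPath string, sealed []byte) (string, error) {
	key, err := loadAndWipeKey(keyPath)
	if err != nil {
		return "", err
	}
	plain, err := decryptSecret(key, sealed)
	for i := range key {
		key[i] = 0
	}
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// Demo runs two starts against the same key file. It returns the value the
// first start decrypted and the error the second start (a crash restart) hit.
func Demo() (first string, restartErr error, err error) {
	dir, err := os.MkdirTemp("", "keywipe")
	if err != nil {
		return "", nil, err
	}
	defer os.RemoveAll(dir)
	key := make([]byte, 32) // AES-256 key, generated only for this demo
	if _, err = rand.Read(key); err != nil {
		return "", nil, err
	}
	keyPath := filepath.Join(dir, "app.key") // assumed "hard to guess" location
	if err = os.WriteFile(keyPath, key, 0o600); err != nil {
		return "", nil, err
	}
	// Constructed sample secret, as a config server would have encrypted it.
	sealed, err := encryptSecret(key, []byte("db-password-s3cr3t"))
	if err != nil {
		return "", nil, err
	}
	first, err = startApp(keyPath, sealed)
	if err != nil {
		return "", nil, err
	}
	_, restartErr = startApp(keyPath, sealed) // key file is gone: restart fails
	return first, restartErr, nil
}

func main() {
	first, restartErr, err := Demo()
	fmt.Println("first start decrypted:", first, "| restart after crash:", restartErr, "| setup error:", err)
}
```

Note that even the first start is not safe: the key file existed on disk before the process read it, and an attacker with access to the host in that window keeps the key, which is the "still the key was there" point above.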
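What "only sees the secrets for which they are authorized" means in practice, as an added example in Go that is not Vault's own code: a simplified model of the policy evaluation Vault documents for its ACL policies (the most specific matching path wins, rules on that path from several policies are merged, and an explicit deny beats every grant). The policies, identities and secret paths are constructed for the demo; an unauthenticated caller has no policies and therefore sees nothing.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Rule is one path stanza of a policy: an exact path or a prefix ending in "*",
// plus the capabilities granted on it. "deny" overrides every other capability.
type Rule struct {
	Path string
	Caps []string
}

// Policy is a named list of rules, as attached to an authenticated token.
type Policy struct {
	Name  string
	Rules []Rule
}

func (r Rule) matches(path string) bool {
	if strings.HasSuffix(r.Path, "*") {
		return strings.HasPrefix(path, strings.TrimSuffix(r.Path, "*"))
	}
	return r.Path == path
}

// specificity ranks matching rules: an exact path outranks every glob, and a
// longer glob prefix outranks a shorter one.
func (r Rule) specificity() int {
	if strings.HasSuffix(r.Path, "*") {
		return len(r.Path) - 1
	}
	return 1 << 20
}

// Allowed reports whether a token holding these policies may perform cap on path.
// Assumed semantics (a model of the documented Vault rules, not Vault's code).
func Allowed(policies []Policy, path, cap string) bool {
	best := -1
	granted := map[string]bool{}
	for _, p := range policies {
		for _, r := range p.Rules {
			if !r.matches(path) {
				continue
			}
			s := r.specificity()
			if s > best { // a more specific path replaces everything seen so far
				best = s
				granted = map[string]bool{}
			}
			if s == best { // same path pattern, possibly from another policy: merge
				for _, c := range r.Caps {
					granted[c] = true
				}
			}
		}
	}
	return best >= 0 && !granted["deny"] && granted[cap]
}

// Readable lists the secret paths a token with these policies can read: the
// subset of the store that this caller actually "sees".
func Readable(policies []Policy, paths []string) []string {
	out := []string{}
	for _, p := range paths {
		if Allowed(policies, p, "read") {
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample secrets and policies (hypothetical names).
var SecretPaths = []string{
	"secret/data/billing/db",
	"secret/data/billing/stripe-api-key",
	"secret/data/billing/admin-key",
	"secret/data/hr/payroll-db",
}

var BillingApp = []Policy{{Name: "billing-app", Rules: []Rule{
	{Path: "secret/data/billing/*", Caps: []string{"read"}},
	{Path: "secret/data/billing/admin-key", Caps: []string{"deny"}}, // exact path beats the glob
}}}

var Auditor = []Policy{{Name: "auditor", Rules: []Rule{
	{Path: "secret/data/*", Caps: []string{"list"}}, // may enumerate, never read
}}}

func main() {
	fmt.Println("billing-app reads:", Readable(BillingApp, SecretPaths))
	fmt.Println("auditor reads:", Readable(Auditor, SecretPaths))
	fmt.Println("unauthenticated reads:", Readable(nil, SecretPaths))
	fmt.Println("auditor may list hr/payroll-db:", Allowed(Auditor, "secret/data/hr/payroll-db", "list"))
}
```

The point to take from the model is that authorization is decided per path and per capability on every request, so a leaked token exposes only what its policies grant and can be revoked, whereas a leaked static decryption key exposes everything ever encrypted under it.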
