Collaborate Disseminate
I’m working on upgrading a “legacy” infrastructure where a handful of PHP, Rails and Perl (CGI) applications are in use. Historically, these applications have been written with the database credentials sprinkled into all the … Continue reading Best practice for securing DB passwords for multiple web apps?
There seems to be a general recommendation to store secrets in the Hashicorp Vault instance (or similar key-management software) and avoid passing secrets via environment variables.
In what particular scenarios using Vault is… Continue reading What security advantages does Hashicorp Vault have over storing secrets (passwords, API keys) in environment variables?
In Java I can create a two way Hash function – if I implemented with MD5 I could write the methods toMD5Hash() and fromMD5Hash for a reversible process.
Further than that I could use TripleDes with key-based encryption in J… Continue reading What makes storing secrets in Hashicorp Vault different to using a two-way hash in Java? [on hold]
I have a server application (on dynamic infrastructure) which needs to retrieve a secret from Hashicorp Vault during startup.
Lets assume we need make this as secure as possible. From the docs and examples about AppRole auth… Continue reading Vault: How does AppRole authentication works?
Say one has a service provided by Consul, for which active.[name-of-service].service.consul is the link it provides to the active host leader for that service. How would I properly set up TLS to that .consul domain name?
For example, sup… Continue reading How can I add a custom domain to an SAN for a certificate for consul domains like active.vault.service.consul?
I had a friend say:
We’re securing our microservice with an HMAC derived from the private key in the jks file. [Where client and server shared the same private key]
I can understand the situation where you have an HMAC … Continue reading Is there value to signing microservice calls with an HMAC derived from the same private key?
I had a friend say:
We’re securing our microservice with an HMAC derived from the private key in the jks file. [Where client and server shared the same private key]
I can understand the situation where you have an HMAC … Continue reading Is there value to signing microservice calls with an HMAC derived from the same private key?
There is RESTful web-service which runs on Tomcat and takes private key from PostgreSQL database to sign some data. I am considering to use Vault project for private key management. As I understand, it stores private key in a… Continue reading Vault project for storing private keys
Disclaimer. I’m not even sure if the question is worded correctly in the title. Neither am I sure if I’m asking the right question. If there’s literature relevant to this topic, it’d be greatly appreciated.
I’m looking at ha… Continue reading Distributing private PKI CA Cert with public SSL CA? Any point?
Disclaimer. I’m not even sure if the question is worded correctly in the title. Neither am I sure if I’m asking the right question. If there’s literature relevant to this topic, it’d be greatly appreciated.
I’m looking at ha… Continue reading Distributing private PKI CA Cert with public SSL CA? Any point?