Collaborate Disseminate
Please note this question is specifically to this CSI driver infrastructure and NOT to the K8s Secrets infrastructure.
Reviewing this implementation with regards to some enterprise work. The infrastructure handles a lot of internal sensiti… Continue reading K8s Secrets Store CSI Driver
I have a process that needs secret keys to be passed as environment variables. That is for historical reasons.
I have a AWS machine where this process runs but I do not want to store these keys in files or scripts on the cloud.
What is the… Continue reading Launch a process with secrets as environment variables
I am exploring how to use docker secrets, but all the secrets are visible in plain text format to anyone who can use the docker command. How do I ensure all secrets are sufficiently protected and not as readily accessible to unauthorized … Continue reading How to use `docker secret` to prevent secrets from being seen in plain text by unauthorized individuals
Given a Wireguard client configuration file, I guess some of the fields shouldn’t be shared with just anyone, like the private key, right?
Is there any other field that should be treated as a confidential value? I want to add the client co… Continue reading Wireguard client configuration file – confidential values
We currently rotate AWS-specific secrets via AWS Secrets Manager without much issue. However, we are looking to also rotate secrets e.g. API keys for specific services, but AWS Secrets Manager does not support this, and it seems that Hashi… Continue reading How are companies automatically rotating secrets such as API keys?
The best example, would be the ~/.ssh folder, or the linux keychain.
Why is the ~/.ssh folder considered safe? When researching this, people said that the permissions of the folder would give enough security, since if someone then still ha… Continue reading How do programs store plain-text secrets securely? [duplicate]
I have an application that encodes data when writing it to a database, and unencodes it when reading from the database. The encoding is done with a symmetric algorithm using a fixed secret key.
I’m imagining a situation where an attacker h… Continue reading How much does manually entering a key at process start help?
I see why it is obviously bad to store a secret key and client ID in the source code for a web application. However, how do you go about the alternative? Surely, that information has to be stored somewhere. Is it stored in a local text fil… Continue reading What does it mean to store secret keys as an "environment variable" as opposed to hardcoded in the source code?
When I came to the topic of Ansible (Vault), when deploying secrets in Ansible and other passwords up to 128 characters Shamir’s Secret Sharing would be an ideal solution I think:
The secret is never in one spot
The secret can be encrypte… Continue reading Why don’t basically all "clusters" and similar distributed systems use Shamir’s secret sharing method? [migrated]
This is for an app service + database I am pushing up to Azure. I am using Key Vault + Managed Identity for the secrets. I have several connection strings in the secrets to ApplicationInsights, etc.
These connection strings have a key, pas… Continue reading What’s the tradeoff of storing a connection string vs the password as a secret?