Collaborate Disseminate
The best example, would be the ~/.ssh folder, or the linux keychain.
Why is the ~/.ssh folder considered safe? When researching this, people said that the permissions of the folder would give enough security, since if someone then still ha… Continue reading How do programs store plain-text secrets securely? [duplicate]
I have an application that encodes data when writing it to a database, and unencodes it when reading from the database. The encoding is done with a symmetric algorithm using a fixed secret key.
I’m imagining a situation where an attacker h… Continue reading How much does manually entering a key at process start help?
I see why it is obviously bad to store a secret key and client ID in the source code for a web application. However, how do you go about the alternative? Surely, that information has to be stored somewhere. Is it stored in a local text fil… Continue reading What does it mean to store secret keys as an "environment variable" as opposed to hardcoded in the source code?
When I came to the topic of Ansible (Vault), when deploying secrets in Ansible and other passwords up to 128 characters Shamir’s Secret Sharing would be an ideal solution I think:
The secret is never in one spot
The secret can be encrypte… Continue reading Why don’t basically all "clusters" and similar distributed systems use Shamir’s secret sharing method? [migrated]
This is for an app service + database I am pushing up to Azure. I am using Key Vault + Managed Identity for the secrets. I have several connection strings in the secrets to ApplicationInsights, etc.
These connection strings have a key, pas… Continue reading What’s the tradeoff of storing a connection string vs the password as a secret?
I am trying to mount a secret in the pod securely. I have created the secrets with defaultMode: 0400 and runAsUser:1000. However when i am trying to access the secret in the container after doing exec in it, the secret file is owned by roo… Continue reading Mounting secrets with proper access control in kubernetes pods
I am trying integrate our service with SSO. I have generated the ClientID and ClientSecret.
Is it a good security practice to store the ClientID and ClientSecret as a configmap? If not, what are the alternatives for storing and using them?… Continue reading How to store ClientID and ClientSecret in a K8 Env
Background:
We have product development teams, where each team has one or two QA engineers. They run tests from their local machines. Here is what they require:
Application credentials (a clientId and a clientSecret), which enable them to… Continue reading What Criteria Should We Use to Determine What is and isn’t a Secret?
Pretty much what the title says. I have been playing around with discord webhooks lately and one problem I have discovered is that anyone with the webhook url/token can send messages. This means that if I were to write an application that … Continue reading Is it possible to authenticate a device with a server without the device knowing any sort of secret?
I’m a customer of a big KYC provider and am using their API. The process to authenticate at the API requires a secret key that they are sending to me by email. If I want to revoke the key and get a new one I have to send a mail to their su… Continue reading Sending secret API Keys via email