Wednesday, March 27, 2024

Encrypting credentials config file in production with key rotation – Getting Help


Hey all,
This relates to that never-ending question of securing the credentials in production/staging envs.

I’m wondering if anybody would like to comment / share their thoughts regarding the following approach we’re thinking of taking.

Here we go:

During the build phase, an encryption key is generated and credentials are encrypted with it.

On the deployment end, during the instantiation the credentials are decrypted using the provided key, and the credentials are loaded into memory. At this point all of the initial files are destroyed. The binary now generates a new encryption key and re-encrypts the credentials, both of which are kept in memory. Newly encrypted credentials along with the key are only dumped onto a filesystem if the application panics and needs to be restarted, at which point the same cycle of key rotation decryption/encryption happens again.

Do you think there is any security benefit with this approach?

There was a similar, now closed discussion:

Hello @blues_spare,

I’m not in the DevSecOps business and thus not someone to give advice, but if I had to find a way of securing credentials for my apps, I would prefer using tested and proven tools like Hashicorp Vault for managing all credentials and app secrets. Or if I decide on a particular cloud service, they usually have native tools for that purpose.
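The decrypt-then-re-encrypt cycle described in the opening post, as an added example that is not code from either poster. The thread names no cipher, so AES-256-GCM and the function names `sealFresh` and `rotate` are assumptions, and the credential string is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM returns an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFresh encrypts plaintext under a newly generated key (blob = nonce || ciphertext || tag).
func sealFresh(plaintext []byte) (key, blob []byte, err error) {
	buf := make([]byte, 32+12) // random 32-byte key, then 12-byte GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(buf[:32])
	if err != nil {
		return nil, nil, err
	}
	return buf[:32], gcm.Seal(buf[32:], buf[32:], plaintext, nil), nil
}

// rotate is the restart step: decrypt with the old key, re-encrypt under a new one.
func rotate(oldKey, blob []byte) (creds, newKey, newBlob []byte, err error) {
	gcm, err := newGCM(oldKey)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, nil, nil, fmt.Errorf("invalid key or truncated blob (key error: %v)", err)
	}
	n := gcm.NonceSize()
	if creds, err = gcm.Open(nil, blob[:n], blob[n:], nil); err != nil {
		return nil, nil, nil, err // wrong key, or the dumped file was modified
	}
	newKey, newBlob, err = sealFresh(creds)
	return creds, newKey, newBlob, err
}

func main() {
	key, blob, _ := sealFresh([]byte("db_password=constructed-example")) // build phase
	_, newKey, _, err := rotate(key, blob)                               // instantiation
	fmt.Println("rotated to a", len(newKey), "byte key, err:", err)
}
```

Anyone who can read both the key and the blob recovers the credentials, so a dump that writes them together is protected only by the permissions on those files.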
