Sunday, May 19, 2024

Encrypting credentials config file in production with key rotation – Getting Help


Hey all,
This relates to that never-ending question of securing the credentials in production/staging envs.

I'm wondering if anyone would like to comment / share their thoughts regarding the following approach we're thinking of taking.

Here we go:

During the build phase, an encryption key is generated and credentials are encrypted with it.

On the deployment end, during instantiation the credentials are decrypted using the provided key, and the credentials are loaded into memory. At this point all of the initial data is destroyed. The binary now generates a new encryption key and re-encrypts the credentials, both of which are stored in memory. The newly encrypted credentials along with the key are only dumped onto a filesystem if the application panics and needs to be restarted, at which point the same cycle of key rotation and decryption/encryption happens again.

Do you think there is any security benefit with this approach?

There was a similar, now closed discussion:
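
The cycle described in the post, as an added example that is not part of the original post: credentials are sealed under a freshly generated key, then on startup decrypted, the old key zeroed, and the plaintext re-sealed under a new in-memory key. AES-256-GCM and the names `seal`, `open` and `rotate` are assumptions, since the post names no cipher or API, and the credential string is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func gcm(k *[32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(k[:]) // cannot fail: key is exactly 32 bytes
	g, _ := cipher.NewGCM(block)    // cannot fail: AES has a 16-byte block
	return g
}

// seal encrypts pt under a fresh random key: blob = nonce || ciphertext || tag.
func seal(pt []byte) (*[32]byte, []byte, error) {
	k, nonce := new([32]byte), make([]byte, 12)
	if _, err := rand.Read(k[:]); err != nil {
		return nil, nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return k, gcm(k).Seal(nonce, nonce, pt, nil), nil
}

// open authenticates and decrypts blob; a wrong key or edited blob is an error.
func open(k *[32]byte, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return gcm(k).Open(nil, blob[:12], blob[12:], nil)
}

// rotate decrypts with the old key, zeroes it, and re-seals under a new key.
func rotate(old *[32]byte, blob []byte) (*[32]byte, []byte, error) {
	pt, err := open(old, blob)
	if err != nil {
		return nil, nil, err
	}
	*old = [32]byte{} // best-effort wipe; the Go runtime may still hold copies
	return seal(pt)
}

func main() {
	k, blob, _ := seal([]byte("db_pass=constructed-sample")) // build-phase step
	_, blob2, err := rotate(k, blob)                         // startup step
	fmt.Println(len(blob2), err)
}
```

Because GCM is authenticated, a blob dumped to disk and modified before the restart fails in `open` instead of yielding altered credentials.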
