Secure what matters to your business.
There’s a lot to think about while working with containers, Kubernetes, cloud, and secrets. You have to apply best practices around identity and access management and choose and operate various tools.
Whether you’re a developer or a sysadmin, you need to make sure you have chosen the right tools to keep your environments secure. Applications need access to configuration data to operate correctly. And while most configuration data is non-sensitive, some needs to remain confidential. These strings are known as secrets.
Don’t tell me you still have secrets in GitHub.
Well, if you’re building a reliable application, chances are that your functions need access to secrets or other sensitive information you keep.
These secrets may include:
- API keys
- Database credentials
- Encryption keys
- Sensitive configuration settings (email address, usernames, debug flags, etc.)
However, handling these secrets securely can prove to be a difficult task. So here are a few tips for developers and sysadmins:
Patching function dependencies
Track the libraries your functions use and monitor them continuously to flag known vulnerabilities.
Employ API gateways as a security buffer
Don’t expose functions directly to user interaction. Use your cloud provider’s API gateway capabilities to add another layer of security in front of your function.
Secure and verify data in transit
Use HTTPS for a secure communication channel and verify TLS (SSL) certificates to confirm the identity of the remote party.
Follow secure coding rules for application code.
With no servers to hack, attackers will turn their minds to the application layer, so take extra care to protect your code.
Manage secrets in secure storage
Sensitive information leaks easily, and stale credentials are vulnerable to rainbow table attacks if you neglect to adopt a proper secrets management solution. Remember not to store secrets in the application file system, in environment variables, or in the source code management system.
Key management in the corporate world is very painful due to, among other reasons, a lack of knowledge and resources. As a result, some companies embed the encryption keys and other software secrets directly in the source code of the application that uses them, introducing the risk of exposing the secrets.
Given the lack of off-the-shelf solutions, many companies have built their own secrets management tools. Here are a few you can use for your requirements.
HashiCorp Vault is a tool for securely storing and accessing secrets.
It provides a unified interface to any secret while enforcing tight access control and recording a comprehensive audit log. It secures applications and their backing stores to limit the attack surface and the window of exposure in a breach.
It exposes an API that grants access to secrets based on policies. Every user of the API must authenticate and sees only the secrets they are authorized to view.
Vault encrypts data using 256-bit AES with GCM.
It can store data in various backends such as Amazon DynamoDB, Consul, and many more. For auditing, Vault supports logging to a local file, to a Syslog server, or directly to a socket. Vault logs information about the client that acted, the client’s IP address, the action, and the time at which it was performed.
Starting or restarting Vault always requires one or more operators to unseal it. Vault works primarily with tokens; each token is bound to a policy that constrains the permitted actions and paths. The key features of Vault are:
- It encrypts and decrypts data without storing it.
- Vault can generate secrets on demand for some systems, such as AWS or SQL databases.
- Allows replication across multiple data centers.
- Vault has built-in support for secret revocation.
- Serves as a secret repository with access control details.
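The policy-and-token model described above (a token is bound to a policy, and a caller sees only the paths it is authorized for) can be shown with a small path-policy evaluator. The Go code below is an added example written for this article, not Vault’s own code: `Token`, `Policy`, `Capability` and `Allowed` are hypothetical names, and the matching rules (longest matching rule wins, capabilities are unioned across policies, an explicit deny beats any grant, no match means denied) are a simplification of Vault’s policy semantics.

```go
package main

import (
	"fmt"
	"strings"
)

// Capability uses the vocabulary of Vault policies.
type Capability string

const (
	CapCreate Capability = "create"
	CapRead   Capability = "read"
	CapUpdate Capability = "update"
	CapDelete Capability = "delete"
	CapList   Capability = "list"
	CapDeny   Capability = "deny"
)

// Policy maps a path rule to the capabilities it grants. A rule ending in
// "*" is a glob matching every path with that prefix; any other rule must
// match the path exactly.
type Policy map[string][]Capability

// Token is a hypothetical stand-in for a Vault token: the policies that
// bound its permitted actions and paths are attached inline.
type Token struct {
	Name     string
	Policies []Policy
}

func matches(rule, path string) bool {
	if strings.HasSuffix(rule, "*") {
		return strings.HasPrefix(path, strings.TrimSuffix(rule, "*"))
	}
	return rule == path
}

// Allowed decides whether tok may exercise want on path under the simplified
// rules used here: only the most specific (longest) matching rules count,
// their capabilities are unioned across all of the token's policies, an
// explicit "deny" on that rule beats every grant, and a path matched by no
// rule is denied. Real Vault has further tie-breaking rules.
func Allowed(tok Token, want Capability, path string) bool {
	bestLen := -1
	granted := map[Capability]bool{}
	for _, pol := range tok.Policies {
		for rule, caps := range pol {
			if !matches(rule, path) {
				continue
			}
			if len(rule) > bestLen {
				bestLen = len(rule)
				granted = map[Capability]bool{} // a more specific rule replaces less specific ones
			}
			if len(rule) == bestLen {
				for _, c := range caps {
					granted[c] = true
				}
			}
		}
	}
	if bestLen < 0 || granted[CapDeny] {
		return false
	}
	return granted[want]
}

func main() {
	// Constructed sample policy: read/list everything under the app prefix,
	// but explicitly deny the production database credential.
	dev := Token{Name: "dev", Policies: []Policy{{
		"secret/data/app/*":       {CapRead, CapList},
		"secret/data/app/prod-db": {CapDeny},
	}}}
	for _, req := range []struct {
		want Capability
		path string
	}{
		{CapRead, "secret/data/app/staging-db"},
		{CapUpdate, "secret/data/app/staging-db"},
		{CapRead, "secret/data/app/prod-db"},
		{CapRead, "secret/data/other/x"},
	} {
		fmt.Printf("%-6s %-28s allowed=%v\n", req.want, req.path, Allowed(dev, req.want, req.path))
	}
}
```

The design choice worth noting is the deny-by-default branch: a request matching no rule is refused, so a new secret path is invisible to every token until someone writes a policy for it, which is the property you want from a secrets store.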
AWS Secrets Manager
You expected AWS on this list, didn’t you?
AWS has a solution to every problem.
AWS Secrets Manager lets you quickly rotate, manage, and retrieve database credentials, API keys, and other passwords. Using Secrets Manager, you can secure, analyze, and manage the secrets needed to access AWS Cloud capabilities, third-party services, and on-premises resources.
Secrets Manager enables you to manage access to secrets using fine-grained permissions. The key features of AWS Secrets Manager are:
- Encrypts secrets at rest using encryption keys.
- Decrypts the secret on retrieval and transmits it securely over TLS.
- Provides code samples that help you call the Secrets Manager APIs.
- Provides client-side caching libraries to improve availability and reduce the latency of using your secrets.
- Supports Amazon VPC (Virtual Private Cloud) endpoints to keep traffic within the AWS network.
Akeyless Vault is a unified, end-to-end, SaaS-based secrets management platform that protects all types of credentials, both static and dynamic, including certificate automation and encryption keys. It also provides a solution for securing remote access (zero trust) to all resources across legacy, multi-cloud, and hybrid environments.
Akeyless protects secrets & keys using a built-in FIPS 140-2 certified and patented technology; it has zero knowledge of its customers’ secrets & keys.
The key features include:
- Globally available, SaaS-based platform that offers built-in high availability (HA) and disaster recovery (DR) by leveraging a cloud-native architecture on top of a multi-region and multi-cloud service.
- Advanced secrets management provides a secure vault for static & dynamic secrets such as passwords, credentials, API keys, tokens, etc.
- Akeyless Vault enables provisioning and injection of all types of secrets to all your servers, applications, and workloads, providing a wide variety of plugins that allow you to connect to all your DevOps and IT Platforms such as CI/CD, configuration management, and orchestration tools such as Kubernetes & Docker.
- SaaS – no deployment, installation, or maintenance is necessary
- Instant onboarding with automatic migration of secrets from known existing secrets repositories
The platform supports two more pillars:
- Zero-Trust Application Access (AKA Remote Access) by providing unified authentication and just-in-time access credentials, allowing you to secure the perimeter-less applications and infrastructure.
- Encryption as a Service, which allows customers to protect sensitive personal and business data by applying FIPS 140-2 certified application-level encryption.
Square Keywhiz helps with infrastructure secrets, GPG keyrings, and database credentials, including TLS certificates and keys, symmetric keys, API tokens, and SSH keys for external services. Keywhiz is a tool for handling and sharing secrets.
Keywhiz’s automation lets you seamlessly distribute and set up the secrets your services need, which requires a consistent and secure environment. The key features of Keywhiz are:
- Keywhiz Server provides JSON APIs for collecting and managing secrets.
- It keeps all secrets in memory only; they are never written to disk.
- The web UI is built with AngularJS, so users can authenticate and work with secrets from a browser.
Confidant is an open-source secrets management tool that provides user-friendly, secure storage of and access to secrets. Confidant stores secrets append-only in DynamoDB and generates a unique KMS data key for every modification of every secret, using Fernet symmetric authenticated cryptography.
It provides an AngularJS web interface that lets end users efficiently manage secrets, the mapping of secrets to services, and the history of changes. Some of the features include:
- KMS Authentication
- At-rest encryption of versioned secrets
- A user-friendly web interface for managing secrets
- Generates tokens that can be used for service-to-service authentication or to pass encrypted messages between services.
Let me introduce you to SOPS, an incredible tool I recently discovered. It’s an encrypted file editor that supports formats like YAML, JSON, ENV, INI, and BINARY. The best part? It can encrypt your files using AWS KMS, GCP KMS, Azure Key Vault, age, and PGP.
Now, here’s where it gets interesting. Imagine you’re working on a machine that doesn’t have direct access to encryption keys like PGP keys. No worries! SOPS has got you covered with its key service feature. You can grant SOPS access to encryption keys stored on a remote machine by forwarding a socket. It’s like having your very own portable GPG Agent!
SOPS operates on a client-server model for encrypting and decrypting the data key. By default, it runs a local key service within the process. The client sends encrypt or decrypt requests to the key service using gRPC and Protocol Buffers. Don’t worry; these requests don’t contain any cryptographic keys, public or private.
I must emphasize that the key service connection currently lacks authentication or encryption. Authenticating and encrypting the connection through other means, such as an SSH tunnel, is highly recommended to ensure security.
But wait, there’s more! SOPS can generate audit logs to track file access in your controlled environment. When enabled, it records decryption activity in a PostgreSQL database, including the timestamp, username, and decrypted file. Pretty neat, right?
Additionally, SOPS offers two handy commands for passing decrypted secrets to a new process: exec-env and exec-file. The former injects the output into the environment of a child process, while the latter stores it in a temporary file.
Remember, the file extension determines the file format SOPS applies when encrypting. If you encrypt a file in a specific format, be sure to retain the original file extension for decryption. It’s the easiest way to ensure compatibility.
SOPS draws inspiration from tools like hiera-eyaml, credstash, sneaker, and password store. It’s a fantastic solution that eliminates the hassle of managing PGP-encrypted files manually.
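The two hand-off styles described above (inject decrypted values into a child’s environment, or hand the child a temporary file) are easy to reproduce. The Go program below is an added example written for this article, not SOPS’s own code: `ExecEnv` and `ExecFile` are hypothetical names that imitate what exec-env and exec-file do, the decryption step is replaced by a constructed `sampleSecrets` map with placeholder values, and the `{}` placeholder for the file path follows the convention SOPS documents for exec-file.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"os/exec"
	"sort"
)

// Secrets is what decrypting a secrets file yields. The values below are
// constructed placeholders for this example, not real credentials.
type Secrets map[string]string

var sampleSecrets = Secrets{
	"DB_PASSWORD": "example-db-password",
	"API_TOKEN":   "example-api-token",
}

// sortedKeys gives a deterministic order for env lists and rendered files.
func sortedKeys(s Secrets) []string {
	keys := make([]string, 0, len(s))
	for k := range s {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// DotEnv renders the secrets as KEY=value lines, the shape a child process
// that expects an env file would read.
func DotEnv(s Secrets) []byte {
	var b bytes.Buffer
	for _, k := range sortedKeys(s) {
		fmt.Fprintf(&b, "%s=%s\n", k, s[k])
	}
	return b.Bytes()
}

// ExecEnv mirrors the exec-env idea: the decrypted values are added to the
// child's environment only (os/exec keeps the last value for a duplicated
// key, so they override inherited ones) and never touch the disk. The
// child's combined stdout/stderr is returned.
func ExecEnv(s Secrets, name string, args ...string) (string, error) {
	cmd := exec.Command(name, args...)
	cmd.Env = os.Environ()
	for _, k := range sortedKeys(s) {
		cmd.Env = append(cmd.Env, k+"="+s[k])
	}
	var out bytes.Buffer
	cmd.Stdout, cmd.Stderr = &out, &out
	err := cmd.Run()
	return out.String(), err
}

// ExecFile mirrors the exec-file idea: content goes into a temporary file
// readable only by its owner (mode 0600), every "{}" argument is replaced by
// that file's path, and the file is removed once the child exits. The path
// is returned so a caller can confirm the cleanup happened.
func ExecFile(content []byte, name string, args ...string) (output, path string, err error) {
	f, err := os.CreateTemp("", "secret-*.env")
	if err != nil {
		return "", "", err
	}
	path = f.Name()
	defer os.Remove(path) // cleanup runs even if the child fails
	// CreateTemp already uses mode 0600; stating it keeps the intent explicit.
	if err = f.Chmod(0o600); err == nil {
		_, err = f.Write(content)
	}
	if cerr := f.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return "", path, err
	}
	sub := make([]string, len(args))
	for i, a := range args {
		if a == "{}" {
			a = path
		}
		sub[i] = a
	}
	cmd := exec.Command(name, sub...)
	var out bytes.Buffer
	cmd.Stdout, cmd.Stderr = &out, &out
	err = cmd.Run()
	return out.String(), path, err
}

func main() {
	out, err := ExecEnv(sampleSecrets, "sh", "-c", `echo "DB_PASSWORD present: ${DB_PASSWORD:+yes}"`)
	fmt.Print(out)
	if err != nil {
		fmt.Println("exec-env failed:", err)
	}
	out, path, err := ExecFile(DotEnv(sampleSecrets), "wc", "-l", "{}")
	fmt.Print(out)
	if err != nil {
		fmt.Println("exec-file failed:", err)
	}
	_, statErr := os.Stat(path)
	fmt.Println("temp file removed:", os.IsNotExist(statErr))
}
```

The `defer os.Remove(path)` is the important line: the decrypted material exists on disk only for the lifetime of the child process, and the 0600 mode keeps other local users from reading it during that window. The environment variant avoids the disk entirely, at the cost that any process inspecting the child’s environment (or the child printing it into a log) can expose the values.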
Azure Key Vault
Hosting your applications on Azure? If yes, then this would be a good choice.
Azure Key Vault enables users to manage all secrets (keys, certificates, connection strings, passwords, etc.) for their cloud applications in one place. It integrates out of the box with the sources and consumers of secrets in Azure, and applications outside Azure can use it as well.
You can also improve performance by cutting down the latency of your cloud applications, storing cryptographic keys in the cloud instead of on-premises.
Azure can help you meet data protection and compliance requirements.
Docker secrets let you easily add a secret to the cluster, and it is shared only over mutually authenticated TLS connections. The secret reaches a manager node and is automatically saved into the internal Raft store, which is encrypted.
Docker secrets make it easy to manage this data and deliver it only to the containers that have been granted access to it, preventing the secrets from leaking while the application uses them.
Knox was developed by the social media platform Pinterest to solve its problems with managing keys manually and keeping an audit trail. Knox is written in Go, and clients communicate with the Knox server using a REST API.
Knox uses a volatile temporary database for storing keys. It encrypts the data stored in the database using AES-GCM with a master encryption key. Knox is also available as a Docker image.
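Several tools on this list share one storage pattern: Vault encrypts with 256-bit AES-GCM, Knox encrypts its database with AES-GCM under a master key, and Confidant keeps every secret append-only with a fresh data key for each modification. The Go program below is an added example written for this article to illustrate that pattern; it is not the code of Vault, Knox or Confidant. `Store`, `Put`, `Get` and `revision` are hypothetical names, the master key is generated in-process for the demo (a real deployment keeps it in a KMS/HSM or reconstructs it at unseal time), and the store is in-memory and single-goroutine rather than backed by DynamoDB or a database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// revision is one immutable version of a secret; its data key is kept only
// in wrapped (master-key-encrypted) form.
type revision struct {
	WrappedKey []byte // data key sealed with the master key (AES-256-GCM)
	Ciphertext []byte // secret sealed with the data key (AES-256-GCM)
}

// Store is an in-memory, append-only secret store: writes add revisions,
// nothing is overwritten or deleted, so every change stays auditable.
type Store struct {
	master  cipher.AEAD
	secrets map[string][]revision
}

// gcm builds an AES-GCM AEAD; keys are always 32 bytes here, so an error is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

// seal returns nonce||ciphertext||tag under a fresh random 96-bit nonce.
func seal(aead cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

func unseal(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// NewStore takes the 32-byte master key; it is never stored beside the data.
func NewStore(masterKey []byte) (*Store, error) {
	if len(masterKey) != 32 {
		return nil, fmt.Errorf("master key must be 32 bytes, got %d", len(masterKey))
	}
	return &Store{master: gcm(masterKey), secrets: map[string][]revision{}}, nil
}

// Put appends a new revision and returns its 1-based number. Every write
// gets its own random 256-bit data key, used exactly once; the secret name
// is bound into both AEAD tags as associated data, so a blob cannot be
// re-labelled as a different secret.
func (s *Store) Put(name string, plaintext []byte) int {
	dataKey := randBytes(32)
	s.secrets[name] = append(s.secrets[name], revision{
		WrappedKey: seal(s.master, dataKey, []byte(name)),
		Ciphertext: seal(gcm(dataKey), plaintext, []byte(name)),
	})
	return len(s.secrets[name])
}

// Get decrypts revision rev of name; rev 0 selects the latest. The data key
// is unwrapped first, so a wrong master key or a tampered blob fails closed.
func (s *Store) Get(name string, rev int) ([]byte, error) {
	revs := s.secrets[name]
	if rev == 0 {
		rev = len(revs)
	}
	if rev < 1 || rev > len(revs) {
		return nil, fmt.Errorf("%s: no revision %d", name, rev)
	}
	r := revs[rev-1]
	dataKey, err := unseal(s.master, r.WrappedKey, []byte(name))
	if err != nil {
		return nil, fmt.Errorf("%s: unwrap data key: %w", name, err)
	}
	return unseal(gcm(dataKey), r.Ciphertext, []byte(name))
}

func main() {
	st, _ := NewStore(randBytes(32)) // constructed master key for the demo
	st.Put("db/password", []byte("first-value"))
	st.Put("db/password", []byte("second-value"))
	latest, _ := st.Get("db/password", 0)
	first, _ := st.Get("db/password", 1)
	fmt.Printf("latest=%q rev1=%q\n", latest, first)
}
```

Two consequences of the design are worth checking in your own store: because each revision has its own data key, rotating the master key only requires re-wrapping the small `WrappedKey` blobs rather than re-encrypting every secret; and because the secret name is authenticated data, copying an encrypted blob from one secret to another is detected at decryption time rather than silently returning the wrong value.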
From startups to enterprises, thousands of organizations use Doppler to keep their secret and app configuration in sync across environments, team members, and devices.
There is no need to share secrets over email, zip files, git, or Slack; your team can collaborate and has each secret instantly after it is added. Doppler gives you peace of mind by automating the process and saving time.
You can create references to frequently used secrets so that a single update propagates everywhere. Use the secrets in serverless, Docker, or anywhere else; Doppler works with you, and when your stack evolves it keeps working, allowing you to go live within minutes.
The Doppler CLI fetches the right secrets based on your project directory. If a change breaks something, you can easily roll it back in a single click or via the CLI and API.
With Doppler, work smarter rather than harder and get your secret management software for FREE. If you seek more features and benefits, go with a starter pack at $6/month/seat.
I hope the above gives you an idea about some of the best software to manage application credentials.
Next, explore digital assets inventory and monitoring solutions.