Secure what matters to your business.
There’s a lot to think about while working with containers, Kubernetes, cloud, and secrets. You have to apply best practices around identity and access management in addition to choosing and operating the right tools.
Whether you’re a developer or a sysadmin, you need to make sure that you have chosen the right tools to keep your environments secure. Applications need access to configuration data in order to operate correctly. And while most configuration data is non-sensitive, some of it needs to remain confidential. These strings are known as secrets.
If you’re building a reliable application, the chances are that your functions need to access secrets or other types of sensitive information that you are keeping. These secrets include:
- API keys
- Database credentials
- Encryption keys
- Sensitive configuration settings (email address, usernames, debug flags, etc.)
However, taking care of these secrets securely can prove to be a difficult task. So here are a few tips for developers and sysadmins:
Patching function dependencies
Always track the libraries that are used in your functions and flag vulnerabilities by monitoring them continuously.
Employ API gateways as a security buffer
Don’t expose functions directly to user interaction. Leverage your cloud provider’s API gateway capabilities to add another layer of security on top of your function.
Secure and verify data in transit
Be sure to use HTTPS for a secure communication channel and to verify SSL certificates so that the identity of the remote party is confirmed.
Follow secure coding rules for application code
With no servers to hack, attackers will turn their attention to the application layer, so take extra care to protect your code.
Manage secrets in secure storage
Sensitive information can readily be leaked, and out-of-date credentials are susceptible to rainbow table attacks if you neglect to adopt a proper secrets management solution. Remember not to store secrets on the application host, in environment variables, or in a source code management system.
Key management in the corporate world is very painful due to, among other reasons, a lack of knowledge and resources. Instead, some companies embed the encryption keys and other software secrets directly in the source code of the application that uses them, introducing the risk of exposing those secrets.
Because off-the-shelf solutions were scarce, many companies have built their own secrets management tools. Here are a few you can leverage for your requirements.
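A practical complement to the advice above is to detect credentials that have already been committed before they reach a repository. The following is an added example, not code from the original post or from any of the tools below: it scans constructed source lines for common secret shapes and uses a Shannon entropy check so that placeholders such as "changeme" are not reported; the patterns, threshold and sample values are assumptions.

```python
import math
import re
from collections import Counter

# Credential shapes commonly found in source (patterns are assumptions for this example)
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "db_url_with_password": re.compile(r"\b\w+://[^\s:/@]+:[^\s@]+@[^\s/]+"),
    # generic `password = "..."` style assignment; the value is entropy-checked below
    "assigned_secret": re.compile(
        r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}

def shannon_entropy(value: str) -> float:
    """Bits per character: placeholders like 'changeme' score low, real keys score high."""
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())

def scan_source(text: str, entropy_threshold: float = 3.5):
    """Return (line number, pattern name) for every line that looks like a hardcoded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # Only flag generic assignments when the value looks random enough
            if name == "assigned_secret" and shannon_entropy(match.group(2)) < entropy_threshold:
                continue
            findings.append((lineno, name))
    return findings

# Constructed sample file; the AWS key is the placeholder value used in AWS documentation
SAMPLE_SOURCE = """\
import os
DB_URL = "postgres://app:Tr0ub4dor&3@db.internal:5432/app"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
password = "changeme"
api_key = "sk_live_9f8e7d6c5b4a3f2e1d0c"
token = secret_store.get("api-token")
"""

if __name__ == "__main__":
    for lineno, name in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: possible hardcoded secret ({name})")
```

The last sample line fetches the token at runtime from a store and is correctly left unflagged, which is the pattern the rest of this article recommends.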
HashiCorp Vault is a tool for securely storing and accessing secrets.
It provides a unified interface to secrets while maintaining tight access control and recording a comprehensive audit log. It secures user applications and infrastructure to limit the attack surface and the attack window in the case of a breach. It exposes an API that grants access to secrets based on policies. Every user of the API must authenticate and can see only the secrets they are authorized to view.
Vault encrypts data using 256-bit AES with GCM.
It can store data in various backends such as Amazon DynamoDB, Consul, and many more. For auditing, Vault supports logging to a local file, a syslog server, or directly to a socket. Vault logs information about the client that performed an action, the client’s IP address, the action, and the time at which it was performed.
Starting or restarting Vault always involves one or more operators unsealing it. Vault works primarily with tokens. Each token is bound to a policy that may constrain the permitted actions and paths. The key features of Vault are:
- It encrypts and decrypts data without storing it.
- Vault can generate secrets on-demand for some operations, such as AWS or SQL databases.
- Allows replication across multiple data centres.
- Vault has built-in support for secret revocation.
- Serves as a secret repository with access control details.
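The unseal step mentioned above works because Vault splits its master key with Shamir’s secret sharing, so a quorum of operators must each supply a share before the stored secrets can be read. The following is an added example, not Vault’s own code: it illustrates the scheme over a large prime field, which is an assumption chosen for readability (Vault’s implementation differs in its details), and shows that any three of five shares rebuild the key while two do not.

```python
import secrets as rng  # stdlib CSPRNG, unrelated to the application secrets discussed here

# Prime field large enough to hold a 32-byte master key as a single integer (assumption)
PRIME = 2**521 - 1

def _eval_poly(coeffs, x):
    # Horner's rule; coeffs[0] is the secret, the remaining coefficients are random
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_key(master_key: bytes, shares: int, threshold: int):
    """Split master_key into `shares` unseal shares; any `threshold` of them rebuild it."""
    secret = int.from_bytes(master_key, "big")
    if not 1 <= threshold <= shares or secret >= PRIME:
        raise ValueError("invalid threshold/share count or key too long for the field")
    coeffs = [secret] + [rng.randbelow(PRIME) for _ in range(threshold - 1)]
    # Share i is the point (i, f(i)); the point at x=0 (the secret) is never handed out
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]

def recover_key(shares, key_len: int) -> bytes:
    """Lagrange interpolation at x=0. Below the threshold the result is a random field
    element, not the key, and no error is raised: the scheme does not reveal closeness."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    # Pad to key_len; a wrong (sub-threshold) result may be wider than the key
    length = max(key_len, (total.bit_length() + 7) // 8)
    return total.to_bytes(length, "big")

if __name__ == "__main__":
    key = rng.token_bytes(32)                       # stand-in for the master key
    parts = split_key(key, shares=5, threshold=3)   # one share per operator
    print("3 of 5 unseal:", recover_key(parts[:3], 32) == key)
    print("2 of 5 unseal:", recover_key(parts[:2], 32) == key)
```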
AWS Secrets Manager
You expected AWS on this list, didn’t you?
AWS has a solution to every problem.
AWS Secrets Manager enables you to quickly rotate, manage, and retrieve database credentials, API keys, and other passwords. Using Secrets Manager, you can secure, analyze, and manage the secrets needed to access resources in the AWS Cloud, on third-party services, and on-premises.
Secrets Manager enables you to manage access to secrets using fine-grained permissions. The key features of AWS Secrets Manager are:
- Encrypts secrets at rest using encryption keys.
- Decrypts the secret and then transmits it securely over TLS.
- Provides code samples that help you call the Secrets Manager APIs.
- Offers client-side caching libraries to improve availability and reduce the latency of using your secrets.
- Lets you configure Amazon VPC (Virtual Private Cloud) endpoints to keep traffic within the AWS network.
Square Keywhiz helps with infrastructure secrets such as GPG keyrings, database credentials, TLS certificates and keys, symmetric keys, API tokens, and SSH keys for external services. Keywhiz is a tool for handling and sharing secrets.
The automation in Keywhiz lets you seamlessly distribute and set up the secrets your services need, which requires a consistent and secure environment. The key features of Keywhiz are:
- Keywhiz Server provides JSON APIs for collecting and managing secrets.
- It stores all secrets in memory only and never persists them to disk.
- The UI is built with AngularJS so that users can validate and work with secrets through it.
Confidant is an open-source secret management tool that provides user-friendly and secure storage of and access to secrets. Confidant stores secrets in an append-only fashion in DynamoDB and generates a unique KMS data key for every modification of every secret, using Fernet symmetric authenticated cryptography.
It provides an AngularJS web interface that lets end users efficiently manage secrets, the mappings of secrets to services, and the record of changes. Some of the features include:
- KMS Authentication
- At-rest encryption of versioned secrets
- A user-friendly web interface for managing secrets
- Generates tokens that can be used for service-to-service authentication or to pass encrypted messages between services.
Strongbox is a handy tool that handles, stores, and retrieves secrets such as access tokens, private certificates, and encryption keys. Strongbox is a client-side convenience layer: it maintains the AWS resources for you and also configures them securely.
You can search your entire set of passwords and secrets instantly and effectively with the deep search. You have the option to store the credentials either locally or in the cloud. If you choose the cloud, you can store them in iCloud, Dropbox, OneDrive, Google Drive, WebDAV, etc.
Strongbox is compatible with other password safes.
Azure Key Vault
Hosting your applications on Azure? If so, this would be a good choice.
Azure Key Vault enables users to manage all secrets (keys, certificates, connection strings, passwords, etc.) for their cloud application in one place. It is integrated out of the box with the sources and consumers of secrets in Azure. It can also be used by applications outside Azure.
You can also use it to improve performance: storing cryptographic keys in the cloud instead of on-premises cuts down the latency of your cloud applications.
Azure Key Vault can help you meet data protection and compliance requirements.
Docker secrets let you easily add a secret to the cluster, and it is shared only over mutually authenticated TLS connections. The secret is sent to a manager node, which automatically saves it in the internal Raft store, ensuring that the data is stored encrypted.
Docker secrets make it easy to manage this data and deliver it only to the containers that have been granted access to it. This prevents the secrets from leaking while the application is using them.
Knox was developed by the social media platform Pinterest to solve its problems with managing keys manually and keeping an audit trail. Knox is written in Go, and clients communicate with the Knox server using a REST API.
Knox uses a volatile temporary database for storing keys. It encrypts the data stored in the database using AES-GCM with a master encryption key. Knox is also available as a Docker image.
I hope the above gives you an idea about some of the best software to manage application credentials.