Compile a set of best practices for storing secrets #58
Reference: ungleich-public/cdist#58
As has been discussed in #cdist:ungleich.ch last week, I am opening a ticket to compile a set of best practices, to be added to the manual, on how to handle secrets in cdist.
Generally I think it's safe to say that for any possible solution:
mentioned in merge request cdist-contrib!19
@fancsali The current situation is unsatisfactory for multiple reasons.
As far as the locations are concerned:

- `/var/lib/cdist` on target: The password will be left there on the target. The directory is only accessible to `root`, though. So given that the password is likely going to be readable by root anyway, I (personally) can live with that.
- `$TMPDIR` on config host: Does cdist clean up after itself? If not, it should.
- `tmp` on target: I don't think any directory other than `/var/lib/cdist` (`--remote-out-dir`) is used on the target.
- `~/.cdist/cache` on config host: Frankly, I don't know what this cache is used for. Couldn't it be disabled?
On a general note: cdist could do a better job cleaning up after itself.
This would reduce the life time of secrets being available on the file system.
RAM-Disks could be used wherever possible to make sure that nothing is left on the disk at any time.
All of this would be good style and should be considered, but I personally store my secrets GnuPG-encrypted because I want to be able to commit them to Git.
This is what bothers me: secrets being persistently stored on one server.
Temporary copies should be limited as much as possible, but:
Who tells me that he won't modify any of the code to be executed on the target?
Moreover, if he can run commands he has root permissions on the target, too.
I've been thinking about this and I reckon we leave the keys in a few places after a run:

- `/var/lib/cdist`
- `tmp` location on the local machine
- `tmp` on the server

... or is my understanding actually a misunderstanding?
I handle secrets as follows:

In my `.cdist` I created a folder `secret` which represents a pass repository (`PASSWORD_STORE_DIR=~/.cdist/secret pass init ...`).

I have a shell function defined in `manifest/init` to retrieve passwords:

In cases where the password is stored in plaintext on the target, using a password is as simple as:

(This will temporarily copy the password to the target's `/var/lib/cdist`. This is not optimal, but since the secret is stored in plain text anyway, I personally don't consider this too much of an issue.)

If the application on the target allows for encrypted or hashed storage of the secret (e.g. user passwords), another shell function can be used on the config host to transform the secret into the format required for the target application:
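The helper functions this last comment refers to are not shown on the page. What follows is an added example, not the commenter's or the project's code, of how such `manifest/init` helpers could look: a lookup that fails the run on a missing entry, and a hashing helper so only a crypt(3) hash reaches the target. It assumes `pass` and OpenSSL 1.1.1 or later (for `openssl passwd -6`) on the config host, the `~/.cdist/secret` store path from the comment, and the `__user --password` usage line is illustrative only.

```shell
#!/bin/sh
# Added example (not from the thread): secret helpers for a cdist manifest/init.
# Assumptions: `pass` and `openssl` (>= 1.1.1) exist on the config host; the
# store lives in ~/.cdist/secret as described in the comment above.
set -eu

SECRET_STORE="${SECRET_STORE:-$HOME/.cdist/secret}"

# Fetch a plaintext secret (first line of the pass entry) from the store.
# A missing or empty entry aborts the run, so a typo in the entry name can
# never silently deploy an empty password to the target.
secret() {
    _name=$1
    _out=$(PASSWORD_STORE_DIR="$SECRET_STORE" pass show "$_name") || {
        echo "secret: '$_name' not found in $SECRET_STORE" >&2
        return 1
    }
    _value=$(printf '%s\n' "$_out" | head -n 1)
    [ -n "$_value" ] || { echo "secret: '$_name' is empty" >&2; return 1; }
    printf '%s' "$_value"
}

# Turn a secret into a crypt(3) SHA-512 hash on the config host, so for
# applications that accept hashed credentials only the hash, never the
# plaintext, is copied to the target.
secret_hash() {
    _plain=$(secret "$1") || return 1
    printf '%s\n' "$_plain" | openssl passwd -6 -stdin
}

# Illustrative use in a manifest (type/parameter names are assumptions):
#   __user deploy --password "$(secret_hash users/deploy)"
```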