There's an application that is capable of spinning up nodes for HA. All nodes need to be synchronized with a configuration file that contains the credentials of all the admins.
The current solution is through a RESTful GET request to pull the config file to the newly created node.
- The request is over HTTPS.
- The request requires admin authorization through an API token.
- The config file is not encrypted in transit (apart from being sent over HTTPS).
- The config file contains admin usernames in plain text.
- The config file contains admin passwords in a HASH+SALT format.
- All nodes need the full config file.
The security of the configuration file and its contents, more specifically the admin credentials, is the main issue.
The risk is someone being able to access the file in transit or over the REST API. For instance, other admins can request this file and see all the admins' usernames and their hash+salted passwords.
Is there a more secure way of doing this?