Questions tagged [secrets-management]

44 questions
100 votes, 12 answers

How do very big companies manage their most important passwords / keys?

Third-party password managers such as 1password, etc. are useful for people, businesses, etc. to store passwords. But I bet Facebook, Google, Twitter and other super big tech companies don't use such third-party services for their internal passwords…
Basj
27 votes, 3 answers

Is an AWS "Access Key ID" a secret?

AWS's "Secret Key" is (obviously) a secret, but should an "Access Key" alone (without the corresponding secret key) be considered a secret too?
Daniel Serodio
18 votes, 4 answers

Microsoft Word to secure stored data

I understand the purpose of Microsoft Word is not to store secret information. However, I would rather spread my secret information between a Password Manager and a Word document, each of which has separate secure passwords. Is a password-protected…
EML
6 votes, 2 answers

Vault Secret server best practices

Recently, HashiCorp released a secrets management solution called Vault. It is a free and open source general secrets storage and secret generator, acting as a vault for passwords, encryption keys, and hash salts. I am wondering if anyone has…
Goli E
6 votes, 2 answers

In OAuth 2.0, how is the client secret supposed to be kept secret?

Using most OAuth 2.0 flows, a client application can identify itself to the authorization server by means of a "client id" and "client secret." The OAuth 2 specification says that the client secret should indeed be kept secret. However, if the…
the_endian
5 votes, 1 answer

Where to store secrets in .NET applications?

I have some secrets that need to be transferred from my .NET application to another. I am using the CNG DPAPI to encrypt these secrets, and I wish to find the most suitable place to store them (in this encrypted format) on my machine (from which I…
NLuburić
4 votes, 0 answers

Best practice for storing security tokens in source code

I have a PHP system and I need to store some tokens for operations like: database username and password, API token, keys for encryption. It turns out that for a long time only I manage the source code, but soon other people will need to maintain the…
Tom
3 votes, 2 answers

How to securely share a secret / password between n individuals, so that majority consensus is required to retrieve the password / secret?

The following constraints apply: cannot use a physical storage medium (such as a safe / vault); the service used to store the secret / password should be highly available and accessible from anywhere in the world.
kaushal
3 votes, 1 answer

Can I use HashiCorp Vault to restrict access to credentials based on CIDR ranges?

This seems like a pretty simple use case, but it would depend on some pretty recently added functionality which I might not understand yet: A python script gets populated by configuration management on a few monitoring servers within a specific IP…
2 votes, 2 answers

How to do auth without user interaction in an enterprise environment?

We are building a Chrome Extension that will be force-installed on each employee's browser for the companies we work with. We currently use OAuth but many employees are forgetting to sign up. We are thinking of replacing OAuth with something that…
2 votes, 3 answers

How can I pass secrets to a compromised container without the attacker being able to see them?

The most common method of passing secrets to a docker container is through ENVs. The problem is: Imagine that your docker container is hosting a HTTP server that can have a security exploit (like any software), that will give almost command line…
2 votes, 2 answers

Environment variables vs secrets managers

I am testing an in-development app locally. Currently I use environment variables to store JWT secrets and database usernames and passwords. I am interested in further securing this, and found out about secret managers (like Conjur). How is this…
theonlygusti
2 votes, 2 answers

Alternatives to hardcoding or encrypting key material in source code

What is best practice as of 2019 for storing secrets inside applications? Sometimes in an app, you might need to access some web-resource or other asset that requires authentication or decryption. What is the best practice to achieve this? I've seen…
Woodstock
2 votes, 0 answers

Securing key generation by 3rd parties

I'm working on an IoT product that uses the cloud once finished. Each of these devices has a serial number, from which a key is derived. This key is then stored on the device itself and in the cloud. These two mechanisms are working flawlessly and…
2 votes, 1 answer

Is getpass.io secret-based artwork a threat?

When typing a secret keyword into Getpass, a little jdenticon is shown on the right, based on the secret that was entered. The FAQ on Getpass states the following about it: Did you notice that secret keyword is obscured? If yes, then this is a …
Arthur Attout