Questions tagged [secrets-management]
The secrets-management tag has no summary.
75 questions
2 votes · 1 answer · 92 views
How can I securely store and manage API keys in a multi-environment web application?
I’m developing a web application that requires interaction with multiple third-party APIs. I need to ensure that the API keys and secrets are stored securely and accessed safely by the application ...
1 vote · 1 answer · 424 views
Is it safe to publish encrypted secrets in a git repository?
Tools like Ansible Vault, CNCF SOPS or Chezmoi make it easy to keep secrets encrypted in version control, so that you can publish the repository, but still use the secrets inside when deploying. This ...
1 vote · 0 answers · 110 views
Is it common for API providers to offer an endpoint to allow customers to make a key rotation using a secret? Are There Security Concerns?
We currently provide API keys to our users for authentication, but we do not support API key rotation (i.e., users must generate new keys manually). I’m trying to understand:
Is it common for API ...
3 votes · 1 answer · 546 views
Deriving multiple hashes from a single password for different use cases
I'm designing a service to store secrets without relying on traditional mail-password system.
I will describe this service to give a bit more context for my questions, at the end.
secret The payload ...
0 votes · 2 answers · 262 views
Is there a way to limit web server access by domain?
Currently, there is no way to use the OpenAI API (ChatGPT) from the frontend without exposing your secret key.
I wonder if there is a way to solve this. My thinking is: I would create a web server ...
1 vote · 0 answers · 256 views
Last.fm client application: How should secrets be handled
I am creating a browser (Chrome) extension that will serve as a YouTube Music Last.fm scrobbler (detect songs and send them to Last.fm).
I created a last.fm application(docs) which granted me
an api ...
1 vote · 1 answer · 171 views
Root takeover attack on Kubernetes host despite Vault agent
HashiCorp Vault Agent creates a sidecar that talks to the Vault server and injects secrets as files into containers, where the files are located under /vault/secrets/.
"render all defined ...
0 votes · 0 answers · 81 views
Intercept calls to authenticated 3rd-party APIs, to automatically add auth keys?
Is this a good approach to preventing the leakage of secrets?
Say I had a simple setup where Alice holds the secret to access Bob, and Charlie has basic shell access to Alice (with a different auth ...
1 vote · 1 answer · 109 views
Do credential stores have added value for API key protection on unsupervised system? If so, how?
I have recently been thinking deeply about the most secure ways to store credentials (like API keys) for use by unsupervised programs running on unsupervised servers. I have such systems and would ...
0 votes · 0 answers · 74 views
Can non-rotatable secrets be stored in ciphertext form in a DB/file/etc.?
We have a service running on AWS. This service uses secrets such as API keys of third party services (in other words: secrets which do not rotate automatically). These secrets are stored in AWS ...
2 votes · 2 answers · 362 views
Securely store password for API sessions
Scenario:
I have a PHP web application that needs to make an API call using a password provided by the user. I want to temporarily store this password so I can use it across multiple requests without ...
0 votes · 1 answer · 319 views
Launch a process with secrets as environment variables
I have a process that needs secret keys to be passed as environment variables. That is for historical reasons.
I have an AWS machine where this process runs but I do not want to store these keys in ...
-1 votes · 1 answer · 332 views
How to use `docker secret` to prevent secrets from being seen in plain text by unauthorized individuals
I am exploring how to use docker secrets, but all the secrets are visible in plain text format to anyone who can use the docker command. How do I ensure all secrets are sufficiently protected and not ...
0 votes · 1 answer · 405 views
Wireguard client configuration file - confidential values
Given a Wireguard client configuration file, I guess some of the fields shouldn't be shared with just anyone, like the private key, right?
Is there any other field that should be treated as a ...
2 votes · 0 answers · 158 views
How are companies automatically rotating secrets such as API keys?
We currently rotate AWS-specific secrets via AWS Secrets Manager without much issue. However, we are looking to also rotate secrets e.g. API keys for specific services, but AWS Secrets Manager does ...