You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, it is difficult to enforce secret lifecycle best practices on KV secrets in a secure manner. Three best practices are (1) secrets are not stale (2) the same secret isn’t reused in multiple paths (3) secrets are not in source code.
A component to enforce these best practices (external to Vault), would encounter some difficulties with the current KV mount today.
(1) Secrets are not stale
While KV metadata provides the age of a particular version of a secret, it does not provide information whether the current version is the same as a previous version of the secret. To ensure the case that a secret value has been updated, the component needs access to KV data. To check how long a secret remains unchanged, a component needs to compare values between different versions.
(2) Same secret isn’t reused in multiple paths
This again needs access to KV data. If secrets are not to be stored outside of the vault, it is resource intensive since each secret needs to be compared with every other secret.
(3) Secrets are not in source code
Source code scanners use heuristics – regexes and entropy. An improvement would be to scan source code directly and check directly whether the KV store contains those secrets.
To enforce all 3 parts, the current KV API requires the “component” to have read access to all secrets in the KV mount, which makes this component nearly as sensitive as Vault itself.
Here is our proposal, instead of relying on reading all secret values from KV, the component could use the salted hash of all the values from path, with a new API (//salt-hash/:path). The salt is similar to the salt in /sys/audit-hash
By providing such an API, we could 1) avoid security issues that a secret lifecycle management component has broad access to actual KV secrets 2) improve the policy management.
If a user wants to compare two secret versions, they now only need to compare the hashes of the two versions. It is also easy to compare the hashes of different secret paths to find secrets reused in multiple paths (and the enforce component can store hashes to save computation time). Finally, a source code scanner can generate hashes of candidate strings and use the hash to see if there is a match with an existing secret without accessing the secret.
Design of Change
A GetSaltHashValue handler was added to the salt path (//salt-hash/:path). A GetSaltHashValue request must be performed on an existing resource. If a key metadata entry exists without data, a 404 is returned. If no key metadata or data entry exists for the path requested, the GetSaltHashValue short circuits and will ultimately bubble up to a 404 within Vault's response handling logic. For an existing secret path with both data and metadata in place, when GetSaltHashValue is invoked, it will return the salt hash version of each attribute in the data object in json format. Meanwhile, GetSaltHashValue also takes one optional parameters as input, version number. If the parameters are not set, it will use the default version. For instance, if the version is not specified, it will by default use the latest version.
/kv/salt-hash:path
Request { "version" : 1 }
Response { "foo" : <salt hash of foo>, "value" : <salt hash of value> }
Policy in hclPath "kv/salt-hash/*" {capabilitiy = ["read"]}
The text was updated successfully, but these errors were encountered:
Overview
Currently, it is difficult to enforce secret lifecycle best practices on KV secrets in a secure manner. Three best practices are (1) secrets are not stale (2) the same secret isn’t reused in multiple paths (3) secrets are not in source code.
A component to enforce these best practices (external to Vault), would encounter some difficulties with the current KV mount today.
(1) Secrets are not stale
While KV metadata provides the age of a particular version of a secret, it does not provide information whether the current version is the same as a previous version of the secret. To ensure the case that a secret value has been updated, the component needs access to KV data. To check how long a secret remains unchanged, a component needs to compare values between different versions.
(2) Same secret isn’t reused in multiple paths
This again needs access to KV data. If secrets are not to be stored outside of the vault, it is resource intensive since each secret needs to be compared with every other secret.
(3) Secrets are not in source code
Source code scanners use heuristics – regexes and entropy. An improvement would be to scan source code directly and check directly whether the KV store contains those secrets.
To enforce all 3 parts, the current KV API requires the “component” to have read access to all secrets in the KV mount, which makes this component nearly as sensitive as Vault itself.
Here is our proposal, instead of relying on reading all secret values from KV, the component could use the salted hash of all the values from path, with a new API (//salt-hash/:path). The salt is similar to the salt in /sys/audit-hash
By providing such an API, we could 1) avoid security issues that a secret lifecycle management component has broad access to actual KV secrets 2) improve the policy management.
If a user wants to compare two secret versions, they now only need to compare the hashes of the two versions. It is also easy to compare the hashes of different secret paths to find secrets reused in multiple paths (and the enforce component can store hashes to save computation time). Finally, a source code scanner can generate hashes of candidate strings and use the hash to see if there is a match with an existing secret without accessing the secret.
Design of Change
A GetSaltHashValue handler was added to the salt path (//salt-hash/:path). A GetSaltHashValue request must be performed on an existing resource. If a key metadata entry exists without data, a 404 is returned. If no key metadata or data entry exists for the path requested, the GetSaltHashValue short circuits and will ultimately bubble up to a 404 within Vault's response handling logic. For an existing secret path with both data and metadata in place, when GetSaltHashValue is invoked, it will return the salt hash version of each attribute in the data object in json format. Meanwhile, GetSaltHashValue also takes one optional parameters as input, version number. If the parameters are not set, it will use the default version. For instance, if the version is not specified, it will by default use the latest version.
The text was updated successfully, but these errors were encountered: