Best practice for build-time secrets?

As long as you can deal with radical candor, there is no time like the present to get started.

There are a number of products which can help with this. Vault, HSM, and KMS are examples. But before proceeding, let’s acknowledge that we are playing with fire:

  • You have 20+ secrets that you are willing to share with us, and we therefore have an obligation to protect.
  • We provide you the ability to run the code of your choice on our machines with full access to these secrets.
  • You have a need to be able to run deploy from a platform that neither of us control.

If you search the web it is not hard to find examples of the damage that can occur once you lose access to your secrets. I’ll decline to provide links to competitors’ woes, but I will say that such links are not hard to find.

Now back to addressing your requirements. Fundamentally the problem is one of putting all of your secrets in one place, and then making it difficult to get access to those secrets. So the question reduces to: how difficult do you want to make it to get access to your secrets?

Circling back to your requirement: cope with having multiple secrets in a real-world scenario, I can describe how Rails does it: custom credentials. The approach is absurdly simple, yet brilliantly effective:

  • A script that you run that, given a single master secret, decrypts a file if it exists, launches an editor, and upon exit from that editor encrypts the result.
  • An API that can be called from the deployed machine to extract a named secret, making use of the one master key which is deployed as a platform secret.

We could take that one step further and write a small script that extracts all of the secrets in the file, sets environment variables, then launches your application. You would then only need to modify the CMD/ENTRYPOINT in your Dockerfile to run this script instead of launching your application directly.

Realize that I am trying to walk a fine line here. What I just described is something you could choose to do, and I’ve tried to make clear the risks you will be assuming if you do so. That being said, if you wish to explore this further, I would be glad to help either extracting and adapting this code from Rails or exploring how to make use of one of the many existing tools that can help you securely manage secrets.

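The pattern the reply describes (one master key deployed as a platform secret, one encrypted file holding every application secret, an API that fetches a named secret, and a wrapper that exports everything into the environment before launching the app), as an added Ruby sketch that is not Rails' own credentials code and not part of the original post. The module name, the hex master-key format and the nonce || tag || ciphertext file layout are my own assumptions; the cipher is AES-256-GCM so a tampered file or a wrong key fails closed instead of yielding garbage.

```ruby
require "openssl"
require "yaml"
require "securerandom"

# Simplified model of the Rails "credentials" pattern (not Rails' code):
# one master key unlocks one encrypted YAML file of secrets.
module BuildSecrets
  CIPHER = "aes-256-gcm"

  # 32-byte master key as hex: the one value kept out of git and
  # supplied to the deployed machine as a platform secret.
  def self.generate_master_key
    SecureRandom.hex(32)
  end

  # Encrypt plaintext YAML. Output layout (assumed): 12-byte nonce,
  # 16-byte GCM tag, ciphertext. A fresh random nonce per encryption.
  def self.encrypt(plaintext, master_key_hex)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = [master_key_hex].pack("H*")
    nonce = cipher.random_iv
    ciphertext = cipher.update(plaintext) + cipher.final
    nonce + cipher.auth_tag + ciphertext
  end

  # Decrypt and authenticate. Raises OpenSSL::Cipher::CipherError when the
  # key is wrong or any byte of the file was altered (fail closed).
  def self.decrypt(blob, master_key_hex)
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = [master_key_hex].pack("H*")
    cipher.iv = blob[0, 12]
    cipher.auth_tag = blob[12, 16]
    cipher.update(blob[28..]) + cipher.final
  end

  # The "API called from the deployed machine": one named secret.
  def self.fetch(blob, master_key_hex, name)
    YAML.safe_load(decrypt(blob, master_key_hex)).fetch(name)
  end

  # The wrapper-script step: export every secret into the environment.
  # Returns the exported variable names so a caller can verify coverage.
  def self.export_to_env(blob, master_key_hex, env = ENV)
    secrets = YAML.safe_load(decrypt(blob, master_key_hex))
    secrets.each { |k, v| env[k.to_s.upcase] = v.to_s }
    secrets.keys.map { |k| k.to_s.upcase }
  end

  # What a Dockerfile ENTRYPOINT would call: populate ENV, then replace
  # this process with the real application command.
  def self.run_app(blob, master_key_hex, *command)
    export_to_env(blob, master_key_hex)
    exec(*command)
  end
end
```

The secrets are only ever in memory of the container process; the encrypted file can live in the image or repository, while the master key must still be protected as carefully as the reply warns.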