Static Secrets Definition
What Are Static Secrets?
Static secrets are the credentials that machines, applications, services, and humans use to access other systems, and whose values stay the same for long periods of time. They come in multiple forms:
- Passwords
- TLS/SSL certificates (strictly, the private keys behind them)
- SSH keys
- Tokens
- API keys
Other types exist as well, but whatever the form, a secret grants access: to a database, to a privileged account, to another service. Secrets are what let applications connect and exchange information within a business, and they must be rotated regularly, because a value that never changes keeps working for an attacker for as long as it takes you to notice it leaked.
Part of the job of a DevOps team is to create secrets and manage them in a vault, and the programs, apps, and end users read them from the vault for use.
Why Do You Need a Secrets Vault?
You have to work with hundreds or even thousands of different logins. If everyone used the same login, everyone would effectively be working with administrator privileges, and you could not tell from a log who actually did what. Whenever you access third-party applications, you want to divide the privileges across individual accounts so that each one carries only the access it needs.
You also don’t want to store your secrets as plain text. Whether it’s an SSH key for remote access, an API key, or an LDAP bind credential for enterprise directory access, storing a secret in plaintext in source code, a config file, or a wiki is never safe.
The solution is a centralized secrets management tool. Keeping everything in one place makes it easier to audit who read what and to check for weak or stale credentials. Secrets are encrypted at rest, so even if a cybercriminal obtains a copy of the stored data, they cannot use it without the vault’s encryption key, and the storage backend itself only ever holds ciphertext.
Working with a vault simplifies the process. For example, say you want to generate and manage secrets for Google’s API. The general process works this way:
- The administrator creates policies for the DevOps teams, the apps, and the services of your business.
- The DevOps team creates the API key and database root certificates if applicable
- The apps read the API key, and the services involved read the database root certificate
You want to use a key/value secrets engine, which stores the API keys in whatever storage backend you have configured. Clients talk to the engine, never to the backend directly: a “read” request for a path is checked against policy, translated into the backend’s own lookup, and the value is decrypted only after it comes back from storage, so the backend never handles plaintext.
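The three-step workflow above (administrator sets policies, DevOps writes the secrets, apps and services read only what their policy allows), with the vault encrypting every value before it reaches the storage backend, as an added illustration. This is example code written for this page, not any vendor’s product code. Assumptions not taken from the page: the backend is a plain Python dict, policies are path-prefix rules, and encryption is HMAC-SHA256 used as a counter-mode keystream with an encrypt-then-MAC tag, chosen only so the example runs on the standard library alone; a real vault would use an authenticated cipher such as AES-GCM. The API key and certificate values are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (demo stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(master_key: bytes):
    # Separate keys for encryption and authentication, derived from one master key.
    return (hmac.new(master_key, b"enc", hashlib.sha256).digest(),
            hmac.new(master_key, b"mac", hashlib.sha256).digest())


def seal(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output is nonce || ciphertext || tag; only this reaches the backend."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject anything tampered."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KVSecretsEngine:
    """Toy key/value engine: policy check, encrypt, then hand ciphertext to the backend."""

    def __init__(self, master_key: bytes, backend: dict):
        self._key = master_key
        self._backend = backend      # hypothetical backend: stores ciphertext only
        self._policies = {}          # identity -> [(path_prefix, {capabilities})]
        self.audit = []              # (identity, operation, path, allowed)

    def set_policy(self, identity: str, prefix: str, capabilities) -> None:
        self._policies.setdefault(identity, []).append((prefix, set(capabilities)))

    def _allowed(self, identity: str, path: str, cap: str) -> bool:
        return any(path.startswith(p) and cap in caps
                   for p, caps in self._policies.get(identity, []))

    def write(self, identity: str, path: str, value: str) -> None:
        ok = self._allowed(identity, path, "write")
        self.audit.append((identity, "write", path, ok))
        if not ok:
            raise PermissionError(f"{identity} may not write {path}")
        self._backend[path] = seal(self._key, value.encode())   # "write" -> backend put

    def read(self, identity: str, path: str) -> str:
        ok = self._allowed(identity, path, "read")
        self.audit.append((identity, "read", path, ok))
        if not ok:
            raise PermissionError(f"{identity} may not read {path}")
        if path not in self._backend:
            raise KeyError(path)
        return unseal(self._key, self._backend[path]).decode()  # backend get -> decrypt


def demo():
    backend = {}
    engine = KVSecretsEngine(os.urandom(32), backend)
    # Step 1: the administrator writes policies for the DevOps team, the app, and the service.
    engine.set_policy("devops", "secret/", ["read", "write"])
    engine.set_policy("web-app", "secret/google/", ["read"])
    engine.set_policy("db-service", "secret/db/", ["read"])
    # Step 2: DevOps stores the API key and the database root certificate (constructed values).
    engine.write("devops", "secret/google/api-key", "AIza-example-not-a-real-key")
    engine.write("devops", "secret/db/root-ca", "-----BEGIN CERTIFICATE-----\nexample\n-----END CERTIFICATE-----")
    # Step 3: the app reads its API key; reading the service's certificate is denied.
    api_key = engine.read("web-app", "secret/google/api-key")
    try:
        engine.read("web-app", "secret/db/root-ca")
        cross_read_succeeded = True
    except PermissionError:
        cross_read_succeeded = False
    # The backend holds ciphertext only: the plaintext key never appears in it.
    backend_has_plaintext = any(b"AIza" in blob for blob in backend.values())
    return api_key, cross_read_succeeded, backend_has_plaintext, len(engine.audit)


if __name__ == "__main__":
    print(demo())
```

Every read and write, allowed or denied, lands in the audit list with the identity that made it, which is exactly the attribution you lose when credentials live in scattered config files.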
Static Secrets Vs. Dynamic Secrets
Because static secrets are often shared among multiple applications and users and rarely change, it is hard to attribute a given use to one consumer in an audit log, and rotating them means coordinating every consumer at once. Long-lived shared values are also easy to expose by accident, in source code, configuration files, or logs.
For these reasons, many organizations opt for dynamic secrets, which are generated on demand each time they are needed and expire after a short time-to-live. The idea is similar to the one-time code in the 2-Factor Authentication you use for some of your online accounts: the value is only good briefly, so a captured copy is worth little.
The DevOps secrets vault acts as the intermediary between the end user or application and the target API: the client authenticates to the vault and receives a token, and that token, rather than the underlying credential, is what is presented and verified on each request, so every access can be tied back to the identity that requested it.
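The contrast between a shared static key and per-request dynamic credentials, as an added example written for this page and not taken from any vendor’s implementation. Assumptions not in the text: leases live in an in-memory table, the TTL is 300 seconds, time is passed in explicitly so expiry can be tested deterministically, and the credential format and requester names are constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example of a static secret: the same value is handed to every consumer.
STATIC_SHARED_KEY = "static-example-key-shared-by-all-apps"


def who_used_static(credential: str) -> Optional[str]:
    """With one shared static key, a valid use can only be attributed to 'someone with the key'."""
    return "unknown (shared key)" if credential == STATIC_SHARED_KEY else None


@dataclass
class Lease:
    lease_id: str
    requester: str
    credential: str
    expires_at: float
    revoked: bool = False


class DynamicSecretIssuer:
    """Mints a fresh, unique credential per request, bound to a requester and a TTL."""

    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        self._leases: Dict[str, Lease] = {}   # hypothetical lease table, in memory only

    def issue(self, requester: str, now: float) -> Lease:
        lease = Lease(
            lease_id=secrets.token_hex(8),
            requester=requester,
            credential=f"v-{requester}-{secrets.token_urlsafe(16)}",  # never reused
            expires_at=now + self.ttl,
        )
        self._leases[lease.lease_id] = lease
        return lease

    def validate(self, credential: str, now: float) -> Optional[str]:
        """Return the requester the credential was minted for, or None if expired/revoked/unknown."""
        for lease in self._leases.values():
            if secrets.compare_digest(lease.credential, credential):
                if lease.revoked or now >= lease.expires_at:
                    return None
                return lease.requester
        return None

    def revoke(self, lease_id: str) -> None:
        """Kill one consumer's access without touching anyone else's credential."""
        self._leases[lease_id].revoked = True


def demo():
    issuer = DynamicSecretIssuer(ttl_seconds=300)
    t0 = 1_700_000_000.0   # constructed epoch timestamp
    a = issuer.issue("billing-service", t0)
    b = issuer.issue("report-job", t0 + 10)
    live_a = issuer.validate(a.credential, t0 + 100)      # attributable to billing-service
    live_b = issuer.validate(b.credential, t0 + 100)      # attributable to report-job
    expired_a = issuer.validate(a.credential, t0 + 301)   # past TTL: None
    issuer.revoke(b.lease_id)                             # rotate/kill only this lease
    revoked_b = issuer.validate(b.credential, t0 + 200)   # revoked early: None
    static_user = who_used_static(STATIC_SHARED_KEY)      # cannot say which app it was
    return live_a, live_b, expired_a, revoked_b, static_user, a.credential != b.credential


if __name__ == "__main__":
    print(demo())
```

Two things the static path cannot do fall out directly: each validated use names its requester, and revoking one lease does not force every other consumer to be reconfigured.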