Injecting (cryptographic) secrets into automated software release build pipelines?

This page summarizes the projects mentioned and recommended in the original post on /r/embedded

  • sqlcipher

    SQLCipher is a standalone fork of SQLite that adds 256 bit AES encryption of database files and other security features.

  • One option that I have been considering is creating a simple, encrypted SQL database (like an SQLite & SQLCipher combo) that could be used to store & retrieve the crypto secrets required in the release build pipeline. To manipulate this database, one needs to provide a password. This solution could be implemented as a microservice running on the build server, for example in a dedicated Docker container. To trigger a new release build, a user with the correct credentials could access the build server over our local network and, if in possession of the correct password required to decrypt the crypto database, trigger a release build.

  • Vault

    A tool for secrets management, encryption as a service, and privileged access management

  • Since we are using a GitLab server internally for source code version control, I was wondering if I could use GitLab's CI/CD features in the design of the release build pipeline. Reading through the docs, I've found this link: https://docs.gitlab.com/ee/ci/secrets/. It mentions GitLab integration with Vault to distribute secrets to GitLab runners in a CI pipeline. The schematic in this link seems to suggest that GitLab runners authenticate themselves to Vault without user intervention. This would remove the need for the user to trigger the release build manually (by providing the password to be used by the build system to retrieve the private key). However, I am wondering about the security implications of this kind of setup. What if one of the unauthorized employees gains root access to the server? Would he be able to use the infrastructure available to the GitLab runner to simply query all crypto secrets from Vault?
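The root-access question above turns on how narrowly the Vault side is scoped: a runner never holds a general Vault credential, only a short-lived job ID token that Vault maps to one role, and that role decides which paths are readable. The following Terraform HCL is an added example, not configuration from the original thread or from GitLab or HashiCorp documentation; the GitLab host, Vault address, project id 22, the `secret/data/release/signing` path, and all role and policy names are placeholder assumptions.

```hcl
# JWT auth backend that trusts ID tokens minted by the (assumed) GitLab instance.
resource "vault_jwt_auth_backend" "gitlab" {
  path         = "jwt"
  type         = "jwt"
  jwks_url     = "https://gitlab.example.com/oauth/discovery/keys" # placeholder host
  bound_issuer = "https://gitlab.example.com"                      # placeholder host
}

# Least-privilege policy: read on exactly one KV v2 path, nothing else.
resource "vault_policy" "release_signing_read" {
  name   = "release-signing-read"
  policy = <<-EOT
    path "secret/data/release/signing" {
      capabilities = ["read"]
    }
  EOT
}

# The only role a release job can log in with. Every bound_claims entry must
# match the job's ID token, so a job from another project, or from an
# unprotected branch, gets no token at all.
resource "vault_jwt_auth_backend_role" "release_signing" {
  backend         = vault_jwt_auth_backend.gitlab.path
  role_name       = "release-signing"
  role_type       = "jwt"
  user_claim      = "user_email"
  bound_audiences = ["https://vault.example.com"] # must equal the job's id_tokens aud (placeholder)

  bound_claims = {
    project_id    = "22"   # placeholder project id
    ref           = "main"
    ref_type      = "branch"
    ref_protected = "true" # only jobs on protected refs can assume the role
  }

  token_policies = [vault_policy.release_signing_read.name]
  token_ttl      = 300 # seconds; the token is useful only for the job's duration
  token_max_ttl  = 600
}
```

On the GitLab side the job declares an ID token with the same audience (`id_tokens: VAULT_ID_TOKEN: aud: https://vault.example.com`) and a `secrets:` entry such as `SIGNING_KEY: vault: release/signing/key@secret` with `token: $VAULT_ID_TOKEN`, which the runner writes to a temporary file for the job. The practical consequence for the concern raised: someone with root on the runner host can read whatever a running release job has fetched, but the role above gives that host no standing credential and no way to enumerate other Vault paths; keeping release jobs on dedicated runners and auditing Vault's login and read events for the `release-signing` role closes the remaining gap.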
