Hacker News new | past | comments | ask | show | jobs | submit login

This is a common issue, and many apps do this mistake.

Another common mistake is having /.git/ available on the domain itself, often with PHP sites or backend-less SPAs this is common, giving full access to the source, including those API keys. Even major sites do this – The Hill until recently had their git repo, including API tokens and access keys for everything, publicly available.




It should be mentioned that none of that should ever make its way into a Git repo in the first place. If a secret is committed to Git, it's compromised, period. Suck it up and generate a new secret.


Agreed ... use a pre-commit hook to scan your repository for high-entropy strings before they are forever enshrined in your history (https://github.com/dxa4481/truffleHog).


To be fair, though, history can be rewritten, albeit sometimes with some difficulty.


If a secret has ever been in Git then you probably can't know where it's been copied to and should treat it as likely to have been leaked.


Great idea! Thanks for linking to that tool.


Amen. https://12factor.net


only if your git is published.. I assume this is what you mean - that said:

separate integration repo containing encrypted keys + separate, manual managment/configuration of the decryption process is fine for most cases.

but yes, bare and in mainline and published, I will agree this is terrible.

see also:

http://docs.ansible.com/ansible/2.4/vault.html


No, you should never commit your secrets, not even to a private github repo, and not even to a privately hosted git server. Doing so increases your attack surface, sometimes in surprising ways.

Now, if your secrets are encrypted before being committed (using something like ansible vault) and the encryption key is not stored in the repo, that may be ok. However, you still need to be aware that any time you rotate that key, you also should to rotate every secret hidden behind that key.


So how do you do version the configuration management for the cluster that runs everything? It needs to be versioned, and yet with just the data in it you need to be able to recreate your entire environment from scratch.


If you want your secrets under version control, then they should be encrypted.

There are lots of ways of doing this. git-crypt is one that is configuration management agnostic. Most CM tools have their own way of dealing with secrets and there are CM agnostic tools like git-crypt. I'm not personally familiar with anything besides ansible-vault, but this article seems to provide a pretty good summary of several options: https://www.threatstack.com/blog/cloud-security-best-practic...


> Another common mistake is having /.git/ available on the domain itself, often with PHP sites or backend-less SPAs this is common

Yeah and same for .svn and .cvs (which may happen to include your VCS credentials in that directory, too).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: