scidsg / hushline

Hush Line connects whistleblowers with organizations and people who can help.
https://hushline.app
GNU Affero General Public License v3.0

Better encryption key management #268

Open glenn-sorrentino opened 5 months ago

glenn-sorrentino commented 5 months ago

We're storing the encryption key in environment variables, but a more secure method might be beneficial in case of server compromise.

Some options:

brassy-endomorph commented 4 months ago

Suggestion to not have this in the milestone "1. Best Practices and Tidying Up" as this is non-trivial and is fairly advanced. It would require us to run another service, and we'd need that service to do signing and decrypting, not just hand the key over to us on request.

rmlibre commented 1 month ago

What's the desired administrator experience for authenticating when starting up the server? Is it reasonable to assume the administrator can use a local password manager or a hardware security key? Those would be secure options to access a key encryption key (KEK) which then unlocks other keys & secrets in the database.

> Some options:
>
>   • AWS Secrets Manager
>   • HashiCorp Vault
>   • Azure Key Vault
>   • Google Cloud Secret Manager
>   • CyberArk Conjur
>   • Docker Secrets
>   • Bitwarden

I don't think the security model covers trusting remote third-parties with administrator secrets?
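The KEK arrangement rmlibre sketches, as an added example that is not Hush Line's code: an administrator passphrase (or a key handed over by a local password manager or hardware key) derives a key encryption key with scrypt, the KEK wraps a random data encryption key, and only the salt and the wrapped DEK are persisted, so neither the passphrase nor the KEK is ever written to disk or to an environment variable. The scrypt cost parameters are constructed for the demo, and the wrapping uses an HMAC-SHA256 encrypt-then-MAC construction so the block runs on the standard library alone; in production the wrap step should be a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os

# scrypt cost for the demo (constructed values); tune to the host's memory budget.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}

def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """KEK lives only in memory; it is re-derived from the admin's passphrase at startup."""
    return hashlib.scrypt(passphrase.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)

def _subkeys(kek: bytes):
    # Separate encryption and MAC keys split off the KEK via HMAC key separation.
    return (hmac.new(kek, b"wrap-enc", hashlib.sha256).digest(),
            hmac.new(kek, b"wrap-mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD such as AES-GCM.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def wrap_dek(kek: bytes, dek: bytes) -> bytes:
    # Encrypt-then-MAC the data key; output is nonce || ciphertext || tag.
    enc_key, mac_key = _subkeys(kek)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(enc_key, nonce, len(dek))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unwrap_dek(kek: bytes, blob: bytes) -> bytes:
    # Verify the tag before decrypting: a wrong KEK or a tampered record is rejected.
    enc_key, mac_key = _subkeys(kek)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("KEK rejected: wrong passphrase or tampered key record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def create_key_record(passphrase: str):
    """Generate a fresh DEK; return the persistable record (salt + wrapped DEK) and the DEK."""
    salt, dek = os.urandom(16), os.urandom(32)
    return {"salt": salt, "wrapped_dek": wrap_dek(derive_kek(passphrase, salt), dek)}, dek

def unlock(record: dict, passphrase: str) -> bytes:
    """Startup path: the admin supplies the passphrase and the server recovers the DEK."""
    return unwrap_dek(derive_kek(passphrase, record["salt"]), record["wrapped_dek"])
```

Rotating the administrator passphrase then means re-wrapping the same DEK under a new KEK, without re-encrypting the data the DEK protects.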