Is it secure to store a copy of an encrypted file with omitted secrets alongside the encrypted file? #560
I didn't know how to phrase the question, but maybe an example clarifies what I am asking.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: example
data:
  foo: secret
```

and I use age to encrypt the whole file, but I keep a copy of that file and replace "secret" with a dummy value and store both the encrypted content and the copy of the original version with dummy values together in a git repository; how secure would that be? I know sops uses age to encrypt an AES key, which is used to encrypt secrets, if I am not mistaken. That made me wonder if this is because of security or QoL, like easier key rotation? I hope that I don't embarrass myself with that question.
Storing the encrypted version of the secret file in Git is not a big issue, as long as you can keep your encryption key / password safe. Else, if the encryption material (key / password) is compromised, the attacker can extract the encrypted configuration file from any clone of your Git repository (assuming the Git repository is public) and decrypt it, thus leaking your secret.

Thus, if your "secret" is something that can't be easily rotated, perhaps you shouldn't persist it long term anywhere where the attacker might extract it (like Git, backups, etc.). (When speaking about "rotation", I don't mean rotating the underlying encryption key (i.e. AES key) like in your SOPS example, but the actual "secret" your application uses.)

However, storing also the unencrypted file with a dummy secret, I believe it to be very problematic: if during development (or when using the Git repository) you replace the dummy secret with the actual secret, then Git will always show that file as modified, and you are one typo away from committing that file to the repository.

A somewhat safer alternative would be this:

This way, even if you by mistake commit to Git the unencrypted configuration file, it's actually a symlink, thus of no value for anyone, leaking only the path of your "safe folder".

Note that a few months ago, someone opened a discussion thread about a project, based on Age, that targets exactly the problem you are talking about: #543

However, please also see some of the discussion threads I've opened in that project:
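The risk raised in the reply above (the plaintext file being "one typo away" from a commit once the real secret replaces the placeholder) can be checked mechanically. The following pre-commit guard is an added example, not code from the discussion or from age; the `PROTECTED` variable and the path `k8s/secret.yaml` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the discussion. Pre-commit guard for the
# symlink layout: the plaintext config path may only be staged as a symlink.
# Assumption: PROTECTED (hypothetical name) is a space-separated list of such
# paths; k8s/secret.yaml is a made-up path, not one taken from the thread.
PROTECTED="${PROTECTED:-k8s/secret.yaml}"

# Reads `git ls-files --stage` lines on stdin: <mode> <object> <stage>TAB<path>
# Prints every protected path whose mode is not 120000 (symlink) and
# returns 1 if there was at least one, 0 otherwise.
check_index() {
    bad=0
    tab=$(printf '\t')
    while IFS="$tab" read -r meta path; do
        mode=${meta%% *}
        for p in $PROTECTED; do
            if [ "$path" = "$p" ] && [ "$mode" != "120000" ]; then
                echo "blocked: $path staged as mode $mode, expected symlink (120000)"
                bad=1
            fi
        done
    done
    return "$bad"
}

# Constructed index listing: the real secret was pasted over the symlink, so
# the path is now a regular file (100644); the .age file is unaffected.
sample_index() {
    printf '100644 %040d 0\tk8s/secret.yaml\n' 1
    printf '100644 %040d 0\tk8s/secret.yaml.age\n' 2
}

# Runs the check only when installed as .git/hooks/pre-commit.
case "$0" in
    *pre-commit) git ls-files --stage | check_index || exit 1 ;;
esac
```

Installed as an executable `.git/hooks/pre-commit`, it aborts the commit whenever a protected path is staged as a regular file instead of a symlink.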