Secrets management


1. General overview

Secrets management on the platform covers the methods and procedures for securely creating, storing, and handling confidential information such as passwords, keys, tokens, and certificates. Its purpose is to keep such data out of the reach of unauthorized individuals, which prevents leaks and sustains trust in the security of the platform for its users.

2. Principles of Secrets Management

Data security is an integral part of a successful information strategy, especially when it comes to confidential information such as passwords, keys, and other secrets. The process of storing and handling secrets on the platform involves adhering to key security principles that provide reliable protection and prevent information leaks.

  • Encryption of Secrets: One of the fundamental principles is the use of strong encryption algorithms to protect secrets both at rest and in transit, so that obtaining a copy of the stored or transmitted data does not by itself disclose the secrets. The protection is only as good as the choice of algorithm and the handling of the decryption keys: a key stored next to the data it protects defeats the purpose.

  • Authentication and Authorization: Authentication verifies the identity of a user or service before any access is granted, preventing unauthorized entry. Authorization then determines which actions and which data the authenticated identity may use. Restricting access to the minimum necessary operations and data (least privilege) limits the damage a compromised or misused account can do and reduces the risk of secret leaks.

These principles are the foundation for reliable storage and processing of secrets on the platform. Encryption ensures data confidentiality, while authentication and authorization control access and reduce the risk of illegal use of confidential information. By using these principles together, the platform can increase security and ensure trust for both its users and the system itself.

3. Secrets storage on the platform

The storages used on the platform, with a description of each:

KeyCloak

Identity and authentication framework. From a security standpoint, it provides centralized access control and multi-factor authentication, issues signed JSON Web Tokens (JWT) that carry identity claims to relying services, allows token contents to be customized, and integrates with other systems to protect account data. It provides authentication and authorization on the platform. It mainly federates to third-party identity providers but also stores the passwords of service administrators.

Hashicorp Vault

A tool for secrets management and protection of confidential information on the platform. It provides a centralized place to store and manage secrets and can encrypt data on behalf of applications with centrally managed keys (encryption as a service). Vault relies on encryption, signatures, authentication and authorization, and access control policies. The registry platform runs three separate Vaults, Central, Platform, and Registry, each storing the confidential data of its level. More details here

Openshift Secrets

This is a secrets management mechanism within a container orchestration subsystem that provides a service for storing and transmitting confidential information, such as passwords, keys, tokens, and other secrets, in a secure way.

AWS KMS

A key management service that provides a secure way to create and manage cryptographic keys in an AWS account; the key material never leaves the service. On the platform it holds the key that protects (unseals) the central secrets management service, Vault, so that no unseal key has to be kept by an administrator.

HSM

A hardware-software cryptographic module that provides secure storage of certificates and private keys and performs digital signature and stamp operations. More details here

Istio Citadel

Citadel is the Istio component responsible for traffic security: encryption, authentication, and authorization between services. It issues and distributes a certificate to each service in the mesh, which the services use to mutually authenticate and encrypt their traffic (mutual TLS).

4. Categories of Secrets

Categories of secrets, with the type of secret and where it is stored:

Service administrator credentials
  • Secrets type: passwords
  • Storage: KeyCloak

Secrets of external systems
  • Secrets type: passwords, tokens, configuration
  • Storage: Hashicorp Vault

Registry secrets
  • Secrets type: service administrator credentials, tokens, passwords
  • Storage: Hashicorp Vault

Secrets of internal systems
  • Secrets type: passwords, tokens
  • Storage: Openshift secrets

Cryptographic material
  • Secrets type: tokens, recovery keys, data encryption keys
  • Storage: Hashicorp Vault, Openshift secrets/etcd, AWS KMS

Digital signature-related data
  • Secrets type: digital signature, stamp, certificates
  • Storage: hardware and software cryptomodule (HSM)

Inter-service communication secrets
  • Secrets type: certificates
  • Storage: Istio Citadel

5. Procedures of Creating and Managing Secrets

For each storage, how its secrets are generated and how access and rights are granted:

KeyCloak
  • Secret generation: secrets are created and managed by service administrators.
  • Access and rights: access to secrets is granted according to job responsibilities, based on a role-based model.

Hashicorp Vault
  • Secret generation: secrets are created during the setup of registries and their external integrations. Keys for unsealing and recovering the platform and registry vaults are generated fully automatically, without the involvement of a technical administrator.
  • Access and rights: access to the storage is granted only to the service technical users created to keep the platform functioning. No one else is given access to the storage.

Openshift Secrets
  • Secret generation: secrets are created automatically when the registry platform is deployed.
  • Access and rights: access is regulated by roles and granted only to platform or registry administrators and the relevant service technical users.

HSM
  • Secret generation: secrets are loaded into the module during the deployment and operation of the registry platform.
  • Access and rights: access to the hardware-software module is strictly controlled and granted only to the technical service user of the digital signature subsystem.

AWS KMS
  • Secret generation: the recovery secrets for the confidential data storage are created fully automatically during deployment of the registry platform.
  • Access and rights: access is granted under the cloud provider's role-based model, and only to environment administrators in case of urgent need.

Istio Citadel
  • Secret generation: the root certificate is created automatically during deployment of the platform. Trusted service certificates are issued automatically once a service is allowed to participate in inter-service communication.
  • Access and rights: access to administration of the microservices network is granted only to platform and registry administrators.

6. Protection of Secrets

Preventive measures against loss, leakage, and unauthorized access to secrets, for each storage:

KeyCloak

  • The management interface is additionally protected by network access control.

  • A reliable authentication mechanism is used, and the access control system is based on roles.

  • Software updates follow a defined procedure so that only supported, patched versions are in use.

  • Data disks are encrypted.

  • Regular backups are performed.

Hashicorp Vault

  • Token-based authentication integrated with the container orchestration subsystem.

  • No access to the vault is granted to any platform user.

  • The platform and registry vaults are unsealed automatically through the central vault (Vault transit auto-unseal), so their unseal keys are never handed to an operator. This is centrally controlled, which increases data security and reduces the risk of key compromise.

  • Unsealing (decrypting) the central vault is in turn delegated to the cloud key management service (AWS KMS), which increases security, reduces the risk of key leaks, and increases system reliability.

  • Access control policies are implemented to separate privileges.

  • Regular backups are performed.
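Whether a set of Vault policies really separates privileges can be checked offline before it is applied. The script below is an added example, not the platform's own code: it re-implements the subset of HashiCorp Vault's ACL policy semantics that a least-privilege review depends on (a trailing `*` prefix glob, `+` as a single-segment wildcard, merging of all policies attached to a token, the most specific matching rule winning, and `deny` overriding other capabilities on the same path) and evaluates constructed policies for a registry service technical user. The mount names and paths are assumptions for the illustration, not the platform's real layout.

```python
"""Added example: check Vault ACL privilege separation offline.

Re-implements the part of HashiCorp Vault's policy semantics needed for a
least-privilege review: a trailing '*' is a prefix glob, '+' matches exactly
one path segment, all policies attached to a token are merged, the most
specific matching rule wins, and 'deny' beats every other capability on the
same path. Mount names and paths are constructed for the illustration and are
not the platform's real layout.
"""
import re
from typing import Dict, List

Policy = Dict[str, List[str]]  # path pattern -> capabilities

# Constructed: a registry's service technical user may read only its own
# registry's secrets, and not the service administrator credentials.
REGISTRY_A_SERVICE: Policy = {
    "registry/data/registry-a/*": ["read", "list"],
    "registry/data/registry-a/admin-credentials": ["deny"],
}
# Constructed: a platform service may read one named entry in every registry.
PLATFORM_SERVICE: Policy = {"platform/data/+/integration": ["read"]}
# Constructed: a catch-all deny, to show what it does (and does not) block.
DENY_ALL: Policy = {"*": ["deny"]}


def _compile(pattern: str) -> "re.Pattern[str]":
    """Translate a Vault path pattern into an anchored regular expression."""
    prefix_glob = pattern.endswith("*")
    body = pattern[:-1] if prefix_glob else pattern
    # re.split with a capturing group keeps the '+' tokens in the result.
    regex = "".join(r"[^/]+" if part == "+" else re.escape(part)
                    for part in re.split(r"(\+)", body))
    return re.compile("^" + regex + (".*" if prefix_glob else "") + "$")


def merge(policies: List[Policy]) -> Policy:
    """Union the rules of all policies on a token, as Vault does.

    A 'deny' on a path pattern wins over capabilities granted to the same
    pattern by any other policy.
    """
    merged: Policy = {}
    for policy in policies:
        for pattern, caps in policy.items():
            current = set(merged.get(pattern, []))
            if "deny" in current or "deny" in caps:
                merged[pattern] = ["deny"]
            else:
                merged[pattern] = sorted(current | set(caps))
    return merged


def capabilities(policies: List[Policy], path: str) -> List[str]:
    """Capabilities that apply to `path`: an exact rule wins, otherwise the
    longest matching pattern does (Vault's finer tie-breaking between
    overlapping '+' rules is not modelled here)."""
    merged = merge(policies)
    if path in merged:
        return merged[path]
    matching = [pattern for pattern in merged if _compile(pattern).match(path)]
    return merged[max(matching, key=len)] if matching else []


def allowed(policies: List[Policy], path: str, capability: str) -> bool:
    """True if the token holding `policies` may perform `capability` on `path`."""
    caps = capabilities(policies, path)
    return "deny" not in caps and capability in caps


def review_registry_a_service() -> Dict[str, bool]:
    """Expectations a reviewer would check for the registry-a service user."""
    pol = [REGISTRY_A_SERVICE]
    return {
        "reads own secrets": allowed(pol, "registry/data/registry-a/db", "read"),
        "cannot write own secrets": not allowed(pol, "registry/data/registry-a/db", "update"),
        "cannot read admin credentials": not allowed(pol, "registry/data/registry-a/admin-credentials", "read"),
        "cannot read other registry": not allowed(pol, "registry/data/registry-b/db", "read"),
    }


if __name__ == "__main__":
    for check, ok in review_registry_a_service().items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
    # A catch-all deny does not override a more specific grant, so keeping
    # humans out of Vault means binding them no policy, not adding a '*' deny.
    print("deny-all overrides specific read:",
          not allowed([REGISTRY_A_SERVICE, DENY_ALL], "registry/data/registry-a/db", "read"))
```

The last check in `main` is the caveat worth remembering when reading the "no access for any platform user" statement above: in Vault the most specific path rule wins, so a `deny` on `*` in one policy does not cancel a `read` on `registry/data/registry-a/*` granted by another. Keeping people out of the vault is achieved by not attaching policies to them at all, not by a catch-all deny.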

Openshift Secrets

  • The management interface is additionally protected by network access control.

  • Every request to the container orchestration subsystem (the OpenShift API) is authenticated.

  • The cluster's secrets store (etcd) is encrypted at rest, so Secret objects are not readable from a copy of the datastore or its backups.

  • An automatic cryptographic material rotation mechanism is in place.

  • A role-based access control (RBAC) model is implemented.

  • Regular backups are performed.
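The RBAC question that matters for this storage is who can read Secret objects, and at what scope. The script below is an added example (not the platform's own code): it takes Role, ClusterRole, RoleBinding, and ClusterRoleBinding objects in the shape `oc get <kind> -o json` returns and reports each subject that can read Secrets, marking as broad any access that is not limited to named secrets. The objects it processes are constructed for the illustration.

```python
"""Added example: report who can read Secret objects from RBAC definitions.

Walks Role/ClusterRole and RoleBinding/ClusterRoleBinding objects in the shape
`oc get <kind> -o json` returns and lists every subject that can read Secrets,
with the scope of that access. Access not limited to named secrets is flagged
as broad. All objects below are constructed for the illustration.
"""
from typing import Dict, Iterator, List, Optional

READ_VERBS = {"get", "list", "watch"}

ROLES: List[Dict] = [  # constructed Role and ClusterRole objects
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "db-secret-reader", "namespace": "registry-a"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"],
                "resourceNames": ["registry-a-db"], "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-lister"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["list"]}]},
    {"kind": "Role", "metadata": {"name": "configmap-reader", "namespace": "registry-a"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
]

BINDINGS: List[Dict] = [  # constructed bindings
    {"kind": "ClusterRoleBinding", "metadata": {"name": "platform-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "platform-admins"}]},
    {"kind": "RoleBinding", "metadata": {"name": "api-db-reader", "namespace": "registry-a"},
     "roleRef": {"kind": "Role", "name": "db-secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "registry-a-api", "namespace": "registry-a"}]},
    # A ClusterRole referenced from a RoleBinding applies only in that namespace.
    {"kind": "RoleBinding", "metadata": {"name": "auditor", "namespace": "registry-b"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-lister"},
     "subjects": [{"kind": "User", "name": "auditor"}]},
    {"kind": "RoleBinding", "metadata": {"name": "web-cm", "namespace": "registry-a"},
     "roleRef": {"kind": "Role", "name": "configmap-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "registry-a-web", "namespace": "registry-a"}]},
]


def _find_role(roles: List[Dict], kind: str, name: str, namespace: Optional[str]) -> Optional[Dict]:
    """Resolve a roleRef; a Role must live in the binding's namespace."""
    for role in roles:
        meta = role["metadata"]
        if role["kind"] != kind or meta["name"] != name:
            continue
        if kind == "ClusterRole" or meta.get("namespace") == namespace:
            return role
    return None


def _secret_read_rules(role: Dict) -> Iterator[Dict]:
    """Yield the rules of `role` that allow reading Secret objects.

    Secrets live in the core API group (apiGroups ""), and a wildcard "*" in
    any field covers them. 'list' returns full objects including data, so it
    is as sensitive as 'get' on every secret, whatever resourceNames says.
    """
    for rule in role.get("rules", []):
        if not set(rule.get("apiGroups", [])) & {"", "*"}:
            continue
        if not set(rule.get("resources", [])) & {"secrets", "*"}:
            continue
        if not set(rule.get("verbs", [])) & (READ_VERBS | {"*"}):
            continue
        yield rule


def _subject_name(subject: Dict) -> str:
    if subject["kind"] == "ServiceAccount":
        return f'ServiceAccount/{subject["namespace"]}/{subject["name"]}'
    return f'{subject["kind"]}/{subject["name"]}'


def audit_secret_readers(roles: List[Dict], bindings: List[Dict]) -> List[Dict]:
    """One finding per (binding, matching rule, subject) able to read Secrets."""
    findings: List[Dict] = []
    for binding in bindings:
        ref, namespace = binding["roleRef"], binding["metadata"].get("namespace")
        role = _find_role(roles, ref["kind"], ref["name"], namespace)
        if role is None:
            continue
        # Only a ClusterRoleBinding grants cluster-wide access.
        scope = "cluster" if binding["kind"] == "ClusterRoleBinding" else f"namespace {namespace}"
        for rule in _secret_read_rules(role):
            names = rule.get("resourceNames") or ["*"]
            verbs = sorted(set(rule["verbs"]) & (READ_VERBS | {"*"}))
            for subject in binding.get("subjects", []):
                findings.append({"subject": _subject_name(subject), "scope": scope,
                                 "role": ref["name"], "names": names, "verbs": verbs,
                                 "broad": names == ["*"] or "list" in verbs or "*" in verbs})
    return findings


if __name__ == "__main__":
    for finding in audit_secret_readers(ROLES, BINDINGS):
        flag = "BROAD " if finding["broad"] else "      "
        print(f'{flag}{finding["subject"]:45} {finding["scope"]:22} '
              f'{finding["role"]} {finding["verbs"]} {finding["names"]}')
```

On the constructed input the only non-broad reader is the registry API service account, which can `get` exactly one named secret in its own namespace; the group bound to `cluster-admin` and the user who can `list` secrets are both flagged. In a real review, feed the script the output of `oc get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` and compare the list against the administrators and service technical users the page says should have access.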

HSM

  • Keys and certificates are held in a dedicated hardware-software cryptomodule rather than in general-purpose storage.

  • The communication channel is encrypted with a session key.

  • Additional identification and dedicated authentication mechanisms are in place for access to the module.

  • Access limitation mechanisms are in place.

AWS KMS

  • A separate identification and authentication model (the cloud provider's IAM) is used.

  • Access control policies are based on a granular role-based model.

  • Access logging and auditing mechanisms are in place.

7. Audit and Monitoring

Periodic review of access to secrets and of the activities performed with them is a critical element of data security. This process includes auditing who accessed which secrets, monitoring the operations performed on them, and detecting changes and anomalies. It helps to spot unusual actions promptly, prevent possible breaches, and maintain a high level of data security. Currently, this review is performed manually by the platform administrator.
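Because the review is currently manual, a script that pre-screens the Vault audit log helps the administrator concentrate on the entries that matter. The following Python is an added example, not part of the platform's own tooling; it reads the one-JSON-object-per-line format written by Vault's file audit device and flags use of the root policy, access to registry secret paths by identities outside an approved list, changes to policy or auth configuration under `sys/`, and repeated errors from one address. The log lines and the approved-service list are constructed, and the `registry/` mount name is an assumption.

```python
"""Added example: pre-screen a Vault audit log for entries that need review.

Vault's file audit device writes one JSON object per line, one for the
request and one for the response. This script reads those lines and flags:
root-policy use, access to registry secret paths by an identity outside the
approved service accounts, changes to policy or auth configuration under
sys/, and repeated errors from one address. The log lines, the approved
list, and the 'registry/' mount name are constructed for the illustration.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List

# Constructed: the Kubernetes service accounts allowed to read registry secrets.
APPROVED_SERVICES = {"registry-a/registry-a-api", "registry-b/registry-b-api"}
ERROR_THRESHOLD = 3
CONFIG_PREFIXES = ("sys/policies/", "sys/auth/", "sys/mounts/")

# Constructed audit lines in the layout of Vault's file audit device.
SAMPLE_LOG = """\
{"time":"2024-03-01T10:15:00Z","type":"response","auth":{"display_name":"kubernetes-registry-a-api","policies":["default","registry-a-service"],"metadata":{"service_account_name":"registry-a-api","service_account_namespace":"registry-a"}},"request":{"operation":"read","path":"registry/data/registry-a/db","remote_address":"10.0.1.5"}}
{"time":"2024-03-01T10:15:02Z","type":"response","auth":{"display_name":"root","policies":["root"],"metadata":null},"request":{"operation":"read","path":"registry/data/registry-b/db","remote_address":"10.0.9.7"}}
{"time":"2024-03-01T10:15:05Z","type":"response","auth":{"display_name":"kubernetes-debug","policies":["default","registry-a-service"],"metadata":{"service_account_name":"debug","service_account_namespace":"registry-a"}},"request":{"operation":"read","path":"registry/data/registry-a/admin-credentials","remote_address":"10.0.1.9"}}
{"time":"2024-03-01T10:15:07Z","type":"response","auth":{"display_name":"root","policies":["root"]},"request":{"operation":"update","path":"sys/policies/acl/registry-a-service","remote_address":"10.0.9.7"}}
{"time":"2024-03-01T10:16:00Z","type":"response","auth":{},"request":{"operation":"update","path":"auth/kubernetes/login","remote_address":"10.0.3.3"},"error":"permission denied"}
{"time":"2024-03-01T10:16:01Z","type":"response","auth":{},"request":{"operation":"update","path":"auth/kubernetes/login","remote_address":"10.0.3.3"},"error":"permission denied"}
{"time":"2024-03-01T10:16:02Z","type":"response","auth":{},"request":{"operation":"update","path":"auth/kubernetes/login","remote_address":"10.0.3.3"},"error":"permission denied"}
{"time":"2024-03-01T10:16:03Z","type":"request","auth":{"display_name":"kubernetes-registry-b-api","policies":["default","registry-b-service"],"metadata":{"service_account_name":"registry-b-api","service_account_namespace":"registry-b"}},"request":{"operation":"read","path":"registry/data/registry-b/db","remote_address":"10.0.2.5"}}
"""


def identity(entry: Dict) -> str:
    """Name the caller: Kubernetes service account when known, else display name."""
    auth = entry.get("auth") or {}
    meta = auth.get("metadata") or {}
    if meta.get("service_account_name"):
        return f'{meta.get("service_account_namespace")}/{meta["service_account_name"]}'
    return auth.get("display_name") or "unauthenticated"


def review(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per suspicious audit entry, plus per-address error bursts."""
    findings: List[Dict] = []
    errors_by_address: Counter = Counter()
    for raw in lines:
        if not raw.strip():
            continue
        entry = json.loads(raw)
        if entry.get("type") != "response":  # each request is logged twice; count it once
            continue
        auth = entry.get("auth") or {}
        request = entry.get("request") or {}
        path, operation = request.get("path", ""), request.get("operation", "")
        who = identity(entry)
        if entry.get("error"):
            errors_by_address[request.get("remote_address", "?")] += 1
            continue
        if "root" in (auth.get("policies") or []):
            findings.append({"rule": "root-token-use", "who": who, "path": path, "operation": operation})
        if path.startswith("registry/") and who not in APPROVED_SERVICES:
            findings.append({"rule": "unapproved-registry-access", "who": who, "path": path, "operation": operation})
        if path.startswith(CONFIG_PREFIXES) and operation in {"create", "update", "delete"}:
            findings.append({"rule": "config-change", "who": who, "path": path, "operation": operation})
    for address, count in errors_by_address.items():
        if count >= ERROR_THRESHOLD:
            findings.append({"rule": "repeated-errors", "who": address, "path": "", "operation": f"{count} errors"})
    return findings


def review_sample() -> List[Dict]:
    """Run the review over the constructed sample log."""
    return review(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in review_sample():
        print(f'{finding["rule"]:28} {finding["who"]:26} {finding["operation"]:10} {finding["path"]}')
```

On the sample the script reports the two root-token operations (one of which is also a policy change), the debug pod and the root token reading registry secrets, and the burst of failed logins from one address. Applied to a real log it turns the manual review into a check of a short list rather than a read of every line; the approved-service list and path prefixes would be taken from the platform's actual layout.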

8. Final provisions

Effective secrets management on the platform requires the collaboration of various stakeholders, each with their own responsibilities and duties.

The organization (owner) of the platform must establish access control and secrets management policies. Users, in turn, must adhere to security practices. This collaboration ensures reliable protection of confidential information and reduces security incident risks.