Storing and Managing Secrets in Production

Intellenum follows a set of practices for the secure management of sensitive information in production. This guide describes how secrets are kept out of the source tree and the image, how they are injected at run time, and what policy applies to them.

Dockerfile Configuration

Secrets management begins at the container configuration level. Here is the relevant snippet from the project's Dockerfile, with comments on what each instruction means for secret handling:

# Image based on the .NET 7 SDK; no ENV or ARG instruction carries a secret value
FROM mcr.microsoft.com/dotnet/sdk:7.0

# Copy the source tree only; keep .env files and other secret material out of it (list them in .dockerignore)
COPY . .

# Run the build script at start-up; secrets reach it through the container environment, not the image
ENTRYPOINT [ "powershell.exe", "./Build.ps1" ]

When you build the Docker image, never place sensitive information in the source code, the Dockerfile, or a build argument: anything present at build time ends up in the image layers or its config, where anyone who can pull the image can read it. Instead, inject secrets at container run time through environment variables or a secrets management tool.
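As an added check (example code, not part of Intellenum or its Dockerfile), the following PowerShell function inspects a built image and reports any of the guide's secret variable names that ended up in the image config (an ENV instruction) or in the layer history (an ARG or inline assignment). The function name Test-ImageForSecrets and the image tag intellenum:local are assumptions made for this example; it requires the docker CLI on PATH.

```powershell
# Added example, not from the Intellenum repository: audit a built image for secrets
# that were baked in at build time. Requires the docker CLI on PATH.
function Test-ImageForSecrets {
    param(
        [Parameter(Mandatory)][string]$Image,
        # Secret variable names to look for; the defaults are the ones used in this guide
        [string[]]$SecretNames = @('AUTH_SECRET', 'DATABASE_PASSWORD')
    )
    $findings = @()

    # 1. Image config: an ENV instruction persists in Config.Env for every container started from it
    $cfg = docker image inspect $Image | ConvertFrom-Json
    $cfg = @($cfg)[0]    # works whether ConvertFrom-Json enumerated the JSON array or not
    foreach ($entry in $cfg.Config.Env) {
        $key = ($entry -split '=', 2)[0]
        if ($SecretNames -contains $key) {
            $findings += "ENV $key is baked into the image config"
        }
    }

    # 2. Layer history: ARG values and inline assignments are recorded in each layer's CreatedBy
    $history = docker history --no-trunc --format '{{.CreatedBy}}' $Image
    foreach ($line in $history) {
        foreach ($name in $SecretNames) {
            if ($line -match "\b$name=") {
                $findings += "layer instruction references $name (its value is in the image history)"
            }
        }
    }
    return $findings
}

# Hypothetical image tag; fail the pipeline if anything was found
$leaks = @(Test-ImageForSecrets -Image 'intellenum:local')
if ($leaks.Count -gt 0) {
    $leaks | ForEach-Object { Write-Warning $_ }
    throw "Secrets found in image; rebuild without them and inject them at run time instead."
}
Write-Host "No secret variables found in image config or history."
```

Run it as a step after docker build in CI so that a secret accidentally passed as a build argument fails the pipeline before the image is pushed. The check matches variable names only; it does not print any values it finds.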

Environment Variables

Secrets can be passed to the container as environment variables, configured in your Docker Compose or Kubernetes manifests. Here is an example using Docker Compose:

version: '3.8'
services:
  intellenum:
    image: your-intellenum-image
    environment:
      - AUTH_SECRET=${AUTH_SECRET}
      - DATABASE_PASSWORD=${DATABASE_PASSWORD}

In this setup, ${AUTH_SECRET} and ${DATABASE_PASSWORD} are substituted by Compose when the service starts, so they must be set in the host environment or supplied by a secrets management system at that point; the values never need to appear in the compose file or in the image.

PowerShell Integration

Using PowerShell scripts, you can consume these secrets without ever writing them to disk or to the build log. For instance, you can read the environment variables in your Build.ps1 script like so:

# Read the injected secrets; fail fast if either one is missing
$authSecret = $env:AUTH_SECRET
$databasePassword = $env:DATABASE_PASSWORD
if (-not $authSecret -or -not $databasePassword) {
    throw "AUTH_SECRET and DATABASE_PASSWORD must be set in the container environment"
}

# Use the secrets wherever necessary in your script,
# but never write their values to the console or the build log
Write-Host "Using authentication secret..."
# Example logic that utilizes $authSecret
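A fuller version of the same idea, added here as an example rather than taken from the project's Build.ps1: each required variable is checked up front, held as a SecureString, and exposed as plaintext only inside a short callback whose buffer is zeroed afterwards. The function names Get-RequiredSecret and Use-Secret are assumptions for this example; the variable names are the ones used in this guide.

```powershell
# Added example, not the project's Build.ps1: read secrets injected as environment variables,
# fail fast when one is missing, and keep them out of the build log.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Get-RequiredSecret {
    param([Parameter(Mandatory)][string]$Name)

    $value = [Environment]::GetEnvironmentVariable($Name)
    if ([string]::IsNullOrWhiteSpace($value)) {
        # Name the missing variable, never its expected contents
        throw "Required secret '$Name' is not set; inject it through the container environment."
    }
    # Keep the secret as a SecureString so casual Get-Variable or transcript output does not show it.
    # (On Linux pwsh the SecureString is not encrypted in memory, so this limits accidental
    # exposure; it is not protection against a memory dump.)
    return ConvertTo-SecureString -String $value -AsPlainText -Force
}

function Use-Secret {
    # Expose the plaintext only for the duration of the callback, then zero the buffer
    param(
        [Parameter(Mandatory)][securestring]$Secret,
        [Parameter(Mandatory)][scriptblock]$Action
    )
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret)
    try {
        & $Action ([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

$authSecret       = Get-RequiredSecret -Name 'AUTH_SECRET'
$databasePassword = Get-RequiredSecret -Name 'DATABASE_PASSWORD'

# Log the fact, never the value (and not its length either)
Write-Host "Using authentication secret from the environment (value redacted)."

Use-Secret -Secret $databasePassword -Action {
    param([string]$plain)
    # Hypothetical consumer of the secret: in the real script this is the build step that needs
    # the database password (for example running migrations). $plain is valid only in this block.
    Write-Host "Database password handed to the build step (value not shown)."
}
```

Because the plaintext exists only inside the callback, a later `Get-Variable` dump, a `Start-Transcript` log, or an exception message that prints script state will not carry the secret. Throwing on a missing variable also prevents the build from silently continuing with an empty password.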

Recommendations for Secrets Management

  1. Do Not Hardcode Secrets: Never hardcode sensitive information directly in source files or the Dockerfile.

  2. Use a Secrets Management Tool: Leverage tools like Azure Key Vault, AWS Secrets Manager, or HashiCorp Vault to store and manage your secrets.

  3. Limit Access: Ensure that only the necessary services and personnel have access to these secrets. Implement role-based access control wherever possible.

  4. Audit and Rotate Secrets: Regularly audit who has access to your secrets, and rotate them routinely to reduce the risk of exposure.

  5. Use Encryption: When storing secrets, ensure they are encrypted both at rest and in transit.
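Recommendations 2 to 4 together, as an added example that is not Intellenum code: the script resolves each secret from Azure Key Vault at run time using the container's managed identity (so no credential is stored in the image or the repository), always reads the current secret version (so rotation in the vault takes effect on the next container start), and falls back to the environment variable only when no vault is configured. It requires the Az.Accounts and Az.KeyVault modules; the variable KEYVAULT_NAME and the function name Resolve-Secret are assumptions for this example.

```powershell
# Added example, not Intellenum code: fetch a secret from Azure Key Vault at run time with the
# container's managed identity, falling back to the environment variable when no vault is set.
# Requires the Az.Accounts and Az.KeyVault modules.
function Resolve-Secret {
    param(
        [Parameter(Mandatory)][string]$Name,        # e.g. AUTH_SECRET
        [string]$VaultName = $env:KEYVAULT_NAME     # set on the container, never in the image
    )

    if ($VaultName) {
        # Key Vault secret names allow only letters, digits and hyphens: AUTH_SECRET -> auth-secret
        $vaultSecretName = ($Name -replace '_', '-').ToLowerInvariant()

        if (-not (Get-AzContext)) {
            # Managed identity: nothing to store, commit or rotate on the build side
            Connect-AzAccount -Identity | Out-Null
        }
        # No -Version argument: always take the current version, so a rotated secret is picked up
        # on the next container start without a code change
        $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $vaultSecretName
        if (-not $secret) {
            throw "Secret '$vaultSecretName' not found in Key Vault '$VaultName'."
        }
        return $secret.SecretValue    # SecureString; the plaintext never reaches the log
    }

    # Fallback: the value injected through Docker Compose or Kubernetes
    $value = [Environment]::GetEnvironmentVariable($Name)
    if ([string]::IsNullOrWhiteSpace($value)) {
        throw "Secret '$Name' is set neither in Key Vault nor in the environment."
    }
    return ConvertTo-SecureString -String $value -AsPlainText -Force
}

$authSecret       = Resolve-Secret -Name 'AUTH_SECRET'
$databasePassword = Resolve-Secret -Name 'DATABASE_PASSWORD'
Write-Host "Secrets resolved (values redacted)."
```

Access control lives in the vault rather than in the script: grant the container's identity only the Get permission on the specific secrets it needs, and Key Vault's own audit logs then record every read, which covers the auditing part of recommendation 4 without any logging in the build script itself.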

Summary

Injecting secrets through environment variables, reading them from PowerShell scripts without logging them, and adopting a strict secrets management policy are effective means of handling sensitive information in Intellenum's production environment.

Source: Dockerfile