Storing secrets (tokens, passwords)


TiNas


I have multiple commands that require secrets/passwords which will be triggered with a cron and user scripts.

Example commands
'AWS_ACCESS_KEY_ID=ABCD AWS_SECRET_ACCESS_KEY=EF1234 aws'

'docker run -e "SOMESECRET=TOKEN" dockername'


I noticed the scripts live under the /tmp folder, and it looks like they get carried over on reboot/shutdown, which suggests to me that the user scripts are stored on the USB.
So I don't feel comfortable having my secrets (AWS keys, Telegram tokens, passwords) directly in the user scripts.

Was thinking of storing them on a separate encrypted hidden share in a .env or .secret file and just read them with grep/cat.

Where would be a good place to store them?

Link to post

The way I solved it right now is:

Created a hidden/not exported share named 'keys'.

really IMPORTANT to not export/share this share :)

 

Where I saved my text files like 'telegram' containing the tokens.

 

File content:

TOKEN=TOKENHERE

 

In my user scripts I use 'sed' to get the value from the file, like so:

$(sed -n 's/^TOKEN=\(.*\)/\1/p' < /mnt/user/keys/telegram)

 

 

Example user script command I use

 

docker run -e "TELEGRAM_BOT_TOKEN=$(sed -n 's/^TOKEN=\(.*\)/\1/p' < /mnt/user/keys/telegram)" telegrambot

 

This way my telegram/aws and other secrets are stored on encrypted drives and not on the unencrypted USB.

Link to post

It all depends on your threat model.

What is the attack (or leak) scenario you are concerned with? Who is the potential attacker?

 

For some scenarios, I can't see why your solution is better than just keeping the secrets on your USB flash (i.e. somewhere under /boot).

For yet other scenarios, it might actually be better.

 

Note btw that the way you currently do it, a "ps" command would reveal the secret - try, in your case:

ps ax | grep docker

This may or may not be a problem (basically if someone is at the CLI level she can peek into your "keys" share) so again, all depends on your threat model.
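The following is an added example, not code from the thread or from Unraid: it packages the 'sed' approach from the post above (KEY=VALUE file on a non-exported share) into a small function, checks that the file is owner-only, and hands the value to docker through a 0600 env file instead of `-e "NAME=$(...)"`, so that the token is not part of docker's argv (which is exactly what `ps ax | grep docker` prints). The share path, the token value and the container name are constructed for the demo; `stat -c '%a'` is assumed to be the GNU/busybox stat found on Unraid.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads KEY=VALUE from a secret file
# the way the sed one-liner above does, adds a permission check, and passes
# the value to docker via --env-file so the token never appears on the
# command line. All paths and the token value are constructed for the demo.

# Constructed stand-in for /mnt/user/keys/telegram, owner-only (0700/0600).
SECRET_DIR="${TMPDIR:-/tmp}/keys-demo.$$"
mkdir -p "$SECRET_DIR"
chmod 700 "$SECRET_DIR"
printf 'TOKEN=123456:constructed-demo-token\nEMPTY=\n' > "$SECRET_DIR/telegram"
chmod 600 "$SECRET_DIR/telegram"

# read_secret FILE KEY: print the value of KEY from FILE (same sed idea as the
# post). Fails if the file is missing, readable by group/others, or lacks KEY.
read_secret() {
    file=$1
    key=$2
    [ -f "$file" ] || { echo "read_secret: $file does not exist" >&2; return 1; }
    mode=$(stat -c '%a' "$file")        # GNU/busybox stat; assumption
    case "$mode" in
        [0-7]00) ;;                     # 400/600/700: owner only, OK
        *) echo "read_secret: $file has mode $mode, expected 600" >&2; return 1 ;;
    esac
    value=$(sed -n "s/^${key}=\(.*\)$/\1/p" "$file")
    [ -n "$value" ] || { echo "read_secret: no value for $key in $file" >&2; return 1; }
    printf '%s' "$value"
}

# make_env_file NAME VALUE: write NAME=VALUE to a 0600 temp file and print its
# path. "docker run --env-file PATH" reads the value itself, so only the path,
# not the token, is visible in the docker process's argv.
make_env_file() {
    f=$(mktemp "${TMPDIR:-/tmp}/envfile.XXXXXX") || return 1
    chmod 600 "$f"
    printf '%s=%s\n' "$1" "$2" > "$f"
    printf '%s' "$f"
}

# What the user script would do instead of -e "TELEGRAM_BOT_TOKEN=$(sed ...)".
run_bot() {
    token=$(read_secret "$SECRET_DIR/telegram" TOKEN) || return 1
    envf=$(make_env_file TELEGRAM_BOT_TOKEN "$token") || return 1
    # Real invocation (left commented so the demo runs without docker):
    # docker run --env-file "$envf" telegrambot
    echo "would run: docker run --env-file $envf telegrambot"
    rm -f "$envf"
}

# Remove the constructed secret directory once the demo is done.
cleanup_demo() { rm -rf "$SECRET_DIR"; }

run_bot
```

The env file is written and deleted around a single `docker run`, so the only copies of the token that persist are the one on the non-exported share and the one inside the container's environment. Anyone with shell access on the NAS can still read the share or `docker inspect` the container, which matches the threat model stated later in the thread (protection against someone walking off with the USB stick, not against a local user).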

Link to post
14 hours ago, doron said:

It all depends on your threat model.

What is the attack (or leak) scenario you are concerned with? Who is the potential attacker?

 

For some scenarios, I can't see why your solution is better than just keeping the secrets on your USB flash (i.e. somewhere under /boot).

For yet other scenarios, it might actually be better.

 

Note btw that the way you currently do it, a "ps" command would reveal the secret - try, in your case:


ps ax | grep docker

This may or may not be a problem (basically if someone is at the CLI level she can peek into your "keys" share) so again, all depends on your threat model.

 

Thanks for your reply Doron,

 

I know that if they have access to the terminal/NAS they can get the secrets, which is not my concern.

 

The threat I want to protect my secrets from is somebody physically acquiring the USB drive.
It's also just a feeling: having my secrets on any unencrypted drive doesn't feel 'safe'.

Link to post

If your primary security concern is the USB drive, and your drive encryption key is not stored on the USB (which is the usual Unraid use case), then yes, this method does mitigate that threat.

 

[An ever-so-slightly-simpler way, if you're already keeping a file per program/docker, is to have that file be a script, which will just output the key/passphrase to stdout (as in "echo" or "printf"). Then, you just include it as "... TOKEN=$(/path/to/script)".]

Link to post

Ah, if the encryption key for the drives is stored on the USB, then it doesn't make a lot of sense to put the secrets on the encrypted data drives :)
I didn't know that the encryption key lived on the USB. But it makes sense now that I think of it.
Then I am wondering what the point of encrypting the drives is in the first place... of course, for when they break down or you have to send them in for RMA.

 

I need to enter a password whenever I start the Unraid array. Does this mean the encryption key is stored on the USB? Or is it useless without the password?

Is there a way to store the encryption key safely outside of the USB?

 

Maybe I am overly worried, but I just don't like having data unencrypted.

Edited by TiNas
Link to post
46 minutes ago, TiNas said:

Ah, if the encryption key for the drives is stored on the USB, then it doesn't make a lot of sense to put the secrets on the encrypted data drives :)
I didn't know that the encryption key lived on the USB. But it makes sense now that I think of it.

 

No, it doesn't! My wording may have been confusing - sorry about that, I now see that my text in parentheses can be read in two different ways...

The encryption key does NOT live on the USB by default - the default is to type it in during array startup. IF one does choose to use a keyfile, AND that keyfile is stored on the USB drive - THEN the rest applies.

Hope I'm more clear now...

 

 

Quote

I need to enter a password whenever I start the Unraid array. Does this mean the encryption key is stored on the USB? Or is it useless without the password?

No it does not, see above.

Edited by doron
Link to post
43 minutes ago, doron said:

 

No, it doesn't! My wording may have been confusing - sorry about that, I now see that my text in parentheses can be read in two different ways...

The encryption key does NOT live on the USB by default - the default is to type it in during array startup. IF one does choose to use a keyfile, AND that keyfile is stored on the USB drive - THEN the rest applies.

Hope I'm more clear now...

 

 

No it does not, see above.

 

aaah ok thanks :D

I have to put in my passphrase, so I am safe in that regard! :D

 

Then I think I will keep my secrets like I described above on my encrypted drives, so they won't be acquired if anyone acquires my physical USB drive.

 

Thanks for the info and help!!! :D

Link to post
4 minutes ago, TiNas said:

if anyone acquires my physical USB drive.

Best practice is to mount the USB stick inside the case, that way it can't easily get removed or damaged.

 

IDC to USB adapters are cheap.

Link to post
3 minutes ago, jonathanm said:

Best practice is to mount the USB stick inside the case, that way it can't easily get removed or damaged.

 

IDC to USB adapters are cheap.

 

Good option :) Will look into that.

Link to post
1 hour ago, jonathanm said:

Best practice is to mount the USB stick inside the case, that way it can't easily get removed or damaged.

I have had a negative experience with such a config - you need very good airflow inside your case. My Unraid USB started dropping offline from time to time. I went through the Unraid key replacement procedure, and the new one drops again. After moving it outside, no problems so far.

Link to post
1 minute ago, uldise said:

I have had a negative experience with such a config - you need very good airflow inside your case. My Unraid USB started dropping offline from time to time. I went through the Unraid key replacement procedure, and the new one drops again. After moving it outside, no problems so far.

Are you using a full-size USB 2.0 stick like the Kingston SE9?

Link to post
51 minutes ago, uldise said:

Yes, full-size, in a USB-A port - this port is on the motherboard.

Ahh, I've had good luck taping the stick firmly to the case; that way it has a large heat-sink area instead of sitting in stale air.

Link to post
