According to the Kerckhoffs' principle only secrecy of the key provides security, you should take great care of your secrets
In Tabulify, they come in 2 forms:
- secret value (for configuration)
- passphrase (to decrypt vault secret)
Environment
Development
In an development environment, a secret can be shared broadly because the data should have no secrecy character.
Production
In an production environment, the secret should be manipulated with care and be kept private.
How the secrets are distributed depend on your threat model.
There are generally 2 modes of distribution:
- via the environments (The application reads environment variable)
- read at start. The application makes a call at start to an external secret service to retrieve them and is authenticated via passphrase or other mean.
Storing configuration in the environment is one of the tenets of a twelve-factor app. Anything that is likely to change between deployment environments–such as resource handles for databases or credentials for external services–should be extracted from the code into environment variables.
Secret management is to broad to be kept in a single article, if you want more advice contact us.
Note on Wrapper script
If you choose to use a wrapper script to provide the secret (not recommended), the script should at minimum get the following permissions.
- executable (can be executed)
- no read (cannot be read by the user)
Example:
tabli --passphrase secret "$@"