Questions tagged [secret-sharing]
The secret-sharing tag has no summary.
                114 questions
            
            
            
1 vote | 1 answer | 278 views
        Is it safe to publish encrypted secrets in a git repository?
                    Tools like Ansible Vault, CNCF SOPS or Chezmoi make it easy to keep secrets encrypted in version control, so that you can publish the repository, but still use the secrets inside when deploying. This ...
                
            
       
        
            
2 votes | 0 answers | 400 views
        Analyzing impact of leaked client_secret in Authorization Code Flow in Keycloak (CVE-2020-27838)
                    CVE-2020-27838 describes that Keycloak has an open endpoint where it's possible to obtain client_secret information, as shown in the example below:
/auth/realms/{realm}/clients-registrations/default/{...
                
            
       
        
            
0 votes | 1 answer | 737 views
        What does it mean to store secret keys as an "environment variable" as opposed to hardcoded in the source code?
                    I see why it is obviously bad to store a secret key and client ID in the source code for a web application. However, how do you go about the alternative? Surely, that information has to be stored ...
                
            
       
        
            
5 votes | 3 answers | 5k views
        Best method to send credentials to clients
                    I'm constantly exchanging credentials with my clients for things like database servers, cloud accounts, etc. Neither I nor my clients have time to implement a sophisticated method for secure ...
                
            
       
        
            
0 votes | 1 answer | 183 views
        How to store ClientID and ClientSecret in a K8 Env
                    I am trying to integrate our service with SSO. I have generated the ClientID and ClientSecret.
Is it a good security practice to store the ClientID and ClientSecret as a configmap? If not, what are the ...
                
            
       
        
            
1 vote | 1 answer | 197 views
        What Criteria Should We Use to Determine What is and isn't a Secret?
                    Background:
We have product development teams, where each team has one or two QA engineers. They run tests from their local machines. Here is what they require:
Application credentials (a clientId ...
                
            
       
        
            
1 vote | 1 answer | 290 views
        How does a TPM verify the identity of the calling process/service?
                    Any application can use a TPM chip to securely create and store cryptographic keys.
For example for Digital Rights Management (DRM) or for prevention of cheating in online games.
However, how can a ...
                
            
       
        
            
0 votes | 1 answer | 354 views
        Is there a viable zero-knowledge approach for using oAuth to generate and manage private keys?
                    I've been doing a deep dive into how products like Web3Auth work under the hood and wonder if this is a viable approach to building applications where a user can have the convenience of using oAuth to ...
                
            
       
        
            
1 vote | 2 answers | 269 views
        Encryption method for file that can only be read by program
                    I have a Python 3 program, and I’m having trouble finding an encryption method that will suit my needs.
Suppose the program is on a thumb drive. I would give the thumb drive to someone else, and they ...
                
            
       
        
            
1 vote | 2 answers | 368 views
        API Client Secrets are Being Logged in Plaintext (PowerShell Logs)
                    I'm currently implementing a PowerShell script to call the Sophos API (https://developer.sophos.com/intro).
Write-Output "`nEnter the Sophos API key / client secret."
$ClientSecret = Read-...
                
            
       
        
            
1 vote | 2 answers | 558 views
        Best and safest way to store secret key used for PKA on server?
                    I interact with some APIs that use PKA and I'm looking for the safest / best-practice way to store my secret key. The approaches I know are for example:
Create a 0500 access directory on my server
...
                
            
       
        
            
0 votes | 0 answers | 399 views
        Best Practice for retrieving secrets securely
                    So a company I work with currently is using a password management system that lets us retrieve the passwords for an application by providing a secure key to an API.  Currently, the key is stored in ...
                
            
       
        
            
0 votes | 0 answers | 31 views
        The difference between a virtual door-lock and a public key [duplicate]
                    The thing that helped me to understand what is a "public key" was to parallel it with a door lock:
The door lock is public in the sense that anyone can try to unlock it and the door key is ...
                
            
       
        
            
4 votes | 2 answers | 2k views
        Web-based secret manager using CryptoJS
                    I'm building an application, part of which will allow businesses to store secrets.
I'm looking at using CryptoJS (https://www.npmjs.com/package/crypto-js). This would encrypt everything on the client ...
                
            
       
        
            
1 vote | 0 answers | 224 views
        Shamir secret sharing, is security reduced by chunking a secret into smaller blocks?
                    When using Shamir's secret sharing algorithm one has to define the size for the finite field over which the secret is split. I came across a few implementations, like secrets.js-lit, and as far as I ...