SPIKE: [MODINREACH-19] Approaches to securely store central server key/secret pair

Context

Jira Story

https://folio-org.atlassian.net/browse/MODINREACH-19

Spike goals

Find a way to securely store a central server key/secret pair

Proposed solutions:

1) Encrypted password in database (good enough solution, less effort)

Basically, a central server key/secret pair is a Base64-encoded username and password, so we could store the pairs directly in our database, but we must not store them in plaintext: Base64 is an encoding, not encryption, and anyone who reads the row can decode it.

As with a regular password, we could apply the following common pattern – one-way hashing + salting:

Storing a new key/secret pair:

  1. Hash a secret
  2. Add salt
  3. Store the hash and salt in the database

Checking an existing key/secret pair for validity:

  1. Get a key/secret from request (A)
  2. Get the hashed secret and salt by key from the database (B)
  3. Hash the secret (A)
  4. Add salt (A)
  5. Check if the hashed + salted secret (A) matches the hashed secret (B) retrieved from the database

The Spring framework provides all the required APIs and implementations for encoding (hashing) passwords, salting, etc.
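The store/verify flow above, as an added example that is not part of the original spike or of mod-inn-reach. It uses only the JDK (PBKDF2-HMAC-SHA256 via SecretKeyFactory) so the pattern is visible: a fresh random salt per secret, the salt combined with the secret inside the hash, only the key kept in clear so the row can be looked up, and a constant-time comparison on verify. The in-memory map stands in for the database table, and the assumption that the Base64 pair decodes to "key:secret" is mine; the iteration count and hash length are illustrative choices, not project values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class CentralServerCredentialStore {

    private static final int SALT_BYTES = 16;        // illustrative size
    private static final int ITERATIONS = 310_000;   // illustrative work factor
    private static final int HASH_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    // Stands in for the DB row: key -> (salt, hash). Only the key is stored in clear.
    record StoredSecret(byte[] salt, byte[] hash) {}
    private final Map<String, StoredSecret> table = new ConcurrentHashMap<>();

    /** Store: generate a salt, hash the secret with it, persist salt + hash under the key. */
    public void store(String key, char[] secret) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        table.put(key, new StoredSecret(salt, hash(secret, salt)));
    }

    /** Verify: look up by key, re-hash the presented secret with the stored salt, compare in constant time. */
    public boolean verify(String key, char[] secret) throws Exception {
        StoredSecret row = table.get(key);
        if (row == null) {
            // Unknown key: do the same work anyway so response time does not reveal whether the key exists.
            hash(secret, new byte[SALT_BYTES]);
            return false;
        }
        return MessageDigest.isEqual(row.hash(), hash(secret, row.salt()));
    }

    /** Decode the Base64 pair from the request; "key:secret" layout is an assumption of this example. */
    public static String[] decodePair(String base64Pair) {
        String decoded = new String(Base64.getDecoder().decode(base64Pair), StandardCharsets.UTF_8);
        int sep = decoded.indexOf(':');
        if (sep < 0) {
            throw new IllegalArgumentException("expected key:secret");
        }
        return new String[] { decoded.substring(0, sep), decoded.substring(sep + 1) };
    }

    private static byte[] hash(char[] secret, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(secret, salt, ITERATIONS, HASH_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        CentralServerCredentialStore store = new CentralServerCredentialStore();
        // Constructed sample pair, as the central server would send it in a request.
        String base64 = Base64.getEncoder()
                .encodeToString("central-key:central-secret".getBytes(StandardCharsets.UTF_8));
        String[] pair = decodePair(base64);
        store.store(pair[0], pair[1].toCharArray());

        System.out.println(store.verify("central-key", "central-secret".toCharArray()));
        System.out.println(store.verify("central-key", "wrong-secret".toCharArray()));
        System.out.println(store.verify("no-such-key", "central-secret".toCharArray()));
    }
}
```

In a Spring-based module the same pattern comes for free from Spring Security's PasswordEncoder: BCryptPasswordEncoder.encode() generates and embeds the salt, and matches() performs the salted re-hash and comparison, so the module never handles salts itself.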

2) External secret storage - HashiCorp Vault, AWS Key Manager (Better, generic solution, more effort)

A generic and safer solution. An external secret store takes over the whole lifecycle of sensitive information: storage, usage, revocation, etc.

It provides the following:

  • A persistence backend – storage for all types of secrets (passwords, API keys, certificates, etc.)
  • An API server which handles client requests and performs operations on secrets
  • A number of secret engines, one for each supported secret type

Basically, FOLIO services don’t need to store/manage secrets – all the work is done by the external secret store. This also fits best in a microservices architecture, since the store is a separate service (application) with its own bounded context and responsibility.

Drawbacks:

  • More effort from DevOps, setup/support required
  • More effort from developers, who need to learn the store and how to work with its API (native API / Spring Cloud API)
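How the module side of option 2 would look with HashiCorp Vault, as an added example that is not part of the original spike or of mod-inn-reach. It uses spring-vault-core's VaultTemplate against a KV v2 engine; the mount name "secret", the path layout under inn-reach/central-servers/, the field names, the localhost endpoint and the token placeholder are all assumptions of this example. Storage, revocation and audit logging happen in Vault, so the module only reads and writes through the API.

```java
import java.util.Map;
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.core.VaultKeyValueOperations;
import org.springframework.vault.core.VaultKeyValueOperationsSupport.KeyValueBackend;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.VaultResponse;

public class CentralServerSecretsClient {

    private final VaultKeyValueOperations kv;

    public CentralServerSecretsClient(VaultTemplate vaultTemplate) {
        // KV v2 engine mounted at "secret/" (assumed); each central server gets its own path.
        this.kv = vaultTemplate.opsForKeyValue("secret", KeyValueBackend.KV_2);
    }

    /** Write the pair; Vault keeps it encrypted at rest and versions each write. */
    public void storePair(String centralServerId, String key, String secret) {
        kv.put(path(centralServerId), Map.of("key", key, "secret", secret));
    }

    /** Read the pair back when the module needs it; nothing is cached in the module's own DB. */
    public String[] readPair(String centralServerId) {
        VaultResponse response = kv.get(path(centralServerId));
        if (response == null || response.getData() == null) {
            throw new IllegalStateException("no credentials stored for " + centralServerId);
        }
        Map<String, Object> data = response.getData();
        return new String[] { (String) data.get("key"), (String) data.get("secret") };
    }

    /** Revocation is a delete in Vault; the module has no copy to clean up. */
    public void revokePair(String centralServerId) {
        kv.delete(path(centralServerId));
    }

    private static String path(String centralServerId) {
        return "inn-reach/central-servers/" + centralServerId;
    }

    public static void main(String[] args) {
        // Dev-mode Vault on localhost with a token placeholder; a deployed module would use
        // AppRole or Kubernetes auth instead of a static token.
        VaultTemplate template = new VaultTemplate(
                VaultEndpoint.create("localhost", 8200),
                new TokenAuthentication("<VAULT_TOKEN>"));
        CentralServerSecretsClient client = new CentralServerSecretsClient(template);

        client.storePair("d2ir", "central-key", "central-secret");   // constructed sample values
        String[] pair = client.readPair("d2ir");
        System.out.println("key=" + pair[0]);
        client.revokePair("d2ir");
    }
}
```

With Spring Cloud Vault the same values can instead be injected as ordinary configuration properties, which is the "Spring Cloud API" route mentioned in the drawbacks; the trade-off is that developers then need Vault running locally and in CI, which is the DevOps cost listed above.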

Discussed with Raman Auramau
