Questions tagged [secret-sharing]
The secret-sharing tag has no usage guidance.
115
questions
2
votes
0
answers
185
views
Analyzing impact of leaked client_secret in Authorization Code Flow in Keycloak (CVE-2020-27838)
CVE-2020-27838 describes that Keycloak has an open endpoint where it's possible to obtain client_secret information, as shown in the example below:
/auth/realms/{realm}/clients-registrations/default/{...
- 21
0
votes
0
answers
82
views
Is it risky to include .env files in the .zip which is uploaded to Elastic Beanstalk for deployment? If so, what is the risk?
Is it okay to upload .env files containing client ID and client secret to elastic beanstalk? If not, what is the risk involved? How would one access those files?
- 123
0
votes
1
answer
451
views
What does it mean to store secret keys as an "environment variable" as opposed to hardcoded in the source code?
I see why it is obviously bad to store a secret key and client ID in the source code for a web application. However, how do you go about the alternative? Surely, that information has to be stored ...
- 123
4
votes
3
answers
2k
views
Best method to send credentials to clients
I'm constantly exchanging credentials with my clients for things like database servers, cloud accounts, etc. Neither I nor my clients, have time to implement a sophisticated method for secure ...
- 141
0
votes
1
answer
98
views
How to store ClientID and ClientSecret in a K8 Env
I am trying integrate our service with SSO. I have generated the ClientID and ClientSecret.
Is it a good security practice to store the ClientID and ClientSecret as a configmap? If not, what are the ...
- 53
1
vote
1
answer
150
views
What Criteria Should We Use to Determine What is and isn't a Secret?
Background:
We have product development teams, where each team has one or two QA engineers. They run tests from their local machines. Here is what they require:
Application credentials (a clientId ...
- 201
1
vote
1
answer
185
views
How does a TPM verify the identity of the calling process/service?
Any application can use a TPM chip to securely create and store cryptographic keys.
For example for Digital Rights Management (DRM) or for prevention of cheating in online games.
However, how can a ...
- 21
0
votes
0
answers
19
views
Is it safe to share sensitive data in a Sharepoint through a public link with third parties? [duplicate]
One of the companies we're working with is sharing their user's database through a public Sharepoint link. While convenient, I'm worried that anyone on the internet can simply access the link (even ...
- 101
0
votes
1
answer
244
views
Is there a viable zero-knowledge approach for using oAuth to generate and manage private keys?
I've been doing a deep dive into how products like Web3Auth work under the hood and wonder if this is a viable approach to building applications where a user can have the convenience of using oAuth to ...
1
vote
2
answers
210
views
Encryption method for file that can only be read by program
I have a Python 3 program, and I’m having trouble finding an encryption method that will suit my needs.
Suppose the program is on a thumb drive. I would give the thumb drive to someone else, and they ...
- 113
1
vote
2
answers
243
views
API Client Secrets are Being Logged in Plaintext (PowerShell Logs)
I'm currently implementing a PowerShell script to call the Sophos API (https://developer.sophos.com/intro).
Write-Output "`nEnter the Sophos API key / client secret."
$ClientSecret = Read-...
1
vote
2
answers
324
views
Best and safest way to store secret key used for PKA on server?
I interact with some API's that use PKA and I'm looking for the safest / best-practice way to store my secret key. The approaches I know are for example:
Create a 0500 access directory on my server
...
- 141
0
votes
0
answers
352
views
Best Practice for retrieving secrets securely
So a company I work with currently is using a password management system that lets us retrieve the passwords for an application by providing a secure key to an API. Currently, the key is stored in ...
- 111
0
votes
0
answers
25
views
The difference between a virtual door-lock and a public key [duplicate]
The thing that helped me to understand what is a "public key" was to parallel it with a door lock:
The door lock is public in the sense that anyone can try to unlock it and the door key is ...
4
votes
2
answers
2k
views
Web-based secret manager using CryptoJS
I'm building an application, part of which will allow businesses to store secrets.
I'm looking at using CryptoJS (https://www.npmjs.com/package/crypto-js). This would encrypt everything on the client ...
- 143