Static Secrets Definition

With the advent of the Internet and social media, regular people have been exposed to the skill of password management and secure login practices. Most of us know not to share passwords, how to create secure ones, and how to handle multiple personal online accounts.

Businesses are the same way. Most companies have multiple applications and services that power internal operations, from the front-end to the back-end. Whether you’re an online publication or a shipping company, you will work with these apps constantly.

These aren’t the apps you’re familiar with on your smartphone, however. The ones here control vital internal processes and workflows, so keeping those passwords safe and secure is essential for any IT department.

The “passwords,” in this case, are known as secrets, and they come in many types. Secrets allow applications in a business to communicate securely. Failing to keep track of your secrets can result in data leakages and compromised logins. Secret management also extends to privilege control; how do ensure that only the right users have access to sensitive company systems?

What Are Static Secrets?

Static secrets are the credentials that machines, applications, services, and humans use to access other applications, whose values remain the same for long periods of time. They come in multiple forms:

  • Passwords
  • SSL certificates
  • SSH Keys
  • Tokens
  • API Keys

Other types exist as well, but secrets, in general, allow you to enter databases or have privileged access to certain accounts. They are necessary for apps to connect and share information within a business and must be changed regularly for security purposes.

Part of the job of a DevOps team is to create secrets and manage them in a vault, and the programs, apps, and end users read them from the vault for use.

Why Do You Need a Secrets Vault?

You have to work with hundreds or even thousands of different logins. If everyone used the same login, everyone would unsafely work with administrator privileges. Whenever you access third-party applications, you want to divide the privileges with individual user accounts.

You also don’t want to store your secrets as plain text. Whether it’s an SSH key for remote access, an API key, or a Lightweight Directory Access Protocol for enterprise directory access, storing any password as plaintext is never secure.

The solution is a centralized secrets management tool. Keeping everything in one place makes it easier to audit and check for vulnerabilities. Encryption is also available so that, even if a cybercriminal gains access to your data, he cannot use it without the static secret key. Even the backend never sees the unencrypted key.

Working with a vault simplifies the process. For example, say you want to generate and manage secrets for Google’s API. The general process works this way:

  • The administrator creates policies for the DevOps teams, the apps, and the services of your business.
  • The DevOps team creates the API key and database root certificates if applicable
  • The apps read the API key, and the services involved read the database root certificate

You want to use a key/value secrets engine, which is used to store the API keys in a specified configured storage. This engine allows you to interact directly with the storage backend you choose. For instance, if you give a “read” command to the engine, it will convert it to a form that the backend understands.

Static Secrets Vs. Dynamic Secrets

Because static secrets are often shared among multiple applications and users, and are not meant to change, it can be difficult to audit usage or rotate the secrets. It’s also fairly easy to accidentally expose passwords this way.

For these reasons, many organizations opt for dynamic secrets that generate each time they are needed and expire quickly. Think of 2-Factor Authentication you use for some of your online accounts.

The vault acts as a middleman between the end user and the application API, passing tokens for secret verification between both parties.