Encrypting credentials config file in production with key rotation

Hello all,
This relates to that never ending question of securing the credentials in production/staging envs.

I am wondering if anyone would like to comment / share their thoughts about the following approach we are thinking of taking.

Here we go:

During build phase, an encryption key is generated and credentials are encrypted with it.

On deployment end, during the instantiation the credentials are decrypted using the provided key, and the credentials are loaded into memory. At this point all of the initial files are destroyed. The binary now generates a new encryption key an re-encrypts the credentials, both of which are kept in memory. Newly encrypted credentials along with the key are only dumped onto a filesystem if the application panics and requires to be restarted, at which point the same cycle key rotation decryption/encryption happens again.

Do you think whether there is any security benefit with this approach?

There was similar, now closed discussion:

How to secure env file in production environment

Hi @blues_spare,

I am not in the DevSecOps business and thus not someone to give advice, but if I had to find a way of securing credentials for my apps, I would prefer using tested and proven tools like Hashicorp Vault for managing all credentials and app secrets. Or if I decide on a particular cloud service, they usually have native tools for that purpose.

1 Like