Ask HN: Is a file with both public and secret content a secret or not?

2 points by iamAy0 4 years ago | 8 comments

This question showed up while debating whether a configuration file with public application settings and secret values should be stored in Hashicorp's Vault as a secret.

LinuxBender 4 years ago |

A file that would contain a secret should have the secret attributes parameterized and the attribute modified on deployment using Hashicorp Vault, otherwise the entire file would have to be stored in Vault meaning the entire file is a secret. This is a common pattern with Ansible, Chef, Puppet and other configuration management tools that integrate with Vault. Docker also has integrations with Vault and can replace attribute placeholders with their secret contents on deployment of containers. All of the aforementioned platforms have how-to's explaining how to correctly integrate with Vault.

smt88 4 years ago |

The secrets are secret. Store them securely.

If storing the secrets securely doesn't cause the public settings to be inaccessible where/when they're needed, then you have nothing else to do.

Separate the secret and non-secret data. Don't even use files, just let each item be its own individual value with its own key and permissions.

Also, it doesn't sound like anyone debating this is experienced enough to be making security decisions, even very basic ones.

iamAy0 4 years ago | |

we aren't here discussing about whether the used pattern is correct or not, it's clearly not. But that's not the scope of the question.

smt88 4 years ago | | |

Then the file is secret. It's a nonsensical argument.

It's like saying, "If I put military secrets and my grocery list in a locked briefcase, is the briefcase a secret?"

First: yes, of course it is. Second: the secrets are not inherently tied together forever. You can separate them.

gjvc 4 years ago |

https://en.wikipedia.org/wiki/Steganography

iamAy0 4 years ago | |

Steganography is about hiding information within other information, but I don't really see what's the point you are trying to make here. Could you elaborate?

PaulHoule 4 years ago |

If any of it is secret then the whole thing is secret, isn’t it? The only way around that is to break it into multiple parts.

iamAy0 4 years ago | |

exactly my point of view.