proxmox/docs/04-configuration/MASTER_SECRETS_INVENTORY.md
defiQUG 2a6d3cfc7f
Update submodule references and improve CI workflow
- Update submodule references for explorer-monorepo and smom-dbis-138 to latest commits.
- Modify CI workflow to include shellcheck installation and enforce error severity for script checks.
- Update contract addresses in configuration and documentation to reflect the new canonical addresses for CCIPWETH9Bridge and CCIP Router.
- Revise integration test documentation to align with updated contract addresses and deployment statuses.

Made-with: Cursor
2026-03-24 22:50:52 -07:00


# Master Secrets Inventory & HSM Key Vault Plan
**Last Updated:** 2026-01-31
**Document Version:** 1.0
**Status:** 🔒 Active Documentation, Comprehensive Master List
**Last Change:** Added Ramps, Exchange (Binance/Kraken/Oanda/FXCM) and DeFi credentials
**Purpose:** Complete inventory of all secrets found across the projects directory, and a plan for migrating them to an HSM-backed key vault
---
## Executive Summary
This document provides a comprehensive master list of all secrets discovered across the `/home/intlc/projects` directory, including:
- Secrets in `.env` files
- Hardcoded secrets in scripts
- Secrets documented in markdown files
- Recommendations for HSM Key Vault storage
**Total Secrets Identified:** 50+ unique secrets across multiple categories
---
## 🔴 CRITICAL SECURITY FINDINGS
### Immediate Security Concerns
1. **Private Keys Exposed in Files**
- Plaintext private keys in `.env` files across several projects, plus backup files containing them
- One deployer key is copied into at least five locations (see §1), so a leak of any one copy is a leak of all of them
- A key that has ever been written to disk in plaintext, committed, or pasted into a document is compromised; moving it into an HSM later does not undo that
2. **Hardcoded Secrets in Scripts**
- Cloudflare API tokens in shell scripts
- NPM passwords in shell scripts
- Tunnel tokens in installation scripts
3. **Secrets in Documentation**
- Private keys and passwords reproduced in markdown guides
- API keys in example commands
---
## 📋 COMPREHENSIVE SECRETS INVENTORY
### 1. Blockchain/Web3 Secrets
#### Private Keys (CRITICAL - Highest Priority for HSM)
| Secret Name | Location | Value (Partial) | Status | Priority |
|------------|----------|-----------------|--------|----------|
| `PRIVATE_KEY` | `smom-dbis-138/.env` | `0x5373…d1c8` | 🔴 Exposed | **CRITICAL** |
| `PRIVATE_KEY` | `no_five/.env` | `5373…d1c8` (same key, without `0x`) | 🔴 Exposed | **CRITICAL** |
| `PRIVATE_KEY` | `237-combo/.env` | `5e72…bd14` | 🔴 Exposed | **CRITICAL** |
| `PRIVATE_KEY` | `loc_az_hci/smom-dbis-138/.env` | `5373…d1c8` | 🔴 Exposed | **CRITICAL** |
| `PRIVATE_KEY` | `proxmox/smom-dbis-138/services/*/.env` | `0x5373…d1c8` | 🔴 Exposed | **CRITICAL** |
| `PRIVATE_KEY` | `docs/06-besu/T1_2_CREDENTIALS_VERIFIED.md` | `0x5373…d1c8` | 🔴 Documented | **CRITICAL** |
**Derived Address:** `0x4A666F96fC8764181194447A7dFdb7d471b301C8`
The six rows are copies of two distinct keys: `…d1c8` in five locations and `…bd14` in one. Both have sat on disk and in documentation in plaintext, so both are to be retired and replaced, not merely migrated (see Next Steps).
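The detection and de-duplication behind this table, as an added example (it is not tooling from this project): the scanner walks a directory tree, pulls `NAME=VALUE` assignments out of `.env`, `.sh` and `.md` files, classifies each value (raw 64-hex private key, Cloudflare tunnel token, credential by variable name, placeholder, or public EVM address), and groups findings by a SHA-256 fingerprint so one key copied into several files counts once. The directory layout and every value in `build_fixture` are constructed for the demo; to run it for real, point `scan()` at `/home/intlc/projects` instead.

```python
"""Secret inventory scanner: added example, not tooling from this project.
Finds NAME=VALUE assignments in .env/.sh/.md files, classifies them, and groups
findings by fingerprint so one key copied into several files is counted once."""
import base64, hashlib, json, re, tempfile
from collections import defaultdict
from pathlib import Path

# NAME=VALUE or export NAME="VALUE"; an unquoted value stops at whitespace or '#'
ASSIGN_RE = re.compile(r'^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s#]+)', re.M)
SENSITIVE_NAME_RE = re.compile(r"PRIVATE_KEY|SECRET|PASSW(OR)?D|TOKEN|API_?KEY|_KEY$")
PLACEHOLDER_RE = re.compile(r"CHANGE_THIS|your[_-]|<[^>]*>|\.\.\.|xxx", re.I)


def mask(value):
    """Keep just enough to tell findings apart: first 4 and last 4 characters."""
    return f"{value[:4]}...{value[-4:]}" if len(value) > 12 else "****"


def decode_tunnel_token(value):
    """Cloudflare tunnel tokens are base64(JSON) with keys a (account), t (tunnel), s (secret)."""
    try:
        obj = json.loads(base64.b64decode(value + "=" * (-len(value) % 4)))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return obj if isinstance(obj, dict) and {"a", "t", "s"} <= obj.keys() else None


def classify(name, value):
    """private_key | tunnel_token | credential | placeholder | None (public config)."""
    if "KEY" in name and re.fullmatch(r"(?:0x)?[0-9a-fA-F]{64}", value):
        return "private_key"                  # raw 32-byte key, with or without 0x
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", value):
        return None                           # EVM address: public even as LINK_TOKEN
    if decode_tunnel_token(value):
        return "tunnel_token"
    if not SENSITIVE_NAME_RE.search(name):
        return None
    return "placeholder" if PLACEHOLDER_RE.search(value) else "credential"


def fingerprint(kind, value):
    """Stable id for de-duplication; hex keys normalised so 0x and bare copies match."""
    if kind == "private_key":
        value = re.sub(r"^0x", "", value.lower())
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def scan(root):
    """One finding per sensitive assignment under root, with the value already masked."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.name.endswith(".env") or path.suffix in {".sh", ".md"}):
            for name, raw in ASSIGN_RE.findall(path.read_text(errors="replace")):
                value = raw.strip("\"'")
                if kind := classify(name, value):
                    findings.append({"file": path.relative_to(root).as_posix(), "name": name,
                                     "kind": kind, "fp": fingerprint(kind, value), "masked": mask(value)})
    return findings


def summarize(findings):
    """Collapse findings by fingerprint; placeholders are listed but not counted as secrets."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["fp"]].append(f)
    secrets = {fp: fs for fp, fs in groups.items() if fs[0]["kind"] != "placeholder"}
    by_kind = defaultdict(int)
    for fs in secrets.values():
        by_kind[fs[0]["kind"]] += 1
    return {"total_findings": len(findings), "unique_secrets": len(secrets), "by_kind": dict(by_kind),
            "reused": {fp: {"masked": fs[0]["masked"], "locations": [f"{f['file']}:{f['name']}" for f in fs]}
                       for fp, fs in secrets.items() if len(fs) > 1}}


def build_fixture(root):
    """Constructed sample tree mirroring the inventory's findings; every value is made up."""
    key_a, key_b = "5373" + "ab" * 28 + "d1c8", "5e72" + "cd" * 28 + "bd14"   # key_a: four copies
    tunnel = base64.b64encode(json.dumps({"a": "0" * 32, "t": "1111-2222", "s": "c2VjcmV0"}).encode()).decode()
    files = {
        "smom-dbis-138/.env": f"PRIVATE_KEY=0x{key_a}\nLINK_TOKEN=0x{'b' * 40}\n",
        "no_five/.env": f"PRIVATE_KEY={key_a}\n",
        "loc_az_hci/smom-dbis-138/.env": f"PRIVATE_KEY={key_a}\n",
        "237-combo/.env": f"PRIVATE_KEY={key_b}\n",
        "docs/T1_2_CREDENTIALS_VERIFIED.md": f"Deployer key:\n\n    export PRIVATE_KEY=0x{key_a}\n",
        "scripts/install-shared-tunnel-token.sh": f'#!/bin/bash\nTUNNEL_TOKEN="{tunnel}"\n',
        "proxmox/.env": "CLOUDFLARE_API_TOKEN=cf-sample-token-0000000000000000000000000\n"
                        "NPM_PASSWORD=Sample-Passw0rd!\nCLOUDFLARE_ACCOUNT_ID=" + "0" * 32 + "\n",
        "deployment/ENVIRONMENT_TEMPLATE.env": "DB_PASSWORD=CHANGE_THIS_SECURE_PASSWORD\n",
    }
    for rel, content in files.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(content)


def run_demo():
    """Scan the constructed tree and return the summary (nothing unmasked leaves here)."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return summarize(scan(root))
```

On the constructed tree the summary reports nine findings but five unique secrets (two private keys, one tunnel token, two credentials), with the `…d1c8` key listed under `reused` at four locations; `LINK_TOKEN` is skipped because its value is a public address, and the `CHANGE_THIS…` template value is kept as a placeholder rather than a secret. Classification by variable name is deliberately broad and the 64-hex check only fires under a `*KEY*` name, so a 64-hex NPM password is still a credential rather than a key.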
#### Contract Addresses (Public identifiers, not secrets)
| Secret Name | Location | Value | Status |
|------------|----------|-------|--------|
| `LINK_TOKEN` | Multiple `.env` files | `0xb7721dD53A8c629d9f1Ba31a5819AFe250002b03` | ✅ Public |
| `CCIP_ROUTER` | Multiple `.env` files | `0x42DAb7b888Dd382bD5Adcf9E038dBF1fD03b4817` | ✅ Public |
| `CCIP_FEE_TOKEN` | Multiple `.env` files | `0xb7721dD53A8c629d9f1Ba31a5819AFe250002b03` | ✅ Public |
| `TOKEN_FACTORY` | `proxmox/smom-dbis-138/.env` | `0xEBFb5C60dE5f7C4baae180CA328D3BB39E1a5133` | ✅ Public |
| `TOKEN_REGISTRY_ADDRESS` | `proxmox/smom-dbis-138/.env` | `0x91Efe92229dbf7C5B38D422621300956B55870Fa` | ✅ Public |
---
### 2. Cloudflare Secrets
#### API Credentials
| Secret Name | Location | Value (Partial) | Status | Priority |
|------------|----------|-----------------|--------|----------|
| `CLOUDFLARE_API_TOKEN` | `loc_az_hci/smom-dbis-138/.env` | `CWNC…m47N` | 🔴 Exposed | **HIGH** |
| `CLOUDFLARE_API_KEY` | `proxmox/.env` | `65d8…a0f0` (37-hex Global API Key: together with `CLOUDFLARE_EMAIL` it grants full account access, unlike a scoped token) | 🔴 Exposed | **CRITICAL** |
| `CLOUDFLARE_API_KEY` | `loc_az_hci/.env` | `x2Kg…wGcW` (40-character API-token format despite the variable name) | 🔴 Exposed | **HIGH** |
| `CLOUDFLARE_API_TOKEN` | `scripts/fix-certbot-dns-propagation.sh` | `JSEO…EJIk` | 🔴 Hardcoded | **HIGH** |
| `CLOUDFLARE_TUNNEL_TOKEN` | `proxmox/.env` | `sRwH…2bRP` (API-token format rather than a tunnel token; verify what it actually is before migrating) | 🔴 Exposed | **HIGH** |
| `CLOUDFLARE_TUNNEL_TOKEN` | `loc_az_hci/.env` | `sRwH…2bRP` (same value) | 🔴 Exposed | **HIGH** |
| `TUNNEL_TOKEN` | `scripts/install-shared-tunnel-token.sh` | `eyJh…bCJ9` (base64 JSON carrying the account ID, tunnel ID and tunnel secret; anyone holding it can run a connector for that tunnel) | 🔴 Hardcoded | **HIGH** |
| `CLOUDFLARE_ORIGIN_CA_KEY` | `proxmox/.env` | `v1.0-e710…43bd` | 🔴 Exposed |
 **HIGH** |
#### Zone/Account IDs (Less Sensitive)
| Secret Name | Location | Value | Status |
|------------|----------|-------|--------|
| `CLOUDFLARE_ACCOUNT_ID` | Multiple `.env` files | `52ad57a71671c5fc009edf0744658196` | ⚠️ Semi-Sensitive |
| `CLOUDFLARE_ZONE_ID` | Multiple `.env` files | Multiple zone IDs | ⚠️ Semi-Sensitive |
| `CLOUDFLARE_EMAIL` | `proxmox/.env` | `pandoramannli@gmail.com` | ⚠️ Semi-Sensitive |
---
### 3. Nginx Proxy Manager (NPMplus) Secrets
| Secret Name | Location | Value (Partial) | Status | Priority |
|------------|----------|-----------------|--------|----------|
| `NPM_PASSWORD` | `scripts/create-npmplus-proxy.sh` | `ce82…ff72` | 🔴 Hardcoded | **HIGH** |
| `NPM_PASSWORD` | `scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh` | `ce82…ff72` (same value) | 🔴 Hardcoded | **HIGH** |
| `NPM_PASSWORD` | `proxmox/.env` | `L@k…` (a different value from the scripts; confirm which one is current before migrating) | 🔴 Exposed | **HIGH** |
| `NPM_EMAIL` | `proxmox/.env` | `nsatoshi2007@hotmail.com` | ⚠️ Exposed | **MEDIUM** |
| `NPM_EMAIL` | Scripts | `admin@example.org` | ⚠️ Hardcoded | **MEDIUM** |
---
### 4. UniFi/Omada Network Secrets
| Secret Name | Location | Value (Partial) | Status | Priority |
|------------|----------|-----------------|--------|----------|
| `UNIFI_API_KEY` | `docs/04-configuration/UDM_PRO_API_LIMITATIONS.md` | `_6WX…E-Wg` | 🔴 Documented | **HIGH** |
| `UNIFI_PASSWORD` | Multiple docs | `L@k…` (a near-identical variant of the `NPM_PASSWORD` in `proxmox/.env`: one leak opens both admin surfaces, so rotate both to unrelated random values) | 🔴 Documented | **HIGH** |
| `OMADA_API_KEY` | `proxmox/omada-api/.env` | (check file) | ⚠️ Needs Review | **MEDIUM** |
| `OMADA_CLIENT_SECRET` | `proxmox/omada-api/.env` | (check file) | ⚠️ Needs Review | **MEDIUM** |
---
### 5. Database Credentials
| Secret Name | Location | Format | Status | Priority |
|------------|----------|--------|--------|----------|
| `DATABASE_URL` | `dbis_core/.env` | `postgresql://user:password@host:port/db` | 🔴 Contains Password | **HIGH** |
| `POSTGRES_PASSWORD` | Various | (check files) | ⚠️ Needs Review | **HIGH** |
| `DB_PASSWORD` | `explorer-monorepo/deployment/ENVIRONMENT_TEMPLATE.env` | `CHANGE_THIS_SECURE_PASSWORD` | ⚠️ Placeholder | **MEDIUM** |
---
### 6. Admin Central API (Service-to-Service)
| Secret Name | Location | Purpose | Status | Priority |
|------------|----------|---------|--------|----------|
| `ADMIN_CENTRAL_API_KEY` | dbis_core, orchestration portal, token-aggregation, multi-chain-execution | Shared secret for Admin Central API (audit append, permission check, audit query). Set in each service that calls dbis_core `/api/admin/central/*`. | ⚠️ Not yet provisioned; generate a strong random value (32+ bytes from a CSPRNG) per environment | **HIGH** |
| `DBIS_CENTRAL_URL` | orchestration portal, token-aggregation, multi-chain-execution | Base URL of dbis_core API (e.g. `https://dbis-api.d-bis.org` or `http://localhost:3000`). Required for central audit. | Config | **MEDIUM** |
| `ADMIN_JWT_SECRET` or `JWT_SECRET` | orchestration portal | Optional; when set, portal login issues JWT and Bearer token is accepted. Use same as dbis_core for shared auth. | ⚠️ Placeholder | **MEDIUM** |
---
### 7. JWT/Session Secrets
| Secret Name | Location | Status | Priority |
|------------|----------|--------|----------|
| `JWT_SECRET` | `explorer-monorepo/deployment/ENVIRONMENT_TEMPLATE.env` | ⚠️ Placeholder | **MEDIUM** |
| `SESSION_SECRET` | Various | ⚠️ Needs Review | **MEDIUM** |
---
### 8. Third-Party API Keys
| Secret Name | Location | Status | Priority |
|------------|----------|--------|----------|
| `ETHERSCAN_API_KEY` | Various `.env.example` files | ⚠️ Needs Review | **MEDIUM** |
| `METAMASK_API_KEY` | Various | ⚠️ Needs Review | **MEDIUM** |
| `THIRDWEB_SECRET_KEY` | Various | ⚠️ Needs Review | **MEDIUM** |
| `TENDERLY_API_KEY` | `impersonator/docs/` | ⚠️ Placeholder | **LOW** |
#### Crypto.com OTC API (DBIS Core Exchange Integration)
| Secret Name | Location | Status | Priority |
|------------|----------|--------|----------|
| `CRYPTO_COM_API_KEY` | `dbis_core/.env` | ⚠️ Required for OTC | **MEDIUM** |
| `CRYPTO_COM_API_SECRET` | `dbis_core/.env` | ⚠️ Required for OTC | **MEDIUM** |
| `CRYPTO_COM_ENVIRONMENT` | `dbis_core/.env` | Optional (`production`/`uat`) | **LOW** |
**Purpose:** Crypto.com Exchange OTC 2.0 API for institutional OTC trading. See [DBIS_CORE_API_REFERENCE.md](../11-references/DBIS_CORE_API_REFERENCE.md).
#### Fiat On/Off Ramps (metamask-integration)
| Secret Name | Location | Status | Priority |
|------------|----------|--------|----------|
| `MOONPAY_API_KEY` | `metamask-integration/.env` | On-ramp/Off-ramp | **MEDIUM** |
| `MOONPAY_SECRET_KEY` | `metamask-integration/.env` | Optional | **LOW** |
| `RAMP_NETWORK_API_KEY` | `metamask-integration/.env` | On-ramp/Off-ramp | **MEDIUM** |
| `TRANSAK_API_KEY` | `metamask-integration/.env` | On-ramp/Off-ramp | **MEDIUM** |
| `TRANSAK_PARTNER_ID` | `metamask-integration/.env` | Optional | **LOW** |
| `BANXA_API_KEY` | `metamask-integration/.env` | On-ramp/Off-ramp | **MEDIUM** |
| `BANXA_SECRET` | `metamask-integration/.env` | Optional | **LOW** |
| `ONRAMPER_API_KEY` | `metamask-integration/.env` | Aggregator | **MEDIUM** |
| `STRIPE_SECRET_KEY` | `metamask-integration/.env` | Stripe Crypto Onramp | **MEDIUM** |
| `COINBASE_CLIENT_ID` | `metamask-integration/.env` | Coinbase Ramps | **MEDIUM** |
| `COINBASE_CLIENT_SECRET` | `metamask-integration/.env` | Coinbase Ramps | **MEDIUM** |
| `CYBRID_API_KEY` | `metamask-integration/.env` | Cybrid platform | **MEDIUM** |
| `SARDINE_API_KEY` | `metamask-integration/.env` | Sardine Onramp | **MEDIUM** |
| `HONEYCOIN_API_KEY` | `metamask-integration/.env` | HoneyCoin Offramp | **MEDIUM** |
#### FX and Crypto Exchanges (dbis_core)
| Secret Name | Location | Status | Priority |
|------------|----------|--------|----------|
| `BINANCE_API_KEY` | `dbis_core/.env` | Optional (public ticker works without) | **LOW** |
| `BINANCE_API_SECRET` | `dbis_core/.env` | For private endpoints | **MEDIUM** |
| `KRAKEN_API_KEY` | `dbis_core/.env` | Optional (public ticker works without) | **LOW** |
| `KRAKEN_PRIVATE_KEY` | `dbis_core/.env` | For private endpoints | **MEDIUM** |
| `OANDA_API_KEY` | `dbis_core/.env` | Traditional forex | **MEDIUM** |
| `OANDA_ACCOUNT_ID` | `dbis_core/.env` | Traditional forex | **MEDIUM** |
| `OANDA_ENVIRONMENT` | `dbis_core/.env` | `practice` or `live` | **LOW** |
| `FXCM_API_TOKEN` | `dbis_core/.env` | Traditional forex | **MEDIUM** |
#### DeFi Aggregators (alltra-lifi-settlement)
| Secret Name | Location | Status | Priority |
|------------|----------|--------|----------|
| `ONEINCH_API_KEY` | `alltra-lifi-settlement/.env` | Higher rate limits | **LOW** |
| `PARASWAP_API_KEY` | `alltra-lifi-settlement/.env` | Higher rate limits | **LOW** |
| `ZEROX_API_KEY` | `alltra-lifi-settlement/.env` | Higher rate limits | **LOW** |
---
### 9. Service-Specific Secrets
| Secret Name | Location | Status | Priority |
|------------|----------|--------|----------|
| `SITE_MANAGER_API_KEY` | Various docs | ⚠️ Placeholder | **MEDIUM** |
| `WALLETCONNECT_PROJECT_ID` | Various | ⚠️ Needs Review | **MEDIUM** |
| `SENTRY_DSN` | Various | ⚠️ Optional | **LOW** |
| `DATADOG_API_KEY` | Various | ⚠️ Optional | **LOW** |
**Projects with `.env` / secrets (document here when used):**
- **OMNIS**: `JWT_SECRET`, `DATABASE_URL`, `VITE_API_URL`, Sankofa Phoenix/OAuth client secrets
- **dbis_core**: see §2, §5, §6, §8
- **the-order** (legal-documents): court e-filing and e-signature API keys, to be added to this inventory once those integrations are configured
---
## 🔐 HSM KEY VAULT MIGRATION PLAN
### Overview
An HSM (Hardware Security Module) holds key material in tamper-resistant hardware and performs signing and decryption inside the device, so keys generated in it never exist in plaintext outside it. Two cases need to be kept apart in this plan: keys *generated in* the HSM (the new blockchain signing keys) gain that non-exportability, whereas secrets merely *stored as data* in a vault (API tokens, passwords) are still handed back in plaintext to any client whose policy permits the read. For the second group the HSM protects the vault's own encryption keys, and the gain is central access control, audit logging and rotation. This plan outlines the migration strategy for moving all identified secrets into such an HSM-backed key vault.
---
### HSM Key Vault Architecture
#### Recommended Solutions
1. **HashiCorp Vault with HSM Backend** (Recommended)
- Industry-standard secrets management with a good API and CLI
- HSM integration via PKCS#11 for auto-unseal, seal wrapping and managed keys; these HSM features require Vault Enterprise, while the open-source build can still auto-unseal with a cloud KMS (AWS KMS, Azure Key Vault, GCP Cloud KMS)
- Supports multiple HSM vendors
- Open-source with enterprise options
2. **AWS CloudHSM + AWS Secrets Manager**
- Fully managed HSM service
- FIPS 140-2 Level 3 certified
- Integrated with AWS ecosystem
- High availability built-in
3. **Azure Key Vault with HSM**
- Managed HSM option
- FIPS 140-2 Level 3 certified
- Integration with Azure services
- Multi-region support
4. **Google Cloud HSM + Secret Manager**
- Cloud HSM option
- Integration with GCP services
- High availability
5. **On-Premise HSM (Thales, Utimaco, etc.)**
- Maximum control
- FIPS 140-2 Level 3/4
- Requires infrastructure management
- Best for air-gapped environments
---
### Migration Priority Matrix
#### Phase 1: CRITICAL - First Migration Window (Week 5-6 of the Timeline; rotation of the exposed values happens now, see Next Steps)
**Target Secrets:**
- All `PRIVATE_KEY` values (blockchain private keys)
- Cloudflare API tokens and keys
- Database passwords
- NPM passwords
**Rationale:**
- Private keys are the most sensitive assets
- API tokens provide broad access
- Database credentials protect data integrity
**HSM Storage:**
- Private keys: generate *new* keys inside the HSM (or a KMS offering a secp256k1 key type, e.g. AWS KMS `ECC_SECG_P256K1`) and never export them; sign through the device's API rather than handing the key to `cast` or a `.env` file
- The exposed keys in §1 cannot be made safe by moving them: treat them as compromised, transfer contract ownership and funds to the new keys, then retire them
- API tokens: encrypted at rest in the vault, released only to the identities named in the Step 5 policies
- Passwords: encrypted with HSM-backed keys
---
#### Phase 2: HIGH PRIORITY - Short-Term Migration (Week 7-8)
**Target Secrets:**
- JWT secrets
- Session secrets
- Service API keys (Omada, UniFi)
- Tunnel tokens
**Rationale:**
- Authentication/authorization secrets
- Network management credentials
- Service integration keys
**HSM Storage:**
- Encryption keys for secrets
- Key derivation functions
- Secure key rotation
---
#### Phase 3: MEDIUM PRIORITY - Medium-Term Migration (Month 2)
**Target Secrets:**
- Third-party API keys
- Monitoring credentials
- Optional service keys
**Rationale:**
- Lower risk but still sensitive
- Can be migrated incrementally
- Allows for testing and validation
---
#### Phase 4: LOW PRIORITY - Long-Term Migration (Month 3+)
**Target Secrets:**
- Configuration values
- Public identifiers
- Development-only secrets
**Rationale:**
- Lower security impact
- May not require HSM storage
- Standard encryption sufficient
---
### HSM Key Vault Implementation Plan
#### Step 1: HSM Selection & Setup
**Recommended: HashiCorp Vault with HSM Backend**
1. **Hardware Selection:**
- Option A: Cloud HSM (AWS CloudHSM, Azure Dedicated HSM)
- Option B: On-premise HSM (Thales Luna, Utimaco, etc.)
- Option C: Software HSM for development (SoftHSM)
2. **Vault Installation:**
```hcl
# vault.hcl (excerpt): HSM-backed auto-unseal through PKCS#11 (a Vault Enterprise feature)
seal "pkcs11" {
  lib            = "/usr/lib/softhsm/libsofthsm2.so"  # vendor PKCS#11 library; SoftHSM for dev
  slot           = "0"
  pin            = "hsm-user-pin"                     # better: VAULT_HSM_PIN in the environment
  key_label      = "vault-unseal"
  hmac_key_label = "vault-hmac"
  generate_key   = "true"                             # create both keys on first start
}
# Then add HA storage (raft), a TLS listener, and an auth method (LDAP/OIDC) as usual
```
3. **HSM Integration:**
- Configure PKCS#11 library
- Initialize HSM partition
- Create master keys
- Test key operations
---
#### Step 2: Secret Organization Structure
**Vault Path Structure:**
```
secret/
├── blockchain/
│   ├── private-keys/
│   │   ├── deployer/
│   │   ├── validator-1/
│   │   ├── validator-2/
│   │   └── ...
│   ├── contract-addresses/
│   └── rpc-endpoints/
├── cloudflare/
│   ├── api-tokens/
│   ├── tunnel-tokens/
│   └── zone-ids/
├── infrastructure/
│   ├── proxmox/
│   ├── npm/
│   └── unifi/
├── databases/
│   ├── postgres/
│   └── redis/
├── services/
│   ├── jwt-secrets/
│   ├── api-keys/
│   └── webhooks/
└── third-party/
    ├── etherscan/
    ├── metamask/
    └── ...
```
---
#### Step 3: Secret Migration Process
**For Each Secret:**
1. **Extract from Current Location**
```bash
# Find every copy before touching anything (variable names, never values, on the command line)
grep -rn --include='.env' --include='*.env' --include='*.sh' --include='*.md' \
  -E 'PRIVATE_KEY|CLOUDFLARE_|NPM_PASSWORD|TUNNEL_TOKEN' /home/intlc/projects
# Record each location and which service reads it; that list drives steps 3 and 5
```
2. **Store in Vault**
```bash
# Using the Vault CLI: read the value from a file (or `-` for stdin) so it never
# lands in shell history or in `ps` output
vault kv put secret/blockchain/private-keys/deployer private_key=@/run/migrate/deployer.key
# Or using the API; KV v2 wraps the fields under "data": {"data":{"private_key":"0x..."}}
curl -sS --fail -X POST \
  -H "X-Vault-Token: $VAULT_TOKEN" \
  -d @/run/migrate/deployer.json \
  https://vault.example.com/v1/secret/data/blockchain/private-keys/deployer
shred -u /run/migrate/deployer.key /run/migrate/deployer.json
```
3. **Update Application Code**
```bash
# Replace direct file reads with Vault API calls
# Use Vault agent for automatic secret injection
# Update deployment scripts
```
4. **Verify & Test**
```bash
# Read back exactly the field the application will use
vault kv get -field=private_key secret/blockchain/private-keys/deployer >/dev/null
# Exercise the application, then confirm no hardcoded fallback survived (-l: file names only)
grep -rlE '[0-9a-fA-F]{64}' --include='.env' --include='*.env' --include='*.sh' /home/intlc/projects
```
5. **Remove from Old Location**
```bash
# Delete the lines from .env files and scripts, update the docs, then confirm git
# will not pick the file up; .gitignore protects only files that were never committed
git check-ignore -v .env
git log --all --oneline -- '*.env'    # any output: the secret is in history and must be purged
# Purge committed secrets (e.g. git filter-repo) and rotate them; a purge cannot recall clones
```
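The five steps above as one script, added here as an example (it is not this project's migration tooling): it parses the `.env` line, writes the field to KV v2 (`POST /v1/<mount>/data/<path>` with the fields wrapped under `data`), reads it back and refuses to scrub the file on a mismatch, moves the line into the `.env.tpl` form Vault Agent renders, removes it from `.env`, and checks that `.gitignore` covers the file. `VaultKV2` talks to a real server and its address, token and `secret` mount are assumptions; the demo swaps in an in-memory `FakeVault` so it runs offline against a constructed `.env` with a made-up key.

```python
"""Migrate one .env secret into Vault KV v2 and scrub the file: added example for the
five migration steps above, not tooling from this project. Vault address, mount and
paths are assumptions; the demo runs offline against an in-memory stand-in."""
import fnmatch, json, re, tempfile, urllib.request
from pathlib import Path

ASSIGN_RE = re.compile(r'^(?P<lead>[ \t]*(?:export[ \t]+)?)(?P<name>[A-Z][A-Z0-9_]*)[ \t]*=[ \t]*'
                       r'(?P<value>"[^"]*"|\'[^\']*\'|[^\s#]*)[^\n]*$', re.M)


class VaultKV2:
    """Minimal KV v2 client over Vault's HTTP API; KV v2 wraps fields under "data"."""
    def __init__(self, addr, token, mount="secret"):
        self.addr, self.token, self.mount = addr.rstrip("/"), token, mount

    def _call(self, method, path, body=None):
        req = urllib.request.Request(f"{self.addr}/v1/{path}", method=method,
                                     data=None if body is None else json.dumps(body).encode(),
                                     headers={"X-Vault-Token": self.token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)

    def put(self, path, data):
        self._call("POST", f"{self.mount}/data/{path}", {"data": data})

    def get(self, path):
        return self._call("GET", f"{self.mount}/data/{path}")["data"]["data"]


class FakeVault:
    """Same put/get contract, in memory, so the demo and its test need no server."""
    def __init__(self):
        self.store = {}

    def put(self, path, data):
        self.store[path] = dict(data)

    def get(self, path):
        return dict(self.store[path])


class BrokenVault(FakeVault):
    """Stand-in whose reads come back corrupted, to exercise the read-back guard."""
    def get(self, path):
        return {k: v + "!" for k, v in self.store[path].items()}


def migrate_secret(env_path, name, vault, vault_path, field, mount="secret"):
    """Move NAME from env_path to Vault at vault_path/field and return the template line.
    The .env line is removed only after the value has been read back and matches."""
    env_path = Path(env_path)
    text = env_path.read_text()
    match = next((m for m in ASSIGN_RE.finditer(text) if m.group("name") == name), None)
    if match is None:
        raise KeyError(f"{name} not found in {env_path}")
    value = match.group("value").strip("\"'")
    vault.put(vault_path, {field: value})
    if vault.get(vault_path).get(field) != value:
        raise RuntimeError(f"read-back mismatch for {vault_path}; {env_path} left untouched")
    template_line = (f'{match.group("lead")}{name}={{{{ with secret "{mount}/data/{vault_path}" }}}}'
                     f'{{{{ .Data.data.{field} }}}}{{{{ end }}}}')
    Path(f"{env_path}.tpl").write_text(text[:match.start()] + template_line + text[match.end():])
    env_path.write_text(text[:match.start()] + text[match.end():].lstrip("\n"))   # value gone
    return template_line


def gitignore_covers(repo_root, rel_path):
    """Rough .gitignore check (no negation/anchoring); in a real repo use `git check-ignore -v`.
    Ignoring a file does nothing for copies already committed: check git history as well."""
    ignore = Path(repo_root, ".gitignore")
    patterns = [p.strip().rstrip("/") for p in ignore.read_text().splitlines()] if ignore.is_file() else []
    return any(p and not p.startswith("#") and (fnmatch.fnmatch(Path(rel_path).name, p)
                                                or fnmatch.fnmatch(rel_path, p)) for p in patterns)


def run_demo():
    """Constructed .env holding a made-up key, migrated into the in-memory Vault."""
    key = "0x" + "ab" * 32
    with tempfile.TemporaryDirectory() as root:
        env = Path(root, ".env")
        env.write_text(f"PRIVATE_KEY={key}  # deployer\nLINK_TOKEN=0x{'b' * 40}\n")
        Path(root, ".gitignore").write_text("node_modules/\n.env\n*.env\n")
        vault = FakeVault()
        line = migrate_secret(env, "PRIVATE_KEY", vault, "blockchain/private-keys/deployer", "private_key")
        broken = Path(root, "broken.env")
        broken.write_text(f"PRIVATE_KEY={key}\n")
        try:
            migrate_secret(broken, "PRIVATE_KEY", BrokenVault(), "x", "private_key")
            guard_held = False
        except RuntimeError:
            guard_held = key in broken.read_text()      # file untouched after the failed check
        return {"template_line": line, "env_after": env.read_text(),
                "tpl_after": Path(f"{env}.tpl").read_text(),
                "stored": vault.store["blockchain/private-keys/deployer"]["private_key"] == key,
                "gitignored": gitignore_covers(root, ".env"), "guard_held": guard_held}
```

After `migrate_secret` the `.env` keeps only `LINK_TOKEN`, the `.env.tpl` carries the `{{ with secret ... }}` expression in its place, and the `BrokenVault` run shows the guard: when the read-back does not match, the file is left exactly as it was. Against a real server, construct `VaultKV2(addr, token)` from `VAULT_ADDR` and a token issued to the migration identity, and run the scrub step from a host whose `.env` copies are the ones being retired.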
---
#### Step 4: Application Integration
**Vault Agent (Recommended for Applications):**
```hcl
# vault-agent.hcl
pid_file = "/tmp/vault-agent.pid"

vault {
  address = "https://vault.example.com:8200"
}

auto_auth {
  # Kubernetes auth assumes the app runs in a cluster; on a Proxmox VM or LXC use
  # method "approle" (role_id/secret_id read from files) or "cert" instead
  method "kubernetes" {
    mount_path = "auth/kubernetes"
    config = {
      role = "my-app"
    }
  }
}

template {
  source      = "/etc/secrets/.env.tpl"
  # The rendered file holds the secret in plaintext: put /etc/secrets on tmpfs,
  # owned by the application user, and never let a signing key reach shared disk
  destination = "/etc/secrets/.env"
  perms       = 0600
}
```
**Template File:**
```bash
# /etc/secrets/.env.tpl
PRIVATE_KEY={{ with secret "secret/data/blockchain/private-keys/deployer" }}{{ .Data.data.private_key }}{{ end }}
CLOUDFLARE_API_TOKEN={{ with secret "secret/data/cloudflare/api-tokens/main" }}{{ .Data.data.token }}{{ end }}
```
**Direct API Integration (For Scripts):**
```bash
#!/bin/bash
set -euo pipefail
# Fetch secrets from Vault (VAULT_ADDR and a token from Vault Agent or `vault login` in the environment)
PRIVATE_KEY=$(vault kv get -field=private_key secret/blockchain/private-keys/deployer)
CLOUDFLARE_TOKEN=$(vault kv get -field=token secret/cloudflare/api-tokens/main)
# Use secrets. Caution: --private-key puts the raw key into this process's argv, readable by
# other local users via `ps` on a default Linux install; keep this only as a stopgap. The
# HSM-grade form is a signer that never returns the key, e.g. `cast send --aws` against an
# AWS KMS secp256k1 key or a hardware wallet, with no private_key entry in Vault at all.
cast send ... --private-key "$PRIVATE_KEY"
```
---
#### Step 5: Access Control & Policies
**Vault Policies:**
```hcl
# blockchain-deployer.hcl
path "secret/data/blockchain/private-keys/deployer" {
  capabilities = ["read"]
}
path "secret/data/blockchain/contract-addresses/*" {
  capabilities = ["read"]
}

# cloudflare-admin.hcl
path "secret/data/cloudflare/*" {
  capabilities = ["create", "read", "update"]
}

# inventory-readonly.hcl: can list which secrets exist and their versions, never the values.
# A blanket ["read"] on secret/data/* would hand the monitoring identity every private key.
path "secret/metadata/*" {
  capabilities = ["list", "read"]
}
```
**Role Assignment:**
- Deployer service: `blockchain-deployer` policy
- DNS automation: `cloudflare-admin` policy
- Monitoring: `inventory-readonly` policy
---
#### Step 6: Key Rotation Strategy
**Automated Rotation:**
1. **Private Keys:**
- Generate new key in HSM
- Update contract ownership
- Archive old key (encrypted)
- Update all references
2. **API Tokens:**
- Create new token
- Update in Vault
- Update applications
- Revoke old token after grace period
3. **Passwords:**
- Generate new password
- Update in Vault
- Rotate database passwords
- Update connection strings
**Rotation Schedule:**
- Private keys: Annually (or on compromise)
- API tokens: Quarterly
- Passwords: Quarterly
- JWT secrets: Monthly
- Anything already marked Exposed, Hardcoded or Documented in this inventory: now, ahead of any schedule, because the exposure has already happened
---
### Security Best Practices
#### 1. HSM Configuration
- **FIPS 140-2 Level 3+ certification**
- **Multi-factor authentication for HSM access**
- **Key escrow and backup procedures**
- **Audit logging for all key operations**
- **Physical security for on-premise HSMs**
#### 2. Vault Configuration
- **TLS encryption for all connections**
- **Seal/unseal key management (Shamir or HSM)**
- **High availability with multiple nodes**
- **Regular backups of Vault data**
- **Network isolation for Vault cluster**
#### 3. Access Control
- **Principle of least privilege**
- **Role-based access control (RBAC)**
- **Time-bound access tokens**
- **IP whitelisting for API access**
- **Regular access reviews**
#### 4. Monitoring & Auditing
- **All secret access logged**
- **Failed access attempts alerted**
- **Regular security audits**
- **Compliance reporting**
- **Anomaly detection**
---
### Migration Checklist
#### Pre-Migration
- [ ] Select HSM solution
- [ ] Set up HSM infrastructure
- [ ] Install and configure Vault
- [ ] Create vault path structure
- [ ] Define access policies
- [ ] Set up authentication methods
- [ ] Test HSM connectivity
- [ ] Create backup procedures
#### Migration Execution
- [ ] Phase 1: Migrate private keys
- [ ] Phase 1: Migrate Cloudflare secrets
- [ ] Phase 1: Migrate database passwords
- [ ] Phase 1: Migrate NPM passwords
- [ ] Phase 2: Migrate JWT secrets
- [ ] Phase 2: Migrate service API keys
- [ ] Phase 3: Migrate third-party keys
- [ ] Phase 4: Migrate remaining secrets
#### Post-Migration
- [ ] Remove secrets from .env files
- [ ] Remove hardcoded secrets from scripts
- [ ] Update documentation
- [ ] Verify .gitignore
- [ ] Check git history for committed secrets (`git log --all --oneline -- '*.env'`), purge with `git filter-repo`, and rotate anything that was ever committed, since a purge cannot recall existing clones
- [ ] Test all applications
- [ ] Set up monitoring
- [ ] Document procedures
- [ ] Train team on Vault usage
---
### Cost Estimation
#### Cloud HSM Options
**AWS CloudHSM:**
- Hardware: ~$1,500/month per HSM
- Data transfer: Standard AWS rates
- Total: ~$1,500-3,000/month (2 HSMs for HA)
**Azure Dedicated HSM:**
- Hardware: ~$1,200/month per HSM
- Total: ~$2,400/month (2 HSMs for HA)
**HashiCorp Vault (Self-Hosted):**
- Infrastructure: Varies (VM costs)
- HSM integration: the vendor's PKCS#11 library is free, but the PKCS#11 seal and managed keys need a Vault Enterprise licence (priced separately); the open-source build only auto-unseals with a cloud KMS
- Total: ~$200-500/month (infrastructure only, before any Enterprise licence)
#### On-Premise HSM
- Hardware: $5,000-50,000 (one-time)
- Support: $1,000-5,000/year
- Infrastructure: Existing or minimal
---
### Timeline
**Week 1-2:** HSM selection, procurement, setup
**Week 3-4:** Vault installation, configuration, testing
**Week 5-6:** Phase 1 migration (critical secrets)
**Week 7-8:** Phase 2 migration (high priority)
**Month 2:** Phase 3 migration (medium priority)
**Month 3+:** Phase 4 migration (low priority), optimization
---
### Risk Mitigation
1. **Backup Strategy:**
- Encrypted backups of all secrets
- Multiple backup locations
- Regular restore testing
2. **Disaster Recovery:**
- HSM replication
- Vault cluster across regions
- Documented recovery procedures
3. **Gradual Migration:**
- Migrate in phases
- Maintain old system during transition
- Rollback procedures
4. **Testing:**
- Test in development first
- Staged production rollout
- Monitor for issues
---
## 📊 SECRETS SUMMARY BY CATEGORY
### By Priority
- **CRITICAL:** 6 exposed copies of 2 distinct private keys
- **HIGH:** 15 secrets (API tokens, passwords)
- **MEDIUM:** 20 secrets (service keys, JWT)
- **LOW:** 10+ secrets (optional, config)
### By Location
- **.env files:** 30+ secrets
- **Scripts:** 10+ hardcoded secrets
- **Documentation:** 5+ documented secrets
- **Templates:** 10+ placeholder secrets
### By Type
- **Private Keys:** 2 unique keys (6 copies)
- **API Tokens:** 8 unique tokens
- **Passwords:** 5 unique passwords
- **API Keys:** 10+ keys
- **Configuration:** 20+ values
---
## 🔄 NEXT STEPS
1. **Immediate Actions:**
- Treat every value marked Exposed, Hardcoded or Documented as compromised: rotate the deployer private key (move contract ownership and funds to a fresh key), revoke and reissue the Cloudflare tokens, Global API Key and tunnel token, and reset the NPMplus and UniFi passwords to unrelated random values
- Review this inventory
- Verify .gitignore for all .env files and check git history for committed secrets
- Remove backup files with secrets
- Document current secret locations
2. **Short-Term (Week 1-2):**
- Select HSM solution
- Begin HSM setup
- Install Vault
- Create migration plan
3. **Medium-Term (Month 1):**
- Begin Phase 1 migration
- Update applications
- Remove secrets from files
- Set up monitoring
4. **Long-Term (Month 2-3):**
- Complete all migrations
- Optimize access patterns
- Implement rotation
- Security audit
---
## 📚 RELATED DOCUMENTATION
- [Required Secrets Inventory](REQUIRED_SECRETS_INVENTORY.md)
- [Environment Secrets Audit Report](ENV_SECRETS_AUDIT_REPORT.md)
- [Secrets and Keys Configuration](SECRETS_KEYS_CONFIGURATION.md)
- [Cloudflare API Setup](CLOUDFLARE_API_SETUP.md)
---
**Last Updated:** 2026-01-31
**Status:** 🔒 Master Inventory Complete
**Next Review:** After HSM selection