proxmox/docs/04-configuration/ENV_SECRETS_AUDIT_REPORT.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


Environment Variables and Secrets Audit Report

Last Updated: 2026-01-31
Document Version: 1.0
Status: Active Documentation


Date: 2025-01-20
Status: 📋 Comprehensive Audit
Purpose: Audit all .env files for required secrets and identify missing/incomplete values


Executive Summary

This report provides a comprehensive audit of all environment variable files (.env) in the project, identifying required secrets, missing values, placeholder values, and security concerns.


Files Audited

Root Level

  • .env - Main project configuration

Service-Specific

  • omada-api/.env - Omada Controller API configuration
  • smom-dbis-138/.env - SMOM/DBIS-138 blockchain services
  • dbis_core/.env - DBIS Core banking system
  • explorer-monorepo/.env - Block explorer services
  • miracles_in_motion/.env.production - Miracles in Motion application

Templates

  • config/production/.env.production.template - Production template
  • smom-dbis-138/.env.template - Service template
  • Various .env.example files

Critical Secrets Status

Root .env File (./.env)

Status: Partially Configured

Found Variables:

  • CLOUDFLARE_TUNNEL_TOKEN - Set
  • CLOUDFLARE_API_KEY - Set (Legacy - consider migrating to API Token)
  • CLOUDFLARE_ACCOUNT_ID - Set
  • CLOUDFLARE_ZONE_ID - Set (multiple zones)
  • CLOUDFLARE_DOMAIN - Set
  • CLOUDFLARE_EMAIL - Set
  • CLOUDFLARE_TUNNEL_ID - Set
  • CLOUDFLARE_ORIGIN_CA_KEY - Set
  • Multiple zone IDs for different domains

Missing/Concerns:

  • ⚠️ CLOUDFLARE_API_TOKEN - Not found (using API_KEY instead - less secure)
  • ⚠️ Proxmox passwords not in root .env (may be in other locations)

Recommendations:

  1. Migrate from CLOUDFLARE_API_KEY to CLOUDFLARE_API_TOKEN for better security (tokens are scoped to specific zones and permissions and can be revoked individually; the global API key grants full account access)
  2. Consider consolidating secrets in root .env or using secrets management

⚠️ Omada API (.env)

Status: Partially Configured

Found Variables:

  • OMADA_CONTROLLER_URL - Set
  • ⚠️ OMADA_API_KEY - Set but may need verification
  • ⚠️ OMADA_API_SECRET - Empty or needs setting
  • OMADA_SITE_ID - Set
  • OMADA_VERIFY_SSL - Set
  • OMADA_CLIENT_ID - Set
  • OMADA_CLIENT_SECRET - Set

Missing/Concerns:

  • ⚠️ Verify OMADA_API_SECRET is set correctly
  • ⚠️ Ensure credentials match Omada controller requirements

⚠️ SMOM/DBIS-138 (.env)

Status: Contains Sensitive Values

Found Variables:

  • RPC_URL - Set
  • 🔒 PRIVATE_KEY - CRITICAL - Private key present (full value redacted from this report; it was found in clear text in the file)
  • Multiple contract addresses - Set
  • Token addresses - Set

Security Concerns:

  • 🔒 CRITICAL: Private key is exposed in .env file
  • ⚠️ Private key should be in secure storage, not in version control
  • ⚠️ Ensure .env is in .gitignore

Recommendations:

  1. IMMEDIATE: Verify .env is in .gitignore
  2. Move private key to secure storage (key vault, encrypted file)
  3. Use environment variable injection at runtime
  4. Consider key management system

DBIS Core (.env)

Status: Configured

Found Variables:

  • DATABASE_URL - Set with credentials
    • Format: postgresql://user:password@host:port/database
    • Contains password in connection string

Security Concerns:

  • ⚠️ Database password in connection string
  • Should be in .gitignore

Recommendations:

  1. Verify .env is in .gitignore
  2. Consider separate DATABASE_USER and DATABASE_PASSWORD variables
  3. Use secrets management for production

⚠️ Explorer Monorepo (.env)

Status: Contains Sensitive Values

Found Variables:

  • 🔒 PRIVATE_KEY - CRITICAL - Private key present (appears multiple times, some empty)
  • LINK_TOKEN - Set
  • ORACLE_AGGREGATOR_ADDRESS - Set
  • CCIP_ROUTER_ADDRESS - Set
  • CCIP_RECEIVER - Set
  • CCIP_LOGGER - Set
  • ORACLE_PROXY_ADDRESS - Set

Security Concerns:

  • 🔒 CRITICAL: Private key exposed
  • ⚠️ Multiple backup files with private keys (.env.backup.*)
  • ⚠️ Empty PRIVATE_KEY entries (cleanup needed)

Recommendations:

  1. Remove backup files with secrets from repository
  2. Secure private key storage
  3. Clean up empty/duplicate entries
  4. Add backup files to .gitignore

Required Secrets Checklist

Critical (Must Have)

Cloudflare

  • CLOUDFLARE_API_KEY or CLOUDFLARE_API_TOKEN - Set (using API_KEY)
  • CLOUDFLARE_ACCOUNT_ID - Set
  • CLOUDFLARE_ZONE_ID - Set (multiple)
  • CLOUDFLARE_TUNNEL_TOKEN - Set
  • CLOUDFLARE_API_TOKEN - ⚠️ Recommended but not set (using API_KEY)

Blockchain/Private Keys

  • PRIVATE_KEY - ⚠️ Set but SECURITY CONCERN (exposed in files)
  • Secure private key storage - 🔒 NOT IN PLACE (keys are held in plain .env files)

Database

  • DATABASE_URL - Set (contains password)

High Priority

Service-Specific

  • OMADA_API_KEY / OMADA_CLIENT_SECRET - Set
  • Contract addresses - Set
  • RPC URLs - Set

Medium Priority

Optional Services

  • Various service-specific variables
  • Monitoring credentials (if enabled)
  • Third-party API keys (if used)

Security Issues Identified

🔴 Critical Issues

  1. Private Keys in .env Files

    • Location: smom-dbis-138/.env, explorer-monorepo/.env
    • Risk: Private keys exposed if the files are committed to version control or copied off the host
    • Action: Verify .gitignore, move to secure storage
  2. Backup Files with Secrets

    • Location: explorer-monorepo/.env.backup.*
    • Risk: Secrets in backup files
    • Action: Remove from repository, add to .gitignore
  3. Database Passwords in Connection Strings

    • Location: dbis_core/.env
    • Risk: Password exposure if file is accessed
    • Action: Consider separate variables or secrets management

⚠️ Medium Priority Issues

  1. Using Legacy API Key Instead of Token

    • Location: Root .env
    • Issue: CLOUDFLARE_API_KEY used instead of CLOUDFLARE_API_TOKEN
    • Action: Migrate to a scoped, individually revocable API token for better security
  2. Empty/Placeholder Values

    • Some variables may have placeholder values
    • Action: Review and replace with actual values
  3. Multiple .env Files

    • Secrets scattered across multiple files
    • Action: Consider consolidation or centralized secrets management
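One way to mechanise the checks behind the issue classes above, as an added example (this is not the repository's scripts/check-env-secrets.sh): a shell function that reports, without echoing any values, empty or placeholder entries, 32-byte hex private keys, passwords embedded in connection-string URLs, and a legacy CLOUDFLARE_API_KEY set without a CLOUDFLARE_API_TOKEN. The .env it scans is constructed inline with fake values.

```bash
#!/usr/bin/env bash
# Added example: audit a .env file for the finding classes in this report.
set -eu

# Write a constructed sample .env (every value is fake) and print its path.
make_sample_env() {
  local f
  f=$(mktemp)
  cat >"$f" <<'EOF'
RPC_URL=https://rpc.example.invalid
PRIVATE_KEY=0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
PRIVATE_KEY=
DATABASE_URL=postgresql://dbis:hunter2@db.example.invalid:5432/dbis
CLOUDFLARE_API_KEY=0123456789abcdef0123456789abcdef01234
OMADA_API_SECRET=changeme
OMADA_SITE_ID=site-1
EOF
  printf '%s\n' "$f"
}

# Print one finding per line: "<SEVERITY> <line-no> <reason>".
# Values are never printed, so the audit output itself leaks nothing.
audit_env_file() {
  local file=$1 n=0 line key val
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
    key=${line%%=*}
    val=${line#*=}
    val=${val#\"}; val=${val%\"}                 # strip surrounding quotes
    if [ -z "$val" ]; then
      echo "WARN $n $key is empty (placeholder or stale entry)"
    elif printf '%s' "$val" | grep -Eqi '^(changeme|your[-_]|xxx|todo|placeholder)'; then
      echo "WARN $n $key holds a placeholder value"
    fi
    case "$key" in
      *PRIVATE_KEY*|*SECRET_KEY*|*MNEMONIC*)
        if printf '%s' "$val" | grep -Eq '^(0x)?[0-9a-fA-F]{64}$'; then
          echo "CRITICAL $n $key contains a 32-byte hex private key"
        fi ;;
      *_URL)                                     # scheme://user:password@host
        if printf '%s' "$val" | grep -Eq '^[a-z]+://[^/:@]+:[^@]+@'; then
          echo "CRITICAL $n $key embeds a password in the connection string"
        fi ;;
      CLOUDFLARE_API_KEY)
        if ! grep -Eq '^CLOUDFLARE_API_TOKEN=.+' "$file"; then
          echo "MEDIUM $n legacy CLOUDFLARE_API_KEY set without CLOUDFLARE_API_TOKEN"
        fi ;;
    esac
  done <"$file"
}

# Usage: audit_env_file path/to/.env ; "--demo" runs it on the constructed sample.
if [ "${1:-}" = "--demo" ]; then audit_env_file "$(make_sample_env)"; fi
```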

Recommendations

Immediate Actions

  1. Verify .gitignore

    # Ensure these are in .gitignore:
    .env
    .env.local
    .env.*.local
    *.env.backup
    
  2. Secure Private Keys

    • Move private keys to secure storage (key vault, encrypted file)
    • Use environment variable injection
    • Never commit private keys to repository
  3. Clean Up Backup Files

    • Remove .env.backup.* files from repository
    • Add to .gitignore
    • Store backups securely if needed
  4. Migrate to API Tokens

    • Replace CLOUDFLARE_API_KEY with CLOUDFLARE_API_TOKEN
    • Use API tokens for better security

Short-Term Improvements

  1. Implement Secrets Management

    • Use HashiCorp Vault, AWS Secrets Manager, or similar
    • Encrypt sensitive values
    • Implement access controls
  2. Consolidate Secrets

    • Consider centralized secrets storage
    • Use environment-specific files
    • Document secret locations
  3. Create .env.example Files

    • Template files without real values
    • Document required variables
    • Include in repository

Long-Term Improvements

  1. Secret Rotation

    • Implement secret rotation procedures
    • Document rotation schedule
    • Automate where possible
  2. Access Control

    • Limit access to secrets
    • Implement audit logging
    • Use role-based access
  3. Monitoring

    • Monitor for exposed secrets
    • Alert on unauthorized access
    • Regular security audits

Missing Secrets (Not Found)

Based on documentation and script analysis, these secrets may be needed but were not found in any audited file:

Proxmox

  • PROXMOX_TOKEN_VALUE - Proxmox API token (may be in ~/.env)
  • Proxmox node passwords (may be hardcoded in scripts)

Additional Services

  • JWT_SECRET - If JWT authentication is used
  • SESSION_SECRET - If sessions are used
  • ETHERSCAN_API_KEY - For contract verification
  • Various service API keys

File Locations Summary

| File | Status | Secrets Found | Security Concerns |
|------|--------|---------------|-------------------|
| ./.env | Configured | Cloudflare credentials | Using API_KEY instead of TOKEN |
| omada-api/.env | ⚠️ Partial | Omada credentials | Verify API_SECRET |
| smom-dbis-138/.env | 🔒 Sensitive | Private key, contracts | Private key exposed |
| dbis_core/.env | Configured | Database credentials | Password in connection string |
| explorer-monorepo/.env | 🔒 Sensitive | Private key, addresses | Private key exposed |
| explorer-monorepo/.env.backup.* | 🔒 Sensitive | Private keys | Backup files with secrets |

Next Steps

  1. Run Audit Script

    ./scripts/check-env-secrets.sh
    
  2. Verify .gitignore

    • Ensure all .env files are ignored
    • Add backup files to .gitignore
  3. Review Security Issues

    • Address critical issues (private keys)
    • Migrate to secure storage
    • Clean up backup files
  4. Document Required Secrets

    • Update REQUIRED_SECRETS_INVENTORY.md
    • Create .env.example templates
    • Document secret locations
  5. Implement Improvements

    • Migrate to API tokens
    • Implement secrets management
    • Set up monitoring


Last Updated: 2025-01-20
Status: 📋 Audit Complete
Next Review: After security improvements