proxmox/docs/04-configuration/SECRETS_MIGRATION_SUMMARY.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


Secrets Discovery & HSM Migration Summary

Last Updated: 2026-01-31
Document Version: 1.0
Status: Active Documentation


Date: 2025-01-27
Status: Discovery Complete, Ready for Migration
Purpose: Executive summary of secrets discovery and HSM Key Vault migration plan


📊 Discovery Results

Secrets Found

  • Total Secrets Identified: 50+ unique secrets
  • Critical Secrets: 6 (private keys)
  • High Priority: 15 (API tokens, passwords)
  • Medium Priority: 20 (service keys, JWT)
  • Low Priority: 10+ (optional, configuration)

Locations Scanned

  • .env Files: 30+ files scanned
  • Scripts: 10+ files with hardcoded secrets
  • Documentation: 5+ markdown files with secrets
  • Total Files Analyzed: 50+ files

🔴 Critical Security Issues

1. Private Keys Exposed

  • 6 unique private keys found in .env files
  • 1 private key documented in markdown files
  • Risk: Complete compromise of blockchain accounts
  • Action: IMMEDIATE migration to HSM

2. Hardcoded Secrets in Scripts

  • Cloudflare API tokens in shell scripts
  • NPM passwords in automation scripts
  • Tunnel tokens in installation scripts
  • Risk: Secrets in version control
  • Action: Remove and migrate to Vault

3. Secrets in Documentation

  • Private keys in markdown files
  • Passwords in configuration guides
  • Risk: Public exposure if docs are shared
  • Action: Remove secrets, use placeholders

📋 Complete Documentation

Master Documents Created

  1. MASTER_SECRETS_INVENTORY.md

    • Complete inventory of all secrets
    • Detailed HSM Key Vault migration plan
    • Implementation guide
    • Cost estimation and timeline
  2. SECRETS_QUICK_REFERENCE.md

    • Quick lookup for all secrets
    • Secret locations
    • Proposed Vault paths
    • Quick action commands
  3. SECRETS_MIGRATION_SUMMARY.md (this document)

    • Executive summary
    • Action plan
    • Next steps

Migration Tools Created

  1. migrate-secrets-to-vault.sh
    • Automated migration script
    • Supports dry-run mode
    • Handles multiple secret types
    • Provides migration status

🎯 HSM Key Vault Plan

HashiCorp Vault with HSM Backend

Why:

  • Industry-standard secrets management
  • Excellent HSM integration (PKCS#11)
  • Flexible deployment options
  • Strong access control
  • Active community and support

Migration Phases

Phase 1: CRITICAL (Week 1-2)

  • All private keys
  • Cloudflare API tokens
  • Database passwords
  • NPM passwords

Phase 2: HIGH PRIORITY (Week 3-4)

  • JWT secrets
  • Service API keys
  • Tunnel tokens

Phase 3: MEDIUM PRIORITY (Month 2)

  • Third-party API keys
  • Monitoring credentials

Phase 4: LOW PRIORITY (Month 3+)

  • Configuration values
  • Development secrets

Immediate Actions Required

1. Security Hardening (This Week)

```bash
# Verify .gitignore includes all .env files
# (a pattern here does not untrack files that were already committed)
grep -n '\.env' .gitignore

# Locate backup files with secrets
find . -name ".env.backup*" -type f
# Review and remove if safe

# Remove secrets from documentation
# Replace with placeholders in markdown files
```

2. HSM Selection (Week 1)

  • Review HSM options
  • Select solution (recommended: HashiCorp Vault + HSM)
  • Procure/configure HSM
  • Set up Vault infrastructure

3. Vault Setup (Week 2)

  • Install HashiCorp Vault
  • Configure HSM backend
  • Set up authentication
  • Create vault path structure
  • Define access policies

4. Begin Migration (Week 3)

  • Test migration script (dry-run)
  • Migrate Phase 1 secrets
  • Update applications
  • Verify functionality
  • Remove secrets from files

📈 Success Metrics

Security Improvements

  • All private keys in HSM (never exported)
  • All API tokens encrypted at rest
  • No secrets in version control
  • No hardcoded secrets in scripts
  • All secret access logged and audited

Operational Improvements

  • Centralized secret management
  • Automated secret rotation
  • Role-based access control
  • Disaster recovery procedures
  • Compliance-ready audit trail

🔐 Vault Path Structure

secret/
├── blockchain/
│   ├── private-keys/
│   │   ├── deployer
│   │   ├── validator-1
│   │   └── ...
│   └── contract-addresses/
├── cloudflare/
│   ├── api-tokens/
│   ├── tunnel-tokens/
│   └── origin-ca/
├── infrastructure/
│   ├── npm/
│   ├── proxmox/
│   └── unifi/
├── databases/
│   └── postgres/
└── services/
    ├── jwt/
    └── api-keys/
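The discovery results above were collected from .env files, and the migration steps map each secret to a phase and a path in this layout. The following is an added illustration, not the project's migrate-secrets-to-vault.sh: it parses .env content, assigns each variable a phase and a Vault path following the structure above (the variable-name patterns and the `secret/services/config/` location for Phase 4 values are assumptions), and renders a dry-run plan that never exposes the secret values themselves.

```python
import re

# Classification rules: (regex on the variable NAME, migration phase, Vault path
# prefix). Prefixes follow the path structure above; the name patterns are
# assumptions about how this repo names its variables. Order matters: the
# more specific TUNNEL rule must precede the general CLOUDFLARE token rule.
RULES = [
    (r"PRIVATE_KEY", 1, "secret/blockchain/private-keys"),
    (r"TUNNEL.*TOKEN", 2, "secret/cloudflare/tunnel-tokens"),
    (r"CLOUDFLARE.*TOKEN", 1, "secret/cloudflare/api-tokens"),
    (r"(POSTGRES|DATABASE|DB_).*PASS", 1, "secret/databases/postgres"),
    (r"NPM.*PASS", 1, "secret/infrastructure/npm"),
    (r"JWT", 2, "secret/services/jwt"),
    (r"API_KEY", 3, "secret/services/api-keys"),
]
# KEY=value lines, optionally prefixed with `export`; comment lines never match.
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

def classify(name):
    """Return (phase, vault_path); names no rule matches fall into Phase 4."""
    for pattern, phase, prefix in RULES:
        if re.search(pattern, name, re.IGNORECASE):
            return phase, f"{prefix}/{name.lower()}"
    return 4, f"secret/services/config/{name.lower()}"  # assumed Phase 4 location

def redact(value):
    """Report only a 4-character prefix and the length, never the whole value."""
    v = value.strip().strip("\"'")
    return "<empty>" if not v else f"{v[:4]}... ({len(v)} chars)"

def plan_text(text, source="<inline>"):
    """Parse the content of one .env file and return entries ordered by phase."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENV_LINE.match(line)
        if not m:
            continue
        name, value = m.groups()
        phase, path = classify(name)
        entries.append({"name": name, "source": f"{source}:{lineno}", "phase": phase,
                        "path": path, "preview": redact(value)})
    return sorted(entries, key=lambda e: (e["phase"], e["name"]))

def dry_run_commands(entries):
    """The `vault kv put` lines a live run would execute, with values elided."""
    return [f"vault kv put {e['path']} value=<{e['name']} from {e['source']}>  # phase {e['phase']}"
            for e in entries]
```

Feed it the text of each .env file found during discovery; the report gives file:line, phase and target path for every secret while showing only a redacted preview.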

💰 Cost Estimation

Option 1: Cloud HSM (AWS/Azure)

  • Monthly Cost: $1,500-3,000
  • Pros: Fully managed, high availability
  • Cons: Higher cost, vendor lock-in

Option 2: Self-Hosted Vault + Software HSM

  • Monthly Cost: $200-500 (infrastructure)
  • Pros: Lower cost, full control
  • Cons: Requires management

Option 3: On-Premise HSM

  • One-Time Cost: $5,000-50,000
  • Annual Support: $1,000-5,000
  • Pros: Maximum security, no ongoing cloud costs
  • Cons: High upfront cost, requires infrastructure

Recommendation: Start with Option 2, migrate to Option 1 or 3 for production.


📅 Timeline

| Phase | Duration | Activities |
|---|---|---|
| Week 1-2 | 2 weeks | HSM selection, procurement, setup |
| Week 3-4 | 2 weeks | Vault installation, configuration |
| Week 5-6 | 2 weeks | Phase 1 migration (critical secrets) |
| Week 7-8 | 2 weeks | Phase 2 migration (high priority) |
| Month 2 | 4 weeks | Phase 3 migration (medium priority) |
| Month 3+ | Ongoing | Phase 4 migration, optimization |

Total Estimated Time: 3-4 months for complete migration


🛠️ Tools & Scripts

Migration Script

```bash
# Dry run (safe, no changes)
./scripts/migrate-secrets-to-vault.sh

# Live migration
DRY_RUN=false ./scripts/migrate-secrets-to-vault.sh
```

Verification Commands

```bash
# List all secrets in Vault
vault kv list secret/

# Read a specific secret
# (this prints the secret value to the terminal; for private keys, prefer a
#  metadata-only check so the value is never displayed or logged)
vault kv get secret/blockchain/private-keys/deployer

# Check Vault status
vault status
```
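To verify that a migrated entry exists without retrieving the value, the KV v2 metadata endpoint returns version information only. The check below is an added example, not part of the original page; it assumes the `secret/` mount is KV version 2 (the default in Vault dev mode, otherwise enabled explicitly), reads VAULT_ADDR and VAULT_TOKEN the way the CLI does, and takes an injectable `fetch` so it can be exercised offline.

```python
import json
import os
import urllib.error
import urllib.request

def vault_http(url, token):
    """Default transport: GET a Vault API URL, returning (status, parsed JSON body)."""
    req = urllib.request.Request(url, headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, {}

def metadata_url(addr, mount, path):
    """KV v2 serves metadata under <mount>/metadata/<path>, separate from data/."""
    return f"{addr.rstrip('/')}/v1/{mount}/metadata/{path.strip('/')}"

def check_paths(paths, addr=None, token=None, mount="secret", fetch=vault_http):
    """Return {path: 'present' | 'missing' | 'error:<code>'} for each KV path.
    Only metadata is requested, so secret values never leave Vault."""
    addr = addr or os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    token = token or os.environ.get("VAULT_TOKEN", "")
    results = {}
    for p in paths:
        code, body = fetch(metadata_url(addr, mount, p), token)
        if code == 200 and "data" in body:
            results[p] = "present"
        elif code == 404:
            results[p] = "missing"
        else:
            results[p] = f"error:{code}"
    return results

if __name__ == "__main__":
    # Paths follow the documented Vault structure; the leaf names are examples.
    for path, state in check_paths(["blockchain/private-keys/deployer",
                                    "cloudflare/api-tokens/dns"]).items():
        print(f"{state:8} {path}")
```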

📚 Documentation Index

  1. MASTER_SECRETS_INVENTORY.md

    • Complete secrets inventory
    • Detailed migration plan
    • HSM implementation guide
  2. SECRETS_QUICK_REFERENCE.md

    • Quick lookup guide
    • Secret locations
    • Action commands
  3. REQUIRED_SECRETS_INVENTORY.md

    • Required secrets checklist
    • Service-specific requirements
  4. ENV_SECRETS_AUDIT_REPORT.md

    • Security audit results
    • Issues identified
    • Recommendations

Next Steps Checklist

Immediate (This Week)

  • Review all documentation
  • Verify .gitignore coverage
  • Remove backup files with secrets
  • Document current secret usage

Short-Term (Week 1-2)

  • Select HSM solution
  • Begin HSM procurement/setup
  • Install Vault
  • Configure HSM backend

Medium-Term (Week 3-4)

  • Create vault structure
  • Define access policies
  • Test migration script
  • Begin Phase 1 migration

Long-Term (Month 2-3)

  • Complete all migrations
  • Remove secrets from files
  • Update all applications
  • Implement rotation procedures
  • Security audit

🆘 Support & Resources

HashiCorp Vault

HSM Vendors

Security Best Practices


📝 Notes

  • All secrets should be rotated after migration
  • Maintain backup of encrypted secrets
  • Document all access patterns
  • Regular security audits recommended
  • Keep this documentation updated

Last Updated: 2025-01-27
Status: Discovery Complete
Next Review: After HSM selection