docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


Security Audit Report - Secrets Management

Last Updated: 2026-01-31
Document Version: 1.0
Status: Active Documentation


Date: 2025-01-27
Status: Audit Complete
Auditor: Automated Security Scan
Scope: All secrets across /home/intlc/projects directory


Executive Summary

A comprehensive security audit was conducted to identify all secrets, assess their current storage methods, and provide recommendations for secure HSM Key Vault migration.

Key Findings

  • Total Secrets Identified: 50+ unique secrets
  • Critical Issues: 6 private keys exposed in files
  • High Priority Issues: 15 API tokens and passwords
  • Medium Priority Issues: 20 service keys and configuration secrets
  • Backup Files with Secrets: 3 files identified and moved out of the repository tree (still plaintext until encrypted or deleted)

Risk Assessment

| Risk Level | Count | Description |
|---|---|---|
| 🔴 CRITICAL | 6 | Private keys exposed in .env files and documentation |
| 🟠 HIGH | 15 | API tokens, passwords in files/scripts |
| 🟡 MEDIUM | 20 | Service keys, JWT secrets |
| 🟢 LOW | 10+ | Configuration values, public identifiers |

Detailed Findings

🔴 CRITICAL: Private Keys Exposed

Issue: Private keys found in multiple .env files and documentation

Locations:

  1. proxmox/smom-dbis-138/.env - Deployer private key
  2. no_five/.env - Private key (same as deployer)
  3. 237-combo/.env - Different private key
  4. loc_az_hci/smom-dbis-138/.env - Deployer private key
  5. proxmox/smom-dbis-138/services/*/.env - Multiple service files
  6. docs/06-besu/T1_2_CREDENTIALS_VERIFIED.md - Documented in markdown

Risk:

  • Complete compromise of blockchain accounts
  • Unauthorized transaction signing
  • Financial loss
  • Reputation damage

Recommendation:

  • IMMEDIATE: Treat every key listed above as compromised. Importing a key that has sat in plaintext .env files, a backup copy and a markdown page into an HSM does not make it secret again; the copies already exist.
  • Generate replacement keys inside the HSM and move the deployer and service roles (and any funds) held by the old addresses to the new ones
  • Never export private keys from the HSM; route all signing through it
  • Only once the new keys are in use, delete the old key material and the backups that contain it

Status: ⚠️ Requires immediate action


🟠 HIGH: API Tokens and Passwords

Cloudflare API Credentials

Issue: Multiple Cloudflare API tokens and keys found in files

Locations:

  • proxmox/.env - API key and tunnel token
  • loc_az_hci/.env - API key
  • loc_az_hci/smom-dbis-138/.env - API token
  • scripts/fix-certbot-dns-propagation.sh - Hardcoded token
  • scripts/install-shared-tunnel-token.sh - Hardcoded tunnel token

Risk:

  • Unauthorized DNS modifications
  • SSL certificate issuance
  • Tunnel configuration changes
  • Account compromise

Recommendation:

  • Migrate to Vault immediately
  • Use scoped API tokens, not the Global API Key (the Global API Key grants full account access and cannot be restricted)
  • Implement token rotation; revoke the tokens found in files once replacements are in place
  • Limit each token to the zones and permissions (e.g. DNS edit only) its script actually needs

Status: ⚠️ High priority migration


NPM (Nginx Proxy Manager) Credentials

Issue: Passwords hardcoded in scripts

Locations:

  • scripts/create-npmplus-proxy.sh - Hardcoded password hash
  • scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh - Hardcoded password
  • proxmox/.env - Plain text password

Risk:

  • Unauthorized proxy configuration
  • SSL certificate management
  • Domain routing changes

Recommendation:

  • Move to Vault
  • Use API tokens instead of passwords
  • Implement password rotation

Status: ⚠️ High priority migration


Database Credentials

Issue: Database passwords in connection strings

Locations:

  • dbis_core/.env - DATABASE_URL with embedded password
  • explorer-monorepo/.env - Database credentials

Risk:

  • Unauthorized database access
  • Data breach
  • Data manipulation

Recommendation:

  • Use the Vault database secrets engine
  • Implement dynamic, short-lived credentials per service
  • Keep the password out of the connection string; DATABASE_URL tends to end up in logs, error output and process listings

Status: ⚠️ High priority migration


🟡 MEDIUM: Service Keys and JWT Secrets

Issue: Various service API keys and JWT secrets

Locations:

  • UniFi API keys in documentation
  • Omada API keys in .env files
  • JWT secrets in templates
  • Third-party API keys

Risk:

  • Service compromise
  • Unauthorized API access
  • Token forgery: whoever holds a JWT signing secret can mint valid tokens for any user, which is worse than hijacking a single session

Recommendation:

  • Migrate to Vault
  • Implement key rotation
  • Use environment-specific secrets

Status: ⚠️ Medium priority migration


Backup Files Security

Findings

Backup Files with Secrets:

  1. smom-dbis-138/.env.backup - Contains Cloudflare API token
  2. smom-dbis-138/.env.backup.20251225_092319 - Contains private key and API token
  3. loc_az_hci/smom-dbis-138/.env.backup - Contains API token

Status: Relocated (not yet encrypted)

  • Files moved out of the repository tree to ~/.secure-secrets-backups/
  • All backup file patterns ignored in .gitignore
  • The copies are still plaintext on disk: encrypt them or delete them if no longer needed, and treat the private key in .env.backup.20251225_092319 as exposed until it is rotated

.gitignore Coverage

Status: COMPLETE for .env and backup file patterns

Verification Results:

  • All .env files properly ignored
  • Backup file patterns in .gitignore
  • Caveat: .gitignore only stops future `git add` of matching paths. It does not cover the tracked scripts and documentation listed below, which already carry secrets inside the repository, and it does not remove copies recorded by earlier commits; history has to be checked separately.

Coverage:

  • Root .gitignore includes .env patterns
  • Service-specific .gitignore files properly configured
  • Backup file patterns: *.env.backup, .env.backup.*
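A way to verify the coverage claimed above, added here as an example and not part of the original report or the project's tooling. It builds a throwaway repository with the same ignore patterns and then checks the three things .gitignore does and does not do: whether a path would be ignored (`git check-ignore`), whether env-style files are already tracked (`git ls-files`), and whether an old copy of a value survives in history (`git log -S`). The repository layout, script name and token string are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not the project's tooling): check what .gitignore actually
# protects. Requires git; everything else is POSIX shell.
set -u

# Does the repo's .gitignore match PATH? Exit 0 if ignored, 1 if it would be added.
is_ignored() { git -C "$1" check-ignore -q -- "$2"; }

# Env-style files that are ALREADY tracked. .gitignore says nothing about these:
# once a file is committed, later ignore rules do not remove it.
tracked_env_files() {
    git -C "$1" ls-files | grep -E '(^|/)[^/]*\.env(\.[^/]*)?$' || true
}

# Did any commit on any branch ever add or remove a line containing NEEDLE?
# Deleting a secret from the working tree leaves it in history until the
# history is rewritten, and the value must be rotated either way.
secret_in_history() {
    [ -n "$(git -C "$1" log --all --oneline -S"$2" 2>/dev/null)" ]
}

# Constructed demo repository: the audit's ignore patterns, an ignored .env,
# and a script with a hardcoded token that is later "cleaned up".
make_demo_repo() {
    d=$(mktemp -d)
    git -C "$d" init -q 2>/dev/null
    git -C "$d" config user.email audit@example.invalid
    git -C "$d" config user.name audit
    printf '.env\n*.env\n*.env.backup\n.env.backup.*\n' > "$d/.gitignore"
    mkdir -p "$d/scripts"
    printf 'CF_API_TOKEN=cf-token-constructed-000000000001\n' > "$d/.env"
    printf '#!/bin/sh\nCF_API_TOKEN="cf-token-constructed-000000000001"\n' > "$d/scripts/fix-dns.sh"
    git -C "$d" add -A
    git -C "$d" commit -q -m "add ignore rules and dns script"
    # The "fix": literal removed from the script, value expected from the environment.
    printf '#!/bin/sh\n: "${CF_API_TOKEN:?must be provided by Vault Agent}"\n' > "$d/scripts/fix-dns.sh"
    git -C "$d" commit -q -am "remove hardcoded token"
    printf '%s\n' "$d"
}

# Report for a repo: ignore coverage, tracked env files, and history leaks.
report() {
    repo="$1"; needle="$2"
    for p in .env .env.backup .env.backup.20251225_092319 services/api/.env scripts/fix-dns.sh; do
        if is_ignored "$repo" "$p"; then echo "ignored  : $p"; else echo "TRACKABLE: $p"; fi
    done
    t=$(tracked_env_files "$repo")
    [ -z "$t" ] && echo "no env-style files tracked" || printf 'TRACKED env files:\n%s\n' "$t"
    if secret_in_history "$repo" "$needle"; then
        echo "LEAK: a value matching '$needle' is in git history; rotate it and rewrite history"
    else
        echo "history clean for '$needle'"
    fi
}

# Usage: report "$(make_demo_repo)" cf-token-constructed-000000000001
```

Run `report` against the real repository with a value from one of the listed scripts to see whether it is still recoverable from history. The `.env` check passes and the script is correctly reported as trackable, which is exactly the gap the ignore rules leave open.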

Hardcoded Secrets in Scripts

Findings

Scripts with Hardcoded Secrets:

  1. scripts/create-npmplus-proxy.sh - NPM password
  2. scripts/fix-certbot-dns-propagation.sh - Cloudflare token
  3. scripts/install-shared-tunnel-token.sh - Tunnel token
  4. scripts/obtain-all-ssl-certificates.sh - Cloudflare token
  5. scripts/configure-all-cloudflare-dns.sh - Cloudflare token
  6. scripts/test-cloudflare-permissions.sh - Cloudflare token
  7. scripts/nginx-proxy-manager/*.sh - NPM credentials

Risk:

  • Secrets in version control
  • Accidental exposure
  • Difficult to rotate

Recommendation:

  • Replace with Vault API calls
  • Use environment variables from Vault Agent
  • Remove hardcoded values

Status: ⚠️ Requires script updates
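The shape a script such as fix-certbot-dns-propagation.sh takes once the literal token is removed, as an added example rather than one of the repository's own scripts. It assumes Vault Agent renders the Cloudflare token to a file (the path /run/secrets/cf_api_token is an assumption) with `perms = "0600"` in its template stanza; the script holds no value, refuses a file that is readable by others or empty, and never places the token on a command line where `ps` or `set -x` would show it.

```bash
#!/usr/bin/env bash
# Added example (not one of the repository's scripts). Assumed setup: Vault
# Agent renders the Cloudflare token to /run/secrets/cf_api_token, mode 0600.
set -u

# BEFORE (the anti-pattern the audit lists; kept as a comment on purpose):
#   CF_API_TOKEN="cf-token-that-now-lives-in-git-history"
#   curl -H "Authorization: Bearer $CF_API_TOKEN" ...

# Read a secret rendered by Vault Agent, failing closed on anything suspicious:
# missing file, group/world-readable mode, or empty content.
read_secret_file() {
    f="$1"
    [ -f "$f" ] || { echo "secret file missing: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        *00) ;;   # owner-only (600/400): acceptable
        *) echo "refusing $f: mode $mode is readable by group/others" >&2; return 1 ;;
    esac
    IFS= read -r secret < "$f" || true     # first line; tolerate a missing newline
    [ -n "$secret" ] || { echo "secret file $f is empty" >&2; return 1; }
    printf '%s' "$secret"
}

# Emit a curl config on stdout instead of putting the token in argv, where
# `ps` and shell tracing would expose it.
cf_auth_config() {
    tok=$(read_secret_file "$1") || return 1
    printf 'header = "Authorization: Bearer %s"\n' "$tok"
}

# Verify the token against Cloudflare (network call; not exercised offline).
verify_cloudflare_token() {
    cf_auth_config "${1:-/run/secrets/cf_api_token}" |
        curl -sS -K - https://api.cloudflare.com/client/v4/user/tokens/verify
}

# Usage: verify_cloudflare_token /run/secrets/cf_api_token
```

The same `read_secret_file` helper serves the NPM and database scripts: each reads its own rendered file, and rotating a secret becomes a Vault-side change with no script edit.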


Secrets in Documentation

Findings

Documentation Files with Secrets:

  1. docs/06-besu/T1_2_CREDENTIALS_VERIFIED.md - Private key
  2. docs/06-besu/T1_2_CREDENTIALS_STATUS.md - Private key references
  3. docs/04-configuration/UDM_PRO_API_LIMITATIONS.md - UniFi API key
  4. docs/04-configuration/NGINX_PROXY_MANAGER_COMPLETE_SETUP.md - Passwords

Risk:

  • Public exposure if docs are shared
  • Accidental disclosure
  • Historical record of secrets

Recommendation:

  • Replace with placeholders
  • Remove actual secret values
  • Use [REDACTED] for examples
  • Document secret locations in secure docs only

Status: ⚠️ Requires documentation cleanup
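The script, documentation and .env findings above are the output of an automated scan. The script below, added here as an example and not the scanner this report was produced with, shows how such a scan can be written so that it sorts hits into the report's risk levels without ever printing the secret values; a scanner that echoes secrets into a terminal or CI log only creates one more copy to clean up. The variable names in the patterns and everything in make_fixture (file layout, keys, token strings) are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not the repository's own scanner). Walks a tree, classifies
# hits into the report's CRITICAL / HIGH / MEDIUM classes, and prints
# file:line plus a masked copy of the line. Variable names in the patterns
# (DEPLOYER_PRIVATE_KEY, CF_API_TOKEN, ...) are assumptions about this
# repo's naming; adjust them to the real .env keys.
set -u

# "SEVERITY regex" per line, highest severity first; first matching class wins.
SECRET_PATTERNS='CRITICAL (PRIVATE|DEPLOYER)[A-Za-z_ ]*KEY[^A-Za-z0-9]{1,4}(0x)?[0-9a-fA-F]{64}
HIGH (CLOUDFLARE|CF)_[A-Z_]*(TOKEN|KEY)[[:space:]]*[=:][[:space:]]*"?[A-Za-z0-9_-]{20,}
HIGH (postgres(ql)?|mysql)://[^:/[:space:]]+:[^@[:space:]]+@
HIGH [A-Z_]*PASSWORD[[:space:]]*[=:][[:space:]]*"?[^[:space:]"]{8,}
MEDIUM (JWT_SECRET|[A-Z_]*API_KEY|OMADA_[A-Z_]*|UNIFI_[A-Z_]*)[[:space:]]*[=:][[:space:]]*"?[^[:space:]"]{16,}'

# Mask the value part of a line so the report itself can be shared.
mask_line() {
    sed -E 's/(0x)?[0-9a-fA-F]{64}/<REDACTED>/g; s/^([^=:]*[=:][[:space:]]*)[^[:space:]].*$/\1<REDACTED>/' | cut -c1-72
}

# Scan one file. Output: "SEVERITY<TAB>file:line<TAB>masked line".
scan_file() {
    f="$1"; rank=0
    printf '%s\n' "$SECRET_PATTERNS" | while read -r sev re; do
        rank=$((rank + 1))
        grep -niE -- "$re" "$f" 2>/dev/null | while IFS= read -r hit; do
            printf '%s %s %s\t%s\n' "$rank" "$sev" "${hit%%:*}" \
                "$(printf '%s' "${hit#*:}" | mask_line)"
        done
    done | sort -k3,3n -k1,1n | awk -F'\t' -v file="$f" '
        { split($1, m, " "); if (!seen[m[3]]++) printf "%s\t%s:%s\t%s\n", m[2], file, m[3], $2 }'
}

# Scan a directory tree: .env files, backups, shell scripts and markdown docs.
scan_secrets() {
    find "$1" -type f \( -name '.env' -o -name '.env.*' -o -name '*.env' \
        -o -name '*.sh' -o -name '*.md' \) -print | sort |
    while IFS= read -r f; do scan_file "$f"; done
}

# Constructed fixture mirroring the kinds of files the audit found.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/scripts" "$d/docs"
    cat > "$d/.env" <<'EOF'
RPC_URL=http://127.0.0.1:8545
DEPLOYER_PRIVATE_KEY=0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
CF_API_TOKEN=cf-token-constructed-for-example-00000001
EOF
    cat > "$d/.env.backup" <<'EOF'
CF_API_TOKEN=cf-token-constructed-for-example-00000001
JWT_SECRET=constructed_jwt_secret_value_0001
EOF
    cat > "$d/scripts/fix-dns.sh" <<'EOF'
#!/bin/sh
# hardcoded token: the anti-pattern the audit flags
CLOUDFLARE_API_TOKEN="dGhpc2lzbm90YXJlYWx0b2tlbjEyMzQ1Njc4OTA"
curl -s -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" https://api.cloudflare.com/client/v4/user/tokens/verify
EOF
    cat > "$d/docs/creds.md" <<'EOF'
# Credentials (constructed sample of a doc that should hold placeholders)
Private key: 0xffeeddccbbaa9988ffeeddccbbaa9988ffeeddccbbaa9988ffeeddccbbaa9988
DATABASE_URL=postgres://dbis:s3cretpassw0rd@db.internal:5432/dbis
EOF
    printf '%s\n' "$d"
}

# Usage: scan_secrets "$(make_fixture)"   # or scan_secrets /home/intlc/projects
```

On the fixture this reports two CRITICAL hits (the .env deployer key and the key in the doc), four HIGH (three Cloudflare tokens and the database URL) and one MEDIUM (the JWT secret), each as `DEPLOYER_PRIVATE_KEY=<REDACTED>`-style lines. Run it before and after the cleanup steps in this report so the before/after counts in the Security Metrics section are measured rather than estimated.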


Compliance and Best Practices

Current State

Good Practices:

  • .gitignore properly configured
  • Backup files identified and moved out of the repository tree
  • Comprehensive inventory created
  • Migration plan documented

⚠️ Areas for Improvement:

  • Private keys in files (should be in HSM)
  • Hardcoded secrets in scripts
  • Secrets in documentation
  • No centralized secrets management
  • No secret rotation procedures

Recommendations

Immediate Actions (Week 1)

  1. Secure Private Keys

    • Move all private keys to HSM immediately
    • Never export from HSM
    • Verify no keys in version control, including history (git log -S), not just the working tree
  2. Remove Hardcoded Secrets

    • Update all scripts to use Vault
    • Remove hardcoded values
    • Test script functionality
  3. Clean Documentation

    • Replace secrets with placeholders
    • Remove actual values from docs
    • Update examples

Short-Term (Week 2-4)

  1. HSM Key Vault Setup

    • Select and configure HSM solution
    • Install HashiCorp Vault
    • Migrate critical secrets
  2. Script Updates

    • Update all scripts for Vault integration
    • Implement Vault Agent where applicable
    • Test all automation
  3. Access Control

    • Define Vault policies
    • Implement RBAC
    • Set up audit logging

Medium-Term (Month 2-3)

  1. Complete Migration

    • Migrate all secrets to Vault
    • Remove secrets from .env files
    • Update all applications
  2. Secret Rotation

    • Implement rotation procedures
    • Automate where possible
    • Document rotation schedule
  3. Monitoring

    • Set up secret access monitoring
    • Alert on unauthorized access
    • Regular security audits

Security Metrics

Before Migration

  • Secrets in Files: 50+
  • Hardcoded Secrets: 10+
  • Secrets in Docs: 5+
  • Backup Files: 3
  • Private Keys Exposed: 6

Target State (After Migration)

  • Secrets in Files: 0
  • Hardcoded Secrets: 0
  • Secrets in Docs: 0 (placeholders only)
  • Backup Files: 0 (or encrypted)
  • Private Keys Exposed: 0 (all in HSM)

Risk Mitigation

Current Risks

  1. Private Key Exposure

    • Mitigation: Immediate HSM migration
    • Timeline: Week 1-2
  2. API Token Compromise

    • Mitigation: Vault migration, token rotation
    • Timeline: Week 2-4
  3. Hardcoded Secrets

    • Mitigation: Strip the values from scripts now, then wire the scripts to Vault Agent
    • Timeline: Week 1 (remove values), Week 3-4 (Vault integration)
  4. Documentation Exposure

    • Mitigation: Documentation cleanup
    • Timeline: Week 1

Compliance Status

Security Standards

  • .gitignore Coverage: Complete
  • ⚠️ Secret Storage: Needs HSM migration
  • ⚠️ Access Control: Needs Vault policies
  • ⚠️ Audit Logging: Needs implementation
  • ⚠️ Secret Rotation: Needs procedures

Best Practices

  • Secrets inventory documented
  • Migration plan created
  • ⚠️ HSM implementation pending
  • ⚠️ Secret rotation pending
  • ⚠️ Monitoring pending

Next Steps

  1. Immediate (This Week)

    • Review this audit report
    • Clean up documentation secrets
    • Begin HSM selection
  2. Short-Term (Week 2-4)

    • Set up HSM and Vault
    • Migrate critical secrets
    • Update scripts
  3. Medium-Term (Month 2-3)

    • Complete migration
    • Implement rotation
    • Set up monitoring


Last Updated: 2025-01-27
Status: Audit Complete
Next Review: After HSM migration