Files

Deploy to Phoenix / deploy (push) Has been cancelled

Details

docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates

- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>

2026-02-12 15:46:57 -08:00

24 KiB

Raw Blame History

Master Secrets Inventory & HSM Key Vault Plan

Last Updated: 2026-01-31
Document Version: 1.0
Status: Active Documentation

Date: 2026-01-31
Status: 🔒 Comprehensive Master List
Last Update: Added Ramps, Exchange (Binance/Kraken/Oanda/FXCM), DeFi credentials
Purpose: Complete inventory of all secrets found across the projects directory and plan for HSM Key Vault migration

Executive Summary

This document provides a comprehensive master list of all secrets discovered across the /home/intlc/projects directory, including:

Secrets in .env files
Hardcoded secrets in scripts
Secrets documented in markdown files
Recommendations for HSM Key Vault storage

Total Secrets Identified: 50+ unique secrets across multiple categories

🔴 CRITICAL SECURITY FINDINGS

Immediate Security Concerns

Private Keys Exposed in Files
- Multiple private keys found in .env files
- Private keys documented in markdown files
- Backup files containing private keys
Hardcoded Secrets in Scripts
- Cloudflare API tokens in shell scripts
- NPM passwords in shell scripts
- Tunnel tokens in installation scripts
Secrets in Documentation
- Private keys documented in markdown files
- Passwords visible in configuration guides
- API keys in example commands

📋 COMPREHENSIVE SECRETS INVENTORY

1. Blockchain/Web3 Secrets

Private Keys (CRITICAL - Highest Priority for HSM)

Secret Name	Location	Value (Partial)	Status	Priority
`PRIVATE_KEY`	`smom-dbis-138/.env`	`0x5373d11ee2cad4ed82b9208526a8c358839cbfe325919fb250f062a25153d1c8`	🔴 Exposed	CRITICAL
`PRIVATE_KEY`	`no_five/.env`	`5373d11ee2cad4ed82b9208526a8c358839cbfe325919fb250f062a25153d1c8`	🔴 Exposed	CRITICAL
`PRIVATE_KEY`	`237-combo/.env`	`5e72443d6f357af402859433b115f5b7394786b2624a7cd7e670256a2467bd14`	🔴 Exposed	CRITICAL
`PRIVATE_KEY`	`loc_az_hci/smom-dbis-138/.env`	`5373d11ee2cad4ed82b9208526a8c358839cbfe325919fb250f062a25153d1c8`	🔴 Exposed	CRITICAL
`PRIVATE_KEY`	`proxmox/smom-dbis-138/services/*/.env`	`0x5373d11ee2cad4ed82b9208526a8c358839cbfe325919fb250f062a25153d1c8`	🔴 Exposed	CRITICAL
`PRIVATE_KEY`	`docs/06-besu/T1_2_CREDENTIALS_VERIFIED.md`	`0x5373d11ee2cad4ed82b9208526a8c358839cbfe325919fb250f062a25153d1c8`	🔴 Documented	CRITICAL

Derived Address: 0x4A666F96fC8764181194447A7dFdb7d471b301C8

Contract Addresses (Semi-Sensitive)

Secret Name	Location	Value	Status
`LINK_TOKEN`	Multiple `.env` files	`0xb7721dD53A8c629d9f1Ba31a5819AFe250002b03`	✅ Public
`CCIP_ROUTER`	Multiple `.env` files	`0x8078A09637e47Fa5Ed34F626046Ea2094a5CDE5e`	✅ Public
`CCIP_FEE_TOKEN`	Multiple `.env` files	`0xb7721dD53A8c629d9f1Ba31a5819AFe250002b03`	✅ Public
`TOKEN_FACTORY`	`proxmox/smom-dbis-138/.env`	`0xEBFb5C60dE5f7C4baae180CA328D3BB39E1a5133`	✅ Public
`TOKEN_REGISTRY_ADDRESS`	`proxmox/smom-dbis-138/.env`	`0x91Efe92229dbf7C5B38D422621300956B55870Fa`	✅ Public

2. Cloudflare Secrets

API Credentials

Secret Name	Location	Value (Partial)	Status	Priority
`CLOUDFLARE_API_TOKEN`	`loc_az_hci/smom-dbis-138/.env`	`CWNCvhFa0EgXsazoUrJyv1CS-ORoiMmgvM0zm47N`	🔴 Exposed	HIGH
`CLOUDFLARE_API_KEY`	`proxmox/.env`	`65d8f07ebb3f0454fdc4e854b6ada13fba0f0`	🔴 Exposed	HIGH
`CLOUDFLARE_API_KEY`	`loc_az_hci/.env`	`x2Kgfb7OI8OEu7SUeUSyLIgVFmvXFd6zV_5ZwGcW`	🔴 Exposed	HIGH
`CLOUDFLARE_API_TOKEN`	`scripts/fix-certbot-dns-propagation.sh`	`JSEO_sruWB6lf1id77gtI7HOLVdhkhaR2goPEJIk`	🔴 Hardcoded	HIGH
`CLOUDFLARE_TUNNEL_TOKEN`	`proxmox/.env`	`sRwHkwQO5HfD6aK0ZzdV8XHsAyG_DLe_KCjv2bRP`	🔴 Exposed	HIGH
`CLOUDFLARE_TUNNEL_TOKEN`	`loc_az_hci/.env`	`sRwHkwQO5HfD6aK0ZzdV8XHsAyG_DLe_KCjv2bRP`	🔴 Exposed	HIGH
`TUNNEL_TOKEN`	`scripts/install-shared-tunnel-token.sh`	`eyJhIjoiNTJhZDU3YTcxNjcxYzVmYzAwOWVkZjA3NDQ2NTgxOTYiLCJ0IjoiMTBhYjIyZGEtOGVhMy00ZTJlLWE4OTYtMjdlY2UyMjExYTA1IiwicyI6IlptRXlOMkkyTVRrdE1EZzFNeTAwTkRBNExXSXhaalF0Wm1KaE5XVmpaVEEzTVdGbCJ9`	🔴 Hardcoded	HIGH
`CLOUDFLARE_ORIGIN_CA_KEY`	`proxmox/.env`	`v1.0-e7109fbbe03bfeb201570275-231a7ddf5c59799f68b0a0a73a3e17d72177325bb60e4b2c295896f9fe9c296dc32a5881a7d23859934d508b4f41f1d86408e103012b44b0b057bb857b0168554be4dc215923c043bd`	🔴 Exposed	HIGH

Zone/Account IDs (Less Sensitive)

Secret Name	Location	Value	Status
`CLOUDFLARE_ACCOUNT_ID`	Multiple `.env` files	`52ad57a71671c5fc009edf0744658196`	⚠️ Semi-Sensitive
`CLOUDFLARE_ZONE_ID`	Multiple `.env` files	Multiple zone IDs	⚠️ Semi-Sensitive
`CLOUDFLARE_EMAIL`	`proxmox/.env`	`pandoramannli@gmail.com`	⚠️ Semi-Sensitive

3. Nginx Proxy Manager (NPMplus) Secrets

Secret Name	Location	Value (Partial)	Status	Priority
`NPM_PASSWORD`	`scripts/create-npmplus-proxy.sh`	`ce8219e321e1cd97bd590fb792d3caeb7e2e3b94ca7e20124acaf253f911ff72`	🔴 Hardcoded	HIGH
`NPM_PASSWORD`	`scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh`	`ce8219e321e1cd97bd590fb792d3caeb7e2e3b94ca7e20124acaf253f911ff72`	🔴 Hardcoded	HIGH
`NPM_PASSWORD`	`proxmox/.env`	`L@ker$2010`	🔴 Exposed	HIGH
`NPM_EMAIL`	`proxmox/.env`	`nsatoshi2007@hotmail.com`	⚠️ Exposed	MEDIUM
`NPM_EMAIL`	Scripts	`admin@example.org`	⚠️ Hardcoded	MEDIUM

4. UniFi/Omada Network Secrets

Secret Name	Location	Value (Partial)	Status	Priority
`UNIFI_API_KEY`	`docs/04-configuration/UDM_PRO_API_LIMITATIONS.md`	`_6WXEiH2tMDkrO3jKc54SKa53fHZE-Wg`	🔴 Documented	HIGH
`UNIFI_PASSWORD`	Multiple docs	`L@kers2010$$`	🔴 Documented	HIGH
`OMADA_API_KEY`	`proxmox/omada-api/.env`	(check file)	⚠️ Needs Review	MEDIUM
`OMADA_CLIENT_SECRET`	`proxmox/omada-api/.env`	(check file)	⚠️ Needs Review	MEDIUM

5. Database Credentials

Secret Name	Location	Format	Status	Priority
`DATABASE_URL`	`dbis_core/.env`	`postgresql://user:password@host:port/db`	🔴 Contains Password	HIGH
`POSTGRES_PASSWORD`	Various	(check files)	⚠️ Needs Review	HIGH
`DB_PASSWORD`	`explorer-monorepo/deployment/ENVIRONMENT_TEMPLATE.env`	`CHANGE_THIS_SECURE_PASSWORD`	⚠️ Placeholder	MEDIUM

6. Admin Central API (Service-to-Service)

Secret Name	Location	Purpose	Status	Priority
`ADMIN_CENTRAL_API_KEY`	dbis_core, orchestration portal, token-aggregation, multi-chain-execution	Shared secret for Admin Central API (audit append, permission check, audit query). Set in each service that calls dbis_core `/api/admin/central/*`.	⚠️ Document only; use strong random value	HIGH
`DBIS_CENTRAL_URL`	orchestration portal, token-aggregation, multi-chain-execution	Base URL of dbis_core API (e.g. `https://dbis-api.d-bis.org` or `http://localhost:3000`). Required for central audit.	Config	MEDIUM
`ADMIN_JWT_SECRET` or `JWT_SECRET`	orchestration portal	Optional; when set, portal login issues JWT and Bearer token is accepted. Use same as dbis_core for shared auth.	⚠️ Placeholder	MEDIUM

7. JWT/Session Secrets

Secret Name	Location	Status	Priority
`JWT_SECRET`	`explorer-monorepo/deployment/ENVIRONMENT_TEMPLATE.env`	⚠️ Placeholder	MEDIUM
`SESSION_SECRET`	Various	⚠️ Needs Review	MEDIUM

8. Third-Party API Keys

Secret Name	Location	Status	Priority
`ETHERSCAN_API_KEY`	Various `.env.example` files	⚠️ Needs Review	MEDIUM
`METAMASK_API_KEY`	Various	⚠️ Needs Review	MEDIUM
`THIRDWEB_SECRET_KEY`	Various	⚠️ Needs Review	MEDIUM
`TENDERLY_API_KEY`	`impersonator/docs/`	⚠️ Placeholder	LOW

Crypto.com OTC API (DBIS Core Exchange Integration)

Secret Name	Location	Status	Priority
`CRYPTO_COM_API_KEY`	`dbis_core/.env`	⚠️ Required for OTC	MEDIUM
`CRYPTO_COM_API_SECRET`	`dbis_core/.env`	⚠️ Required for OTC	MEDIUM
`CRYPTO_COM_ENVIRONMENT`	`dbis_core/.env`	Optional (`production`/`uat`)	LOW

Purpose: Crypto.com Exchange OTC 2.0 API for institutional OTC trading. See DBIS_CORE_API_REFERENCE.md.

Fiat On/Off Ramps (metamask-integration)

Secret Name	Location	Status	Priority
`MOONPAY_API_KEY`	`metamask-integration/.env`	On-ramp/Off-ramp	MEDIUM
`MOONPAY_SECRET_KEY`	`metamask-integration/.env`	Optional	LOW
`RAMP_NETWORK_API_KEY`	`metamask-integration/.env`	On-ramp/Off-ramp	MEDIUM
`TRANSAK_API_KEY`	`metamask-integration/.env`	On-ramp/Off-ramp	MEDIUM
`TRANSAK_PARTNER_ID`	`metamask-integration/.env`	Optional	LOW
`BANXA_API_KEY`	`metamask-integration/.env`	On-ramp/Off-ramp	MEDIUM
`BANXA_SECRET`	`metamask-integration/.env`	Optional	LOW
`ONRAMPER_API_KEY`	`metamask-integration/.env`	Aggregator	MEDIUM
`STRIPE_SECRET_KEY`	`metamask-integration/.env`	Stripe Crypto Onramp	MEDIUM
`COINBASE_CLIENT_ID`	`metamask-integration/.env`	Coinbase Ramps	MEDIUM
`COINBASE_CLIENT_SECRET`	`metamask-integration/.env`	Coinbase Ramps	MEDIUM
`CYBRID_API_KEY`	`metamask-integration/.env`	Cybrid platform	MEDIUM
`SARDINE_API_KEY`	`metamask-integration/.env`	Sardine Onramp	MEDIUM
`HONEYCOIN_API_KEY`	`metamask-integration/.env`	HoneyCoin Offramp	MEDIUM

FX and Crypto Exchanges (dbis_core)

Secret Name	Location	Status	Priority
`BINANCE_API_KEY`	`dbis_core/.env`	Optional (public ticker works without)	LOW
`BINANCE_API_SECRET`	`dbis_core/.env`	For private endpoints	MEDIUM
`KRAKEN_API_KEY`	`dbis_core/.env`	Optional (public ticker works without)	LOW
`KRAKEN_PRIVATE_KEY`	`dbis_core/.env`	For private endpoints	MEDIUM
`OANDA_API_KEY`	`dbis_core/.env`	Traditional forex	MEDIUM
`OANDA_ACCOUNT_ID`	`dbis_core/.env`	Traditional forex	MEDIUM
`OANDA_ENVIRONMENT`	`dbis_core/.env`	`practice` or `live`	LOW
`FXCM_API_TOKEN`	`dbis_core/.env`	Traditional forex	MEDIUM

DeFi Aggregators (alltra-lifi-settlement)

Secret Name	Location	Status	Priority
`ONEINCH_API_KEY`	`alltra-lifi-settlement/.env`	Higher rate limits	LOW
`PARASWAP_API_KEY`	`alltra-lifi-settlement/.env`	Higher rate limits	LOW
`ZEROX_API_KEY`	`alltra-lifi-settlement/.env`	Higher rate limits	LOW

9. Service-Specific Secrets

Secret Name	Location	Status	Priority
`SITE_MANAGER_API_KEY`	Various docs	⚠️ Placeholder	MEDIUM
`WALLETCONNECT_PROJECT_ID`	Various	⚠️ Needs Review	MEDIUM
`SENTRY_DSN`	Various	⚠️ Optional	LOW
`DATADOG_API_KEY`	Various	⚠️ Optional	LOW

🔐 HSM KEY VAULT MIGRATION PLAN

Overview

An HSM (Hardware Security Module) Key Vault provides the highest level of security for cryptographic keys and secrets. This plan outlines the migration strategy for moving all identified secrets to an HSM-based key vault system.

HSM Key Vault Architecture

Migration Priority Matrix

Phase 1: CRITICAL - Immediate Migration (Week 1-2)

Target Secrets:

All PRIVATE_KEY values (blockchain private keys)
Cloudflare API tokens and keys
Database passwords
NPM passwords

Rationale:

Private keys are the most sensitive assets
API tokens provide broad access
Database credentials protect data integrity

HSM Storage:

Private keys: Store in HSM, never export
API tokens: Encrypted at rest in vault
Passwords: Encrypted with HSM-backed keys

Phase 2: HIGH PRIORITY - Short-Term Migration (Week 3-4)

Target Secrets:

JWT secrets
Session secrets
Service API keys (Omada, UniFi)
Tunnel tokens

Rationale:

Authentication/authorization secrets
Network management credentials
Service integration keys

HSM Storage:

Encryption keys for secrets
Key derivation functions
Secure key rotation

Phase 3: MEDIUM PRIORITY - Medium-Term Migration (Month 2)

Target Secrets:

Third-party API keys
Monitoring credentials
Optional service keys

Rationale:

Lower risk but still sensitive
Can be migrated incrementally
Allows for testing and validation

Phase 4: LOW PRIORITY - Long-Term Migration (Month 3+)

Target Secrets:

Configuration values
Public identifiers
Development-only secrets

Rationale:

Lower security impact
May not require HSM storage
Standard encryption sufficient

HSM Key Vault Implementation Plan

Step 1: HSM Selection & Setup

Recommended: HashiCorp Vault with HSM Backend

Hardware Selection:
- Option A: Cloud HSM (AWS CloudHSM, Azure Dedicated HSM)
- Option B: On-premise HSM (Thales Luna, Utimaco, etc.)
- Option C: Software HSM for development (SoftHSM)

Vault Installation:

# Install HashiCorp Vault
# Configure HSM backend (PKCS#11)
# Set up high availability
# Configure authentication (LDAP, OIDC, etc.)

HSM Integration:
- Configure PKCS#11 library
- Initialize HSM partition
- Create master keys
- Test key operations

Step 2: Secret Organization Structure

Vault Path Structure:

secret/
├── blockchain/
│   ├── private-keys/
│   │   ├── deployer/
│   │   ├── validator-1/
│   │   ├── validator-2/
│   │   └── ...
│   ├── contract-addresses/
│   └── rpc-endpoints/
├── cloudflare/
│   ├── api-tokens/
│   ├── tunnel-tokens/
│   └── zone-ids/
├── infrastructure/
│   ├── proxmox/
│   ├── npm/
│   └── unifi/
├── databases/
│   ├── postgres/
│   └── redis/
├── services/
│   ├── jwt-secrets/
│   ├── api-keys/
│   └── webhooks/
└── third-party/
    ├── etherscan/
    ├── metamask/
    └── ...

Step 3: Secret Migration Process

For Each Secret:

Extract from Current Location

# Read from .env file
# Extract from script
# Document current usage

Store in Vault

# Using Vault CLI
vault kv put secret/blockchain/private-keys/deployer \
  private_key="0x..."

# Or using API
curl -X POST \
  -H "X-Vault-Token: $VAULT_TOKEN" \
  -d '{"data":{"private_key":"0x..."}}' \
  https://vault.example.com/v1/secret/data/blockchain/private-keys/deployer

Update Application Code

# Replace direct file reads with Vault API calls
# Use Vault agent for automatic secret injection
# Update deployment scripts

Verify & Test

# Test secret retrieval
# Verify application functionality
# Check for any hardcoded fallbacks

Remove from Old Location

# Remove from .env files
# Remove from scripts
# Update documentation
# Verify .gitignore

Step 4: Application Integration

Vault Agent (Recommended for Applications):

# vault-agent.hcl
pid_file = "/tmp/vault-agent.pid"

vault {
  address = "https://vault.example.com:8200"
}

auto_auth {
  method "kubernetes" {
    mount_path = "auth/kubernetes"
    config = {
      role = "my-app"
    }
  }
}

template {
  source      = "/etc/secrets/.env.tpl"
  destination = "/etc/secrets/.env"
  perms       = 0600
}

Template File:

# /etc/secrets/.env.tpl
PRIVATE_KEY={{ with secret "secret/data/blockchain/private-keys/deployer" }}{{ .Data.data.private_key }}{{ end }}
CLOUDFLARE_API_TOKEN={{ with secret "secret/data/cloudflare/api-tokens/main" }}{{ .Data.data.token }}{{ end }}

Direct API Integration (For Scripts):

#!/bin/bash
# Get secret from Vault
PRIVATE_KEY=$(vault kv get -field=private_key secret/blockchain/private-keys/deployer)
CLOUDFLARE_TOKEN=$(vault kv get -field=token secret/cloudflare/api-tokens/main)

# Use secrets
cast send ... --private-key "$PRIVATE_KEY"

Step 5: Access Control & Policies

Vault Policies:

# blockchain-deployer.hcl
path "secret/data/blockchain/private-keys/deployer" {
  capabilities = ["read"]
}

path "secret/data/blockchain/contract-addresses/*" {
  capabilities = ["read"]
}

# cloudflare-admin.hcl
path "secret/data/cloudflare/*" {
  capabilities = ["read", "update", "create"]
}

# read-only.hcl
path "secret/data/*" {
  capabilities = ["read"]
}

Role Assignment:

Deployer service: blockchain-deployer policy
DNS automation: cloudflare-admin policy
Monitoring: read-only policy

Step 6: Key Rotation Strategy

Automated Rotation:

Private Keys:
- Generate new key in HSM
- Update contract ownership
- Archive old key (encrypted)
- Update all references
API Tokens:
- Create new token
- Update in Vault
- Update applications
- Revoke old token after grace period
Passwords:
- Generate new password
- Update in Vault
- Rotate database passwords
- Update connection strings

Rotation Schedule:

Private keys: Annually (or on compromise)
API tokens: Quarterly
Passwords: Quarterly
JWT secrets: Monthly

Security Best Practices

1. HSM Configuration

FIPS 140-2 Level 3+ certification
Multi-factor authentication for HSM access
Key escrow and backup procedures
Audit logging for all key operations
Physical security for on-premise HSMs

2. Vault Configuration

TLS encryption for all connections
Seal/unseal key management (Shamir or HSM)
High availability with multiple nodes
Regular backups of Vault data
Network isolation for Vault cluster

3. Access Control

Principle of least privilege
Role-based access control (RBAC)
Time-bound access tokens
IP whitelisting for API access
Regular access reviews

4. Monitoring & Auditing

All secret access logged
Failed access attempts alerted
Regular security audits
Compliance reporting
Anomaly detection

Migration Checklist

Pre-Migration

Select HSM solution
Set up HSM infrastructure
Install and configure Vault
Create vault path structure
Define access policies
Set up authentication methods
Test HSM connectivity
Create backup procedures

Migration Execution

Phase 1: Migrate private keys
Phase 1: Migrate Cloudflare secrets
Phase 1: Migrate database passwords
Phase 1: Migrate NPM passwords
Phase 2: Migrate JWT secrets
Phase 2: Migrate service API keys
Phase 3: Migrate third-party keys
Phase 4: Migrate remaining secrets

Post-Migration

Remove secrets from .env files
Remove hardcoded secrets from scripts
Update documentation
Verify .gitignore
Test all applications
Set up monitoring
Document procedures
Train team on Vault usage

Cost Estimation

Cloud HSM Options

AWS CloudHSM:

Hardware: ~$1,500/month per HSM
Data transfer: Standard AWS rates
Total: ~$1,500-3,000/month (2 HSMs for HA)

Azure Dedicated HSM:

Hardware: ~$1,200/month per HSM
Total: ~$2,400/month (2 HSMs for HA)

HashiCorp Vault (Self-Hosted):

Infrastructure: Varies (VM costs)
HSM integration: PKCS#11 library (free)
Total: ~$200-500/month (infrastructure only)

On-Premise HSM

Hardware: $5,000-50,000 (one-time)
Support: $1,000-5,000/year
Infrastructure: Existing or minimal

Timeline

Week 1-2: HSM selection, procurement, setup
Week 3-4: Vault installation, configuration, testing
Week 5-6: Phase 1 migration (critical secrets)
Week 7-8: Phase 2 migration (high priority)
Month 2: Phase 3 migration (medium priority)
Month 3+: Phase 4 migration (low priority), optimization

Risk Mitigation

Backup Strategy:
- Encrypted backups of all secrets
- Multiple backup locations
- Regular restore testing
Disaster Recovery:
- HSM replication
- Vault cluster across regions
- Documented recovery procedures
Gradual Migration:
- Migrate in phases
- Maintain old system during transition
- Rollback procedures
Testing:
- Test in development first
- Staged production rollout
- Monitor for issues

📊 SECRETS SUMMARY BY CATEGORY

By Priority

CRITICAL: 6 secrets (private keys)
HIGH: 15 secrets (API tokens, passwords)
MEDIUM: 20 secrets (service keys, JWT)
LOW: 10+ secrets (optional, config)

By Location

.env files: 30+ secrets
Scripts: 10+ hardcoded secrets
Documentation: 5+ documented secrets
Templates: 10+ placeholder secrets

By Type

Private Keys: 6 unique keys
API Tokens: 8 unique tokens
Passwords: 5 unique passwords
API Keys: 10+ keys
Configuration: 20+ values

🔄 NEXT STEPS

Immediate Actions:
- Review this inventory
- Verify .gitignore for all .env files
- Remove backup files with secrets
- Document current secret locations
Short-Term (Week 1-2):
- Select HSM solution
- Begin HSM setup
- Install Vault
- Create migration plan
Medium-Term (Month 1):
- Begin Phase 1 migration
- Update applications
- Remove secrets from files
- Set up monitoring
Long-Term (Month 2-3):
- Complete all migrations
- Optimize access patterns
- Implement rotation
- Security audit

Last Updated: 2025-01-27
Status: 🔒 Master Inventory Complete
Next Review: After HSM selection

24 KiB Raw Blame History

Master Secrets Inventory & HSM Key Vault Plan

Executive Summary

🔴 CRITICAL SECURITY FINDINGS

Immediate Security Concerns

📋 COMPREHENSIVE SECRETS INVENTORY

1. Blockchain/Web3 Secrets

Private Keys (CRITICAL - Highest Priority for HSM)

Contract Addresses (Semi-Sensitive)

2. Cloudflare Secrets

API Credentials

Zone/Account IDs (Less Sensitive)

3. Nginx Proxy Manager (NPMplus) Secrets

4. UniFi/Omada Network Secrets

5. Database Credentials

6. Admin Central API (Service-to-Service)

7. JWT/Session Secrets

8. Third-Party API Keys

Crypto.com OTC API (DBIS Core Exchange Integration)

Fiat On/Off Ramps (metamask-integration)

FX and Crypto Exchanges (dbis_core)

DeFi Aggregators (alltra-lifi-settlement)

9. Service-Specific Secrets

🔐 HSM KEY VAULT MIGRATION PLAN

Overview

HSM Key Vault Architecture

Recommended Solutions

Migration Priority Matrix

Phase 1: CRITICAL - Immediate Migration (Week 1-2)

Phase 2: HIGH PRIORITY - Short-Term Migration (Week 3-4)

Phase 3: MEDIUM PRIORITY - Medium-Term Migration (Month 2)

Phase 4: LOW PRIORITY - Long-Term Migration (Month 3+)

HSM Key Vault Implementation Plan

Step 1: HSM Selection & Setup

Step 2: Secret Organization Structure

Step 3: Secret Migration Process

Step 4: Application Integration

Step 5: Access Control & Policies

Step 6: Key Rotation Strategy

Security Best Practices

1. HSM Configuration

2. Vault Configuration

3. Access Control

4. Monitoring & Auditing

Migration Checklist

Pre-Migration

Migration Execution

Post-Migration

Cost Estimation

Cloud HSM Options

On-Premise HSM

Timeline

Risk Mitigation

📊 SECRETS SUMMARY BY CATEGORY

By Priority

By Location

By Type

🔄 NEXT STEPS

📚 RELATED DOCUMENTATION

24 KiB

Raw Blame History