CC Secrets
Overview
Design concepts at https://wiki.coadcorp.com/doc/secrets-management-idea-VGJMey7Wnd
Provide REST API for CRUD to store and retrieve user/password data for logging into devices. Only password is encrypted, via AES256 GCM. Values stored in sqlite database.
Requires JWT token to store/retrieve passwords.
This isn't super secure, probably not even as secure as Hashicorp Vault running in dev mode.
Installation
- Copy binary to chosen location, eg /srv/ccsecrets
- Create .env file in same directory as binary, populate as per Configuration section below
- Create systemd service definition
- Start service
Configuration
| Environment Variable Name | Description | Example | Default |
|---|---|---|---|
| LOG_FILE | Specify the name/path of file to write log messages to | /var/log/ccsecrets.log | ./ccsecrets.log |
| BIND_IP | Specify the local IP address to bind to. | 127.0.0.1 | Primary IPv4 address |
| BIND_PORT | Specify the TCP/IP port to bind to. | 443 | 8443 |
| TLS_KEY_FILE | Specify the filename of the TLS certificate private key (must be unencrypted) in PEM format | key.pem | privkey.pem |
| TLS_CERT_FILE | Specify the filename of the TLS certificate file in PEM format | cert.pem | cert.pem |
| TOKEN_HOUR_LIFESPAN | Number of hours that the JWT token returned at login is valid | 12 | No default specified, must define this value |
| API_SECRET | Secret to use when generating JWT token | 3c55990bd479322e2053db3a8 | No default specified, must define this value |
| INITIAL_PASSWORD | Password to set for builtin Administrator account created when first started, can remove this value after first start. Can specify in plaintext or bcrypt hash | $2a$10$s39a82wrRAdOJVZEkkrSReVnXprz5mxU30ZBO.dHPYTncQCsUD9ce | password |
| SECRETS_KEY | Key to use for AES256 GCM encryption. Must be exactly 32 bytes | AES256Key-32Characters1234567890 | No default specified, must define this value |
Systemd script
Create/update the systemd service definition at /etc/systemd/system/ccsecrets.service and then run systemctl daemon-reload
[Unit]
Description=CC Secrets Service
After=network.target
#StartLimitIntervalSec=0
[Service]
Type=simple
Restart=always
RestartSec=1
User=root
ExecStart=/srv/ccsecrets/ccsecrets
[Install]
WantedBy=multi-user.target
API
User Operations
Register
POST /api/admin/register
Data
{
"UserName": "",
"Password": "",
"RoleId": 2
}
This operation can only be performed by a user with a role that is admin enabled.
Login
POST /api/login
Data
{
"UserName": "",
"Password": ""
}
Secrets Operations
Store
POST /api/secret/store
Data
{
"deviceName": "",
"deviceCategory": "",
"userName": "",
"secretValue": ""
}
Must be logged in to execute this command. Role of current user cannot be a ReadOnly role. Secret will be stored with the RoleId of the currently logged in user. Either deviceName or deviceCategory can be blank but not both.
If a secret exists for this RoleId and matching deviceName and deviceCategory then an error will be generated.
Retrieve
GET /api/secret/retrieve
Data
{
"deviceName": "",
"deviceCategory": ""
}
Must be logged in to execute this command. Only secrets registered with the current user's RoleId can be retrieved.
Either deviceName or deviceCategory can be specified (or both). Wildcards are supported for both deviceName and deviceCategory fields.
- The percent sign % wildcard matches any sequence of zero or more characters.
- The underscore _ wildcard matches any single character.
Update
POST /api/secret/update
Data
{
"deviceName": "",
"deviceCategory": "",
"userName": "",
"secretValue": ""
}
Users with ReadOnly role will receive Forbidden error when calling this API endpoint. The values specified in deviceName and deviceCategory must match exactly one existing secret record for the RoleId of the currently logged in user. Wildcards are supported for deviceName and deviceCategory.