#SecretManagement

Freya :nb_verified: Venefilyn@snug.moe
2025-06-02

For my homelab CoreOS config that I store publicly with git I've been wondering what to do about secrets. ​:blobfox3c:​

For the containers at least I'm thinking
- Use Podman secrets when possible
- Script to setup the Podman secrets through bitwarden cli

Problem is, I will host Bitwarden on the host that will initially not have any secrets. Shouldn't be an issue as Bitwarden can manage without a secret, but still a limitation that needs to be solved separately.
​:blobfoxthink:​

Don't really wanna store secrets through git but would like to have an offline solution if possible. Generating the secrets could be possible, at least for initial setup, but then I wanna be able to access the secrets easily too
​:blobfoxnotlikethis:​

So much thinking

#coreos #containers #podman #gitops #security #secretmanagement

N-gated Hacker News ngate
2025-05-30

🚀🎉 Hold the presses! adds "Namespaces" to its secret manager, enabling isolated environments for your secrets. 🤔 Finally, a solution to the problem of "Where did I put my secrets again?" 😅 Thanks, OpenBao, for making secret management feel like a game of hide-and-seek with a twist! 🙄🔍
openbao.org/blog/namespaces-an

2025-04-24

....aaaaaand #OpenBao (the fork of #Hashicorp #Vault) is on its way to @opensuse #Tumbleweed in the latest version 2.2.1. Since 2.2.0 the webui is included in OpenBao, so this can be a full replacement for Vault!

Looking forward to doing more testing with it!

In case you want to try it out, here is a #vagrant #libvirt setup using #Ansible to prepare an OpenBao server VM and a client using a secret.
codeberg.org/johanneskastl/ope

#secretmanagement #kms #devops

2025-04-02

GitHub is shaking up code security after 39 million secrets leaked—now every team can access standalone tools backed by AI and major cloud partners. Curious how this could reshape digital protection?

thedefendopsdiaries.com/github

#githubsecurity
#softwareprotection
#secretmanagement
#cybersecuritytools
#infosec

Sascha Stumpler sasstu@hessen.social
2025-02-28

Video Intro to Secret Management with PowerShell dlvr.it/TJF0J3 via PlanetPowerShell #PowerShell #SecretManagement #Microsoft #Automation

Solinvictus :vm: dminca@mastodontech.de
2024-04-20

@nixos_org 🎉 took me 12 days to finally understand how this works & setup but I finally got a working secret management config! Check this out codeberg.org/dminca/nix-config

#security #secretManagement #nix #nixDarwin #x86_64darwin #aarm64darwin

Solinvictus :vm: dminca@mastodontech.de
2024-04-13

First @nixos_org challenge by the course of a month trying to get acquainted with #nix: secret management.

Seems there’s absolutely no ‘batteries-included’ way to have this implemented the proper way, instead people have to come up with their own ‘hacks’ so-to-speak to get something feasible working…

#nixos #nix #secretManagement #encryption #security #x86_64darwin #aarm64darwin

2023-10-17

Wrote a blog post on AzCopy

Azure Blob Storage Sync with AzCopy

Learn to sync files with AzCopy & store credentials securely :

Https://ramuvr.github.io/azcop

#azcopy #powershell #SPN #SecretManagement

Tanya Janca | SheHacksPurple :verified: :verified: SheHacksPurple@infosec.exchange
2023-04-10
2023-03-11

I’m happy to announce the publication of my #PowerShell template module for #SecretManagement Extensions on GitHub. It enables the fast creation of new SecretManagement Extensions, including many best practices and (most important) a ReadMe which describes all pitfalls I’ve fallen into and the tricks to avoid this. All learned the hard way creating SecretManagement.NetwrixPasswordSecure 😋. If only one new extension based on the template is created the work was worth it.

github.com/Callidus2000/Secret

2023-02-22

Is there an 'easy' way to call private #PowerShell functions from nested modules?

I've got my module A with the nested module B. Now I've got a function (f) which is needed/usable from both A&B but makes no sense as a public function. Currently I've made it available as public A\f and can access it from everywhere.

And the answer 'don't use nested modules' is sadly not acceptable as this is the design pattern for #SecretManagement extensions 😒

2023-02-16

A few weeks ago I announced that I’m working on a #PowerShell extension of the #SecretManagement module for support of #Netwrix #PasswordSecure solution (formerly known as #Mateso #PasswordSafe).

Today I’ve released v1.0.0 to the PowerShellGallery and to github. I’d appreciate any kind of feedback.

Special prerequisite of this extension: you need the .NET SDK DLLs which get provided by the vendor to enterprise customers.

github.com/Callidus2000/Secret

2023-01-02

@AndrewPlaTech
My short time #PowerShell goals are:
1) Complete my #NetwrixPasswordSecure #SecretManagement module for public usage.

2) Spread some insights about how PS automation can save the day (internal company TechDay)

3) Use my Fortigate Manager module to clean up our internal firewalls

2022-12-18

Let's try the poll feature of my new preferred social platform 😋

I’m currently developing a #Powershell #SecretManagement extension module for #Netwrix #PasswordSecure, formerly #Mateso #PasswordSafe. If released to the gallery the user would have to provide/side load DLLs which are only available for Enterprise customers.

Would such a module be of interest? Otherwise it will stay in-house.

2022-12-18

@DoctorDNS not a dll just a script based Powershell Module.

Got 3 Workarounds now, mixing them gets me up and running:
1. Test the code directly without #SecretManagement
2. Using the RestartableSession module (my fav)
3. Use the rss command from PSModuleDevelopment

2022-12-17

@jaykul
Thanks for the reference, I'll take a deep look at your module.

Currently I'm moving to @mdgrs module solution. It was quite easy to test the extension commands directly by importing it with a prefix. But then I've tested it from #SecretManagement and wanted to cry.... The AdditionalParameters HashTable which is automatically provided is case sensitive regarding the keys. I tend to call this nonsense and will open an issue in the main repo for this.

2022-12-16

@mdgrs It is possible but cumbersome... Some aspects have to be emulated/mocked as they would normally be handled by #SecretManagement. Currently I'm not really convinced if the speed benefit is enough to "Temp-Ignore" your module approach.

2022-12-16

@jaykul Hi, thanks, I've missed the obvious... And now I've got a usage for the 'Prefix' param of Import-Module: Coding a 'Get-Secret' and testing with 'Get-PWSSecret', nice.

While this will be my current workaround for initial dev I'll switch over to @mdgrs #powershell solution github.com/mdgrs-mei/Restartab which works perfectly even if testing the Extension through #SecretManagement.

2022-12-16

@callidus2000 in my personal opinion, the extension mechanism in #PowerShell #SecretManagement is the most frustrating way that they could possibly have implemented extensions. I hate almost everything about it, from the way you have to hide your module in another module, to the way it loads your module in a nested PSSession in their C# module.

In short, avoid testing _through_ SecretManagement, and test by directly loading your module.
