Presently in the unified deployment, database credentials have to be supplied as an environmental variable. Given the sensitive nature of that data it would be useful to be able to use dynamic credentials – ones that change during runtime.
Then a system such as Hashicorp Vault could be used to lease ephemeral credentials to a particular instance of the application, and those could automatically rotate every X period (such as hourly/daily).
This provides for a more secure database configuration and reduces the need to have long-lived database credentials without having to incur a downtime to restart the process.
ENV variables cannot be changed once started. A mechanism to read the credentials out of a local file whenever the file changes would do it.
Of course native Vault integration would be best, but that ties you in to Vault directly.
I definitely agree there are better ways to set up sensitive credentials such as for databases and the like without having to have them in plain-text, have you looked into Docker Secrets manager?
I haven’t yet checked to see if this would be a compatible method of management but I know there are multiple ways users or docker are able to manage storage or secure credentials but this may be one that can help.
That mechanism helps seperate the container definition and secret, but of course it is still plain-text within the container (otherwise the app couldn’t read it).
Also:
Note: After you create a secret, you cannot update it . You can only remove and re-create it, and you cannot remove a secret that a service is using.
That doesn’t provide any mechanism for rotating the secret. In order to have any hope of live-rotation the application needs to be able to read updated creds at runtime. Once the app can reload creds at runtime there are any number of ways to provide / rotate them.
Ahhh bummer to hear then that this would not function as required
I am becoming familiar with secrets management, Azure Key Vault and have been recommended Hashicorp Vault as well being a good open-source solution, but haven’t yet gotten much experience with it just yet.
Hopefully, your request is something that will gain traction as a security focused company I believe it’s best for Bitwarden to push for best practices where they can.
