Securing API Keys

I’m curious to know what customers’ strategies are for managing and protecting the API keys used to access secrets protected by DAP/Conjur.

When developers ask what the value is of exchanging a clear-text password for a clear-text API key, we can certainly offer the explanation that, when integrated with EPV, we are able to perform rotations, but I’ve seen this not be truly satisfying to some people. If one compromised the key, then they would be able to expose all passwords.

Do you combine this with AIM? Do you use encryption on scripts? Any assistance would be appreciated 🙂

Hi @Mitch 🙂

If the API key is a key for a developer user of the system, then they should store the key in their own local keystore (which might be their OSX keyring or software like LastPass).

If you’re speaking instead about application identities, then depending on the system the application is deployed to, we have a variety of integrations available. With these integrations we’re aiming to solve the secret zero problem by using native system attributes to verify the app identity and get it access to the secrets it needs.

It’s also worth noting, regarding your comment

If one compromised the key then they would be able to expose all passwords.

it’s always best practice to only entitle your applications / users to access the secrets that they need, and nothing more. That is, you should be applying the principle of least privilege to your application entitlements to ensure that even in the event of a breach, the attacker would not have access to all passwords.

Hope that helps to clarify this - and if you have any questions about specific integrations, please let us know. Thanks!

2 Likes
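To make the two points in the reply above concrete (a native-identity authenticator in place of a distributed API key, and entitlements scoped to only the secrets an application needs), here is an added illustration written as Conjur policy. It is not from the original thread or from CyberArk's own documentation. It assumes a hypothetical application called `myapp` deployed to Kubernetes, and that an authn-k8s authenticator with the service id `dev-cluster` has already been loaded under `conjur/authn-k8s/dev-cluster`, with its `consumers` group defined there; the variable ids and namespace/service-account names are invented for the example. The first policy shows the weak pattern the original poster objects to, the second the hardened form.

```yaml
# Added example, not from the thread. Ids, namespace and service-account
# names are assumed; the authn-k8s service id "dev-cluster" is assumed to
# exist at conjur/authn-k8s/dev-cluster with a "consumers" group.

# --- Weak: one shared host (one API key) entitled to every secret --------
- !policy
  id: shared-weak
  body:
    - !host all-apps          # a single API key copied into every script
    - !variable db/password
    - !variable payments/api-token
    - !variable smtp/password
    - !permit
      role: !host all-apps
      privileges: [read, execute]
      resources:              # a leaked key exposes every secret here
        - !variable db/password
        - !variable payments/api-token
        - !variable smtp/password

# --- Least privilege plus native identity instead of a shipped key -------
- !policy
  id: myapp
  body:
    # The workload identity. The authn-k8s authenticator verifies the pod's
    # namespace and service account against the Kubernetes API, so no API
    # key needs to be baked into the image or the deployment script.
    - !host
      id: backend
      annotations:
        authn-k8s/namespace: myapp
        authn-k8s/service-account: backend
        authn-k8s/authentication-container-name: authenticator

    - !variable db/password   # the only secret this service needs

    - !permit
      role: !host backend
      privileges: [read, execute]
      resource: !variable db/password   # nothing else is reachable

# Entitle the host to use the authenticator (the consumers group is
# created by the authn-k8s policy; its path is assumed here).
- !grant
  role: !group conjur/authn-k8s/dev-cluster/consumers
  member: !host myapp/backend
```

With the second policy, a compromise of the `myapp/backend` pod yields at most `myapp/db/password`, and there is no long-lived API key for the attacker to lift from source control or a CI log: the identity is asserted by the platform at runtime, and the secret remains rotatable from EPV without touching the application.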

Hi Geri,

I’m totally on board with the least privilege approach! This definitely limits the blast radius and is something we always strive to enforce.

That being said, I’m sure you can understand the conversations that occur when developers get wise to the fact that they are exchanging one hard-coded secret in their code/script for another hard-coded secret.

Secretless is a really cool concept and I’d love to see how things develop. It would be great if future releases of DAP/Conjur were able to do auth like AIM/AAM does (IP, hash, OS user, etc.). I think there is a lot of value to be had by combining both technologies.

3 Likes