Secrets Management
Secrets Management allows you to securely store and manage sensitive credentials such as passwords, API keys, certificates, and other confidential information. This section will guide you through understanding and using the secrets management features.
Overview
STATUS provides a secure secrets vault for storing sensitive data:
- Encrypted Storage: All secrets are encrypted at rest
- Access Control: Fine-grained access control for secrets
- Audit Logs: Track who accessed which secrets and when
- Secret Versioning: Keep track of secret versions and history
- Secure Retrieval: Secrets are retrieved securely without exposing them
Figure 1: Secrets management architecture.
Secrets are never displayed in plain text after creation. Take care to copy values when creating secrets, as you won't be able to see them again.
Create a Secret
To create a new secret:
- Navigate to the Secrets section from the main navigation
- Click the Create Secret button
- Fill in the secret details:
  - Name: A descriptive name for the secret
  - Description: What the secret is used for
  - Type: Secret type (Password, API Key, Certificate, etc.)
  - Value: The secret value (only shown during creation)
  - Scope: Optional scope for organizing secrets
- Click Save to create the secret
Figure 2: Create secret form.
Make sure to copy the secret value immediately after creation. Once saved, the value cannot be retrieved.
View Secrets
Once created, you can view your secrets in the Secrets page:
- Name: The secret's name
- Type: The type of secret (Password, API Key, etc.)
- Description: The secret's description
- Scope: The scope the secret belongs to (if any)
- Created At: When the secret was created
- Last Used: When the secret was last accessed
Figure 3: Secrets list view.
Secret Types
STATUS supports various secret types:
Passwords
Simple password secrets for authentication:
- Use Cases: Database passwords, system accounts, service accounts
- Security: Stored with strong encryption
- Validation: Optional password strength validation
API Keys
API keys for external service authentication:
- Use Cases: Cloud provider credentials, third-party API access
- Format: Can be any string format
- Expiration: Optional expiration dates
Certificates
SSL/TLS certificates and keys:
- Use Cases: HTTPS certificates, client certificates
- Format: PEM format supported
- Chain: Can include certificate chains
SSH Keys
SSH key pairs for secure access:
- Use Cases: Server access, Git authentication
- Format: Supported formats include RSA, ECDSA, Ed25519
- Passphrase: Optional passphrase protection
Custom
Custom secret types for specialized needs:
- Use Cases: Application-specific secrets
- Format: Any format you need
- Validation: Custom validation rules
Manage Secrets
Once created, you can manage your secrets:
Edit Secret
To edit a secret:
- Navigate to the Secrets section
- Click the Edit button next to the secret
- Update the secret details (except value)
- Click Save to update
You cannot view or edit the secret value. To update a secret value, you must create a new version.
Update Secret Value
To update a secret's value:
- Navigate to the Secrets section
- Click the Update Value button next to the secret
- Enter the new value
- Optionally add a reason for the update
- Click Save to create a new version
Figure 4: Update secret value form.
Delete Secret
To delete a secret:
- Navigate to the Secrets section
- Click the Delete button next to the secret
- Confirm the deletion
- The secret will be permanently removed
Deleting a secret cannot be undone. Make sure you have backups or alternatives before deletion.
Secret Versioning
STATUS keeps track of secret versions to maintain history and enable rollback if needed.
View Versions
To view a secret's version history:
- Navigate to the Secrets section
- Click on the secret name
- View the list of all versions:
  - Version Number: Sequential version identifier
  - Created At: When this version was created
  - Created By: Who created this version
  - Reason: Reason for the update (if provided)
Figure 5: Secret version history.
Rollback Version
To roll back to a previous version:
- View the secret's version history
- Click the Rollback button next to the desired version
- Confirm the rollback
- The previous version becomes the current version
Rolling back creates a new version that copies the old value. Version history is preserved.
Access Control
Secrets are protected by access control to ensure only authorized users can access them.
Secret Scopes
Secrets can be organized into scopes for better access control:
- Global: Secrets accessible by all authorized users
- Environment: Secrets scoped to specific environments (production, staging, etc.)
- Service: Secrets scoped to specific services
- Custom: Custom scopes as needed
Permission Levels
Different users have different levels of access:
- USER: Can view secrets they have access to
- DEVELOPER: Can create and update secrets within their scopes
- ADMIN: Full access to all secrets
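The versioning rules above (every update or rollback appends a new version, old versions are never rewritten, values are never shown again) and the scope and permission model combine into a small set of invariants. The following Python model is an added example, not STATUS code: the names Vault, User, Version and the audit tuple layout are assumptions, and it records the kind of audit trail the Audit Logging section describes.

```python
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

RANK = {"USER": 0, "DEVELOPER": 1, "ADMIN": 2}  # permission levels named on the page
User = namedtuple("User", "name role scopes")  # scopes: environment/service/custom scopes held
Version = namedtuple("Version", "number value created_by reason")  # value is write-only

class Vault:
    """Model (added here, not STATUS code) of the versioning and access rules above."""
    def __init__(self) -> None:
        self.secrets: Dict[str, Tuple[str, List[Version]]] = {}  # name -> (scope, versions)
        self.audit: List[Tuple[str, str, str, int]] = []  # (action, user, secret, version)

    def _authorize(self, user: User, scope: str, needed: str) -> None:
        # ADMIN reaches every scope; a "global" secret is open to all authorized users
        in_scope = user.role == "ADMIN" or scope == "global" or scope in user.scopes
        if RANK[user.role] < RANK[needed] or not in_scope:
            raise PermissionError(f"{user.name} lacks {needed} access to scope {scope}")

    def _append(self, user: User, name: str, value: str, reason: Optional[str], action: str) -> int:
        scope, versions = self.secrets[name]
        self._authorize(user, scope, "DEVELOPER")  # create/update need DEVELOPER within scope
        v = Version(len(versions) + 1, value, user.name, reason)  # sequential version number
        versions.append(v)
        self.audit.append((action, user.name, name, v.number))
        return v.number

    def create(self, user: User, name: str, value: str, scope: str = "global") -> int:
        if name in self.secrets:
            raise ValueError(f"secret {name} already exists; use update_value")
        self._authorize(user, scope, "DEVELOPER")
        self.secrets[name] = (scope, [])
        return self._append(user, name, value, None, "create")

    def update_value(self, user: User, name: str, value: str, reason: Optional[str] = None) -> int:
        return self._append(user, name, value, reason, "update")
    def rollback(self, user: User, name: str, to_version: int) -> int:
        old = self.secrets[name][1][to_version - 1]  # old versions are kept, never rewritten
        return self._append(user, name, old.value, f"rollback to v{to_version}", "rollback")

    def retrieve(self, user: User, name: str) -> str:
        scope, versions = self.secrets[name]
        self._authorize(user, scope, "USER")  # USER may read secrets they have access to
        self.audit.append(("access", user.name, name, versions[-1].number))
        return versions[-1].value  # the one path that exposes a value, and it is logged

    def history(self, user: User, name: str) -> list:
        scope, versions = self.secrets[name]
        self._authorize(user, scope, "USER")
        return [(v.number, v.created_by, v.reason) for v in versions]  # metadata only
```

Note that rollback produces version 3 carrying the value of version 1, so the history still shows the rotation that was undone, which is exactly the property an auditor needs.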
Secret Usage in STATUS
Secrets are used in various parts of STATUS:
Datasources
Datasources can reference secrets for authentication:
- Database Credentials: Use a secret for the database password
- API Keys: Use a secret for external API authentication
- Certificates: Use a secret for client certificates
Figure 6: Using secrets in datasource configuration.
Node-RED Flows
Node-RED flows can retrieve secrets securely:
- Flow Credentials: Use secrets for flow credentials
- Environment Variables: Use secrets for environment variables
- Dynamic Retrieval: Retrieve secrets at runtime
Mashups
Mashups can reference secrets for secure access:
- Authentication: Use secrets for authentication to external systems
- Encrypted Data: Use secrets for encrypting and decrypting data
Security Features
STATUS implements multiple security features for secrets:
Encryption at Rest
All secrets are encrypted using industry-standard encryption:
- Algorithm: AES-256 encryption
- Key Management: Secure key management
- Rotation: Regular key rotation
Encryption in Transit
Secrets are transmitted securely:
- TLS: All communications use TLS encryption
- Certificate Validation: Strict certificate validation
- Secure Channels: Secure channels for secret retrieval
Audit Logging
All secret access is logged:
- Access Logs: Who accessed which secrets and when
- Creation Logs: Who created which secrets
- Update Logs: Who updated which secrets
- Deletion Logs: Who deleted which secrets
Figure 7: Secret access audit logs.
Secure Retrieval
Secrets are retrieved securely:
- No Display: Secrets are never displayed after creation
- Temporary Access: Secrets are available only when needed
- Auto-Expiration: Temporary access tokens expire automatically
- Secure Memory: Secrets are stored securely in memory
Best Practices
Follow these best practices for effective secrets management:
- Unique Secrets: Use unique secrets for different purposes
- Strong Passwords: Use strong, complex passwords
- Regular Rotation: Rotate secrets regularly
- Least Privilege: Grant minimum necessary access
- Audit Regularly: Regularly review audit logs
- Document Usage: Document what each secret is used for
- Backup: Keep secure backups of critical secrets
- Version Control: Use versioning to track changes
Effective secrets management is critical for security. Invest time in understanding the features and following best practices.
Troubleshooting
Secret Not Working
If a secret isn't working as expected:
- Verify the secret value is correct
- Check the secret hasn't expired
- Ensure the secret has the right scope
- Verify the referencing component has access to the secret
Cannot Access Secret
If you cannot access a secret:
- Verify you have the necessary permissions
- Check the secret is in an accessible scope
- Ensure the secret hasn't been deleted
- Contact your administrator if you believe you should have access
If you suspect a secret has been compromised, rotate it immediately and check audit logs for suspicious activity.