User story #10309

Store sensitive data in Rudder

Added by Avit Sidis over 1 year ago. Updated 8 months ago.

Status: Discussion
Priority: N/A
Assignee: -
Category: Security

Description

Rudder already provides some ways to hash passwords in the user directive, but I'd like to know what the best way to store sensitive data in Rudder is. A scenario I'm thinking of is a tool configuration that needs to connect to a centralized server using specific credentials (user + password). I'd like to prevent these sensitive data from being viewed by all Rudder operators in my company.

According to me, here are 2 options available today (Rudder 4.0.2):
  • store sensitive data on the share space in rudder server
    • + not visible in clear in the interface
    • - hard to update (can't be done via rudder interface)
    • - stored in clear at server side
  • encode sensitive data and use JavaScript code to decode them in directives
    • + not visible in clear in the interface
    • + can be edited via rudder web interface
    • - can be decoded (so retrieved via rudder interface)

Some other tools I use to work with have a concept called "Secured Variables" (stored encrypted in the database with a key configured in the server), and it could be great to have this kind of concept in Rudder too (maybe in global parameters?). An even better solution could be an integration with secret management tools like HashiCorp Vault.

If there is no better solution than the ones I thought, I hope that I give you at least some ideas for future Rudder releases :-)

Thanks in advance

History

#1 Updated by Benoît PECCATTE over 1 year ago

  • Category set to Security

#2 Updated by Benoît PECCATTE over 1 year ago

  • Status changed from New to Discussion

You're right that those are the solutions.
Note that in the case of the shared-files directory, it can be a mountpoint to some remote server. This can make it easier to edit if you already have a file server.

An alternative would be to set up HashiCorp's Vault with Consul Template.
But it can be costly to set up and there is no integration with Rudder.

#3 Updated by Benoît PECCATTE 8 months ago

  • Tracker changed from Question to User story
  • Subject changed from What is the best way to store sensitive data in Rudder ? to Store sensitive data in Rudder
  • Target version set to Ideas (not version specific)

Converting to user story so that we add a feature for this.
