Hacker News new | ask | show | jobs
Ask HN: Is a file with both public and secret content a secret or not?
2 points by iamAy0 1734 days ago
This question showed up while debating whether a configuration file with public application settings and secret values should be stored in Hashicorp's Vault as a secret.
4 comments
LinuxBender 1734 days ago
A file that would contain a secret should have the secret attributes parameterized and the attribute modified on deployment using Hashicorp Vault, otherwise the entire file would have to be stored in Vault meaning the entire file is a secret. This is a common pattern with Ansible, Chef, Puppet and other configuration management tools that integrate with Vault. Docker also has integrations with Vault and can replace attribute placeholders with their secret contents on deployment of containers. All of the aforementioned platforms have how-to's explaining how to correctly integrate with Vault.
link
smt88 1734 days ago
The secrets are secret. Store them securely.

If storing the secrets securely doesn't cause the public settings to be inaccessible where/when they're needed, then you have nothing else to do.

Separate the secret and non-secret data. Don't even use files, just let each item be its own individual value with its own key and permissions.

Also, it doesn't sound like anyone debating this is experienced enough to be making security decisions, even very basic ones.

link
iamAy0 1734 days ago
we aren't here discussing about whether the used pattern is correct or not, it's clearly not. But that's not the scope of the question.
link
smt88 1734 days ago
Then the file is secret. It's a nonsensical argument.

It's like saying, "If I put military secrets and my grocery list in a locked briefcase, is the briefcase a secret?"

First: yes, of course it is. Second: the secrets are not inherently tied together forever. You can separate them.

link
gjvc 1734 days ago
https://en.wikipedia.org/wiki/Steganography
link
iamAy0 1734 days ago
Steganography is about hiding information within other information, but I don't really see what's the point you are trying to make here. Could you elaborate?
link
PaulHoule 1734 days ago
If any of it is secret then the whole thing is secret, isn’t it? The only way around that is to break it into multiple parts.
link
iamAy0 1734 days ago
exactly my point of view.
link