Storing secrets and credentials securely in GitLab

I am wondering if it's possible to store credentials like passwords, tokens and keys safely in my GitLab project.

Currently there are a bunch of Java files with some passwords stored in it for testing purposes. However, I don't want to push this information on my repo due to security reasons. I tried using environment variables in the project, but they only seem to work for the .gitlab-ci.yml file.

My question is does anyone use a vault like Hashicorps or Blackbox to encrypt sensitive information?

Thanks

user12118362, asked Dec 13 '19 10:12


People also ask

How does GitLab manage secrets?

Manage secrets through HashiCorp Vault and GitLab CI. GitLab CI/CD integrates with HashiCorp Vault to support advanced secrets management use cases. You can combine the K8S_SECRET_ prefixed use case even with Vault-based secrets, and have the secrets applied automatically.

Where are GitLab passwords stored?

GitLab stores user passwords in a hashed format to prevent passwords from being stored as plain text. GitLab uses the Devise authentication library to hash user passwords. Created password hashes have these attributes: Hashing: The bcrypt hashing function is used to generate the hash of the provided password.

Is it safe to store passwords in github?

The mistake that many programmers (even experienced ones) make is to store secrets together with their code, checking them into source control (like Git). This is certainly the easiest, most convenient way to deal with the problem, but it's a rather bad idea. In short, don't store your secrets in Git!

How can you avoid storing secrets in the source code?

To avoid doing that, you can use the Secret Manager. The Secret Manager tool stores sensitive data in a JSON file under %appdata%, so you are sure not to commit them. It works the same as the appsettings.json file at the root of your project.


1 Answer

You can check out GitLab 12.9 (March 2020) which comes with:

HashiCorp Vault GitLab CI/CD Managed Application

GitLab wants to make it easy for users to have modern secrets management. We are now offering users the ability to install Vault within a Kubernetes cluster as part of the GitLab CI managed application process.

This will support the secure management of keys, tokens, and other secrets at the project level in a Helm chart installation.

See documentation and issue.


See also GitLab 13.4 (September 2020)

For Premium/Silver only:

Use HashiCorp Vault secrets in CI jobs

In GitLab 12.10, GitLab introduced functionality for GitLab Runner to fetch and inject secrets into CI jobs. GitLab is now expanding the JWT Vault Authentication method by building a new secrets syntax in the .gitlab-ci.yml file. This makes it easier for you to configure and use HashiCorp Vault with GitLab.

[Image: Use HashiCorp Vault secrets in CI jobs, https://about.gitlab.com/images/13_4/vault_ci.png]

See Documentation and Issue.

VonC, answered Jan 04 '23 05:01
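A worked example of the secrets syntax the answer above refers to, added here as an illustration; it is not code from the original post or from GitLab's own documentation. It assumes a Vault server at https://vault.example.com with a KV v2 engine mounted at "ops", a secret at "production/db" with a "password" field, another at "api" with a "token" field, and a Vault JWT auth role named "gitlab-ci" bound to this project; every one of those names and URLs is a placeholder. It also shows how the secret reaches the Java tests the question mentions, without the password ever being committed.

```yaml
# .gitlab-ci.yml (added example; server URL, role, mount and paths are placeholders)
variables:
  # The runner sends the job's CI_JOB_JWT to this Vault server to log in.
  VAULT_SERVER_URL: "https://vault.example.com"
  # Vault JWT auth role. On the Vault side this role should bind JWT claims
  # such as project_id and ref_protected so that only protected branches of
  # this project can read the secret; the policy attached to it only needs
  # read on ops/data/production/db and ops/data/api.
  VAULT_AUTH_ROLE: "gitlab-ci"

integration-tests:
  stage: test
  image: eclipse-temurin:17
  secrets:
    # Short form: <path>/<field>@<engine mount>
    DATABASE_PASSWORD:
      vault: production/db/password@ops
    # Long form, equivalent to api/token@ops
    API_TOKEN:
      vault:
        engine:
          name: kv-v2
          path: ops
        path: api
        field: token
  script:
    # With this syntax the runner writes each secret to a temporary file and
    # puts the file's path in the variable, so the value has to be read from
    # that file. Never echo it; the job log is readable by everyone with
    # access to the pipeline.
    - export DB_PASSWORD="$(cat "$DATABASE_PASSWORD")"
    - export API_TOKEN_VALUE="$(cat "$API_TOKEN")"
    # The Java tests read System.getenv("DB_PASSWORD") instead of a literal in
    # the source, so nothing sensitive is checked in. An environment variable
    # is preferred over a -D flag, which would be visible in the process list.
    - ./gradlew test
  rules:
    # Only run where the Vault role's ref_protected binding would pass anyway.
    - if: $CI_COMMIT_REF_PROTECTED == "true"
```

Before this job can succeed, Vault must have the JWT auth method enabled and configured with the GitLab instance's JWKS endpoint, the "gitlab-ci" role must carry bound_claims on at least project_id (so a fork or another project presenting its own CI_JOB_JWT is rejected), and the token TTL should be short, since the token is only needed for the duration of the job. The K8S_SECRET_ and Helm-chart installation mentioned earlier in the answer are separate mechanisms; this example uses only the secrets keyword.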