What are some of the common approaches used to store and use secrets so as to not include passwords and userIDs in line in code or data within the Losant platform?
I am currently testing storing USERID and PASSWORD in the GEA container but a function node can still call the GEA to pull the password stored within the container.
I have ideated and experimented using Azure KeyVault or an AWS/GCP equivalent for storing secrets.
Goal: Secure device password/userID within the Losant platform.
Question: What does Losant recommend? What have other customers used to secure device secrets?
THANK YOU
Hey @CyberJMC66!
As of right now, the most common place to store credentials, and the one we generally recommend, is within Application Globals. If the credentials are per-device, then Device Tags are used.
For the cloud, we are releasing a first-class credential storage system very soon. These credentials, once provided, can never be directly viewed or accessed again by any Losant user. They are tied to specific cloud services and can only be used to authenticate against those services. These credentials also have a second layer of encryption within our database. This means even if our backups, which are also encrypted, are ever exposed, the credentials within those backups remain encrypted.
For the edge, things get far more complicated. For the workflow process to access the credentials, they must be stored somewhere. As you’ve noted, if the workflow process can access them in any way, a Function Node will also be able to access them.
We have explored third-party credential storage systems, but a similar problem arises. There must be an access key persisted somewhere to request tokens from the service. A TPM can protect the key from the outside, but the workflow process will eventually require the unencrypted key, so any workflow developer is likely able to obtain it.
The best recommendation we have is to treat anything you store on a physical device as vulnerable. If someone has physical access to your gateway, it’s nearly impossible to completely secure the data stored on that gateway. For this reason, every gateway should have its own access key/secret for authenticating against Losant’s broker and if you’re accessing third-party services directly from the device, each one should have its own token. This way, if (and when) a device is exploited, the person is only able to masquerade as that device and is unable to obtain or impact anything else.
Revisiting this topic now that HTTP Service Credentials are provided.
I solved the security issue by running a “Get Bearer Token” from a sandbox environment, and updating a table within the core application via Losant API. Not the best option but works.
I would like to use a Service Credential
To obtain the bearer token, the following the API call looks like this;
curl --location ‘http://home.domain.com/api/auth/login’
–header ‘Content-Type: application/json’
–data-raw ‘{
“username”: “APIUser”,
“password”: “” ,
“otp”: “”
}’
With this type of API call, is a Service credential usable in the payload of the Post? Am I not looking at the right documentation?
HTTP Service Credentials cannot be used in the body of an HTTP request. They can be used:
- In a header
- In a query parameter
- As HTTP Basic Auth
- As client certificate authentication
It appears as though your use case might not be the intended use case for Service Credentials. As the name implies, Service Credentials are used for service-to-service integrations. In these cases, you typically have a single, long-lived token that is used to access the other service.
Service Credentials are not intended to be used to store user-specific or device-specific credentials.
Brandon, I noticed in the documentation that the credential can be updated, but not retrieved. Right now I am storing bearer token in a table, and retrieving it before each HTTP node. If I can update the credential bearer token, that would be an improvement over what I am doing now. Your link to rest API for Service Credential (singular) has an error in it. Assuming I will find what I need to update the credential there (revised the url manually so the content exists) Credential Actions | Losant Documentation