secret management in on premise application

Question

The .net core server code I'm working on is going to be hosted both in cloud infrastructure and on premises.

There are many options to handle secret management (connection strings etc...):

Big cloud providers are offering dedicated secret management solutions (AWS KMS, Azure Key Vault, etc..).
Popular orchestrators, offer also their own service (Kubernetes Secrets for example)
In development, we have dedicated secret management tools & process (which are nice)

But how can I store securely secrets on premise hosting? I doubt setting it as a simple variable environment is considered as safe?

1

https://www.vaultproject.io/ – root Dec 06 '20 at 06:35

score 1 · Answer 1 · answered Dec 01 '20 at 19:21

1

In the On Prem setup you need to transfer the RISK to the customer who should ensure that the Master Key in this case let's say that you go for Option #3 in which case the access to the Server should be actively controlled , monitored and should be heavily restricted.

So the onus of security is to prevent any un-authorized person from getting a login access to the Server and your configuration stays secured

answered Dec 01 '20 at 19:21

Soumen Mukherjee

2,953
3
22
34

1

Yes, but option#3 (VS secret manager) is normaly designed for dev only (as stated by documentation). Furthermore this is not very handy for secret update (compared to options #1 & #2) – chrisdot Dec 08 '20 at 15:44

score 0 · Answer 2 · answered Dec 16 '20 at 15:50

0

If your on-prem resources have internet access, I would recommend a Key Vault using client certificate authentication and IP restrictions. If you need more security, you can also use VPN.

answered Dec 16 '20 at 15:50

Matt Small

2,182
1
10
16

secret management in on premise application

2 Answers2

Linked