How to protect secret stored on Keyvault from developers


Problem description

When we store secrets on keyvault and give GET access to any user, they are able to see the plain text value using the secret.secretvaluetext property. How can we prevent developers from seeing these secrets in plain text?

Solution

You can't prevent the developers from reading the value if you give them "GET" access. You have to make sure you are not saving the plain text directly in the secret.

You can do something like this - Assume "plain text" is the secret you want to secure. You can encrypt it using a key that you have in the same KV and then save that "encrypted plain text" as a secret.

Now for your developers you can give them access to the secret and then give your application "decrypt" access to the key. 

Your developers can make sure the secret is coming back and then your application can do the necessary decryption to use the actual value.
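
The pattern described in the answer above, sketched in PowerShell as an added example (not code from the original post). The vault, key, secret and object-id names are hypothetical placeholders; it assumes a vault using access policies and a recent Az.KeyVault module in which `Invoke-AzKeyVaultKeyOperation` accepts `-ByteArrayValue` and returns `RawResult`.

```powershell
# Hypothetical names, not from the original post.
$vault      = 'contoso-kv'                    # vault using the access-policy model
$keyName    = 'secret-wrapping-key'
$secretName = 'DbPassword-enc'
$devGroupId = '<developers-group-object-id>'  # placeholder
$appId      = '<application-object-id>'       # placeholder

# 1. Admin: create an RSA key in the same vault and encrypt the real value.
#    RSA-OAEP-256 with a 2048-bit key can encrypt at most 190 bytes.
Add-AzKeyVaultKey -VaultName $vault -Name $keyName -Destination Software | Out-Null
$plainBytes = [Text.Encoding]::UTF8.GetBytes('plain text')   # constructed sample value
$enc = Invoke-AzKeyVaultKeyOperation -Operation Encrypt -Algorithm 'RSA-OAEP-256' `
    -VaultName $vault -Name $keyName -ByteArrayValue $plainBytes

# 2. Admin: store only the Base64 ciphertext as the secret.
$cipherB64 = [Convert]::ToBase64String($enc.RawResult)
Set-AzKeyVaultSecret -VaultName $vault -Name $secretName `
    -SecretValue (ConvertTo-SecureString $cipherB64 -AsPlainText -Force) | Out-Null

# 3. Permissions: developers may read the secret but get no key permissions;
#    only the application identity is allowed to decrypt with the key.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $devGroupId `
    -PermissionsToSecrets get
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $appId `
    -PermissionsToSecrets get -PermissionsToKeys decrypt

# 4. Running as the application identity: fetch the ciphertext and decrypt it.
#    A developer running the first line sees only the Base64 ciphertext.
$stored = Get-AzKeyVaultSecret -VaultName $vault -Name $secretName -AsPlainText
$dec = Invoke-AzKeyVaultKeyOperation -Operation Decrypt -Algorithm 'RSA-OAEP-256' `
    -VaultName $vault -Name $keyName `
    -ByteArrayValue ([Convert]::FromBase64String($stored))
$value = [Text.Encoding]::UTF8.GetString($dec.RawResult)
```

The separation only holds while no developer identity has `decrypt` (or `unwrapKey`) on the key or rights to change the vault's access policies.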



