On-prem credential storage security

For on-prem deployments, quite a few credentials are stored in the ENV file, e.g.
UI_BAKERY_JWT_SECRET=xxx
UI_BAKERY_JWT_SERVICE_ACCOUNT_SECRET=xxx
UI_BAKERY_JWT_REFRESH_SECRET=xxx
UI_BAKERY_CREDENTIALS_SECRET=xxx
UI_BAKERY_PROJECT_PRIVATE_KEY_SECRET=xxx
UI_BAKERY_DB_DATABASE=bakery
UI_BAKERY_DB_USERNAME=bakery
UI_BAKERY_DB_PASSWORD=xxx
UI_BAKERY_MFA_SECRET=xxx
UI_BAKERY_SMTP_USERNAME=xxx
UI_BAKERY_SMTP_PASSWORD=xxx

Can a more secure storage method/integration be made available in addition to this? e.g. to pull all credentials from AWS Secrets, or secure storage of the ENV in an encrypted protected file?
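One way to serve the first request in this post (pull everything from AWS Secrets Manager so no plaintext .env file exists on the host), as an added example that is not UI Bakery's own code; it assumes a single Secrets Manager secret whose JSON keys are the variable names listed above, that boto3 is installed, and a caller-supplied secret id and region:

```python
"""Added example, not UI Bakery's code: load the UI_BAKERY_* values from AWS Secrets Manager."""
import json
import os
import subprocess

REQUIRED_KEYS = (  # the variables the thread lists as stored in the .env file
    "UI_BAKERY_JWT_SECRET",
    "UI_BAKERY_JWT_SERVICE_ACCOUNT_SECRET",
    "UI_BAKERY_JWT_REFRESH_SECRET",
    "UI_BAKERY_CREDENTIALS_SECRET",
    "UI_BAKERY_PROJECT_PRIVATE_KEY_SECRET",
    "UI_BAKERY_DB_DATABASE",
    "UI_BAKERY_DB_USERNAME",
    "UI_BAKERY_DB_PASSWORD",
    "UI_BAKERY_MFA_SECRET",
    "UI_BAKERY_SMTP_USERNAME",
    "UI_BAKERY_SMTP_PASSWORD",
)
# Constructed sample of the JSON object the secret's SecretString is expected to hold.
SAMPLE_SECRET_STRING = json.dumps({k: "sample-" + k.lower() for k in REQUIRED_KEYS})


def parse_secret_payload(secret_string: str) -> dict:
    """Validate a SecretString (JSON object keyed by variable name): every
    required key must be present and non-blank, otherwise refuse to start."""
    data = json.loads(secret_string)
    missing = [k for k in REQUIRED_KEYS if not str(data.get(k, "")).strip()]
    if missing:
        raise ValueError("secret is missing values for: " + ", ".join(missing))
    return {k: str(data[k]) for k in REQUIRED_KEYS}


def fetch_secret(secret_id: str, region: str) -> dict:
    """Pull the secret with boto3 (assumed installed); secret_id and region are
    deployment-specific placeholders. Imported lazily so parsing is testable offline."""
    import boto3
    client = boto3.client("secretsmanager", region_name=region)
    return parse_secret_payload(client.get_secret_value(SecretId=secret_id)["SecretString"])


def child_env(secrets: dict, base=None) -> dict:
    """Environment for the service process: the secrets exist only in process
    memory, so no .env file with plaintext values is written to disk."""
    env = dict(os.environ if base is None else base)
    env.update(secrets)
    return env


def run_with_secrets(cmd: list, secrets: dict) -> int:
    return subprocess.call(cmd, env=child_env(secrets))  # secrets injected, nothing on disk
```

Typical use is `run_with_secrets(["./start-ui-bakery.sh"], fetch_secret("<secret-id>", "<region>"))` from a wrapper that replaces the .env file; the host's IAM role then controls who can read the values.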

Hi @TheBobbit,

Generally, if there is unauthorized access to the .env file on your server, then there is a whole different problem with security. If you take the appropriate precautions for your server, then there shouldn’t be any issues with security.

I’m not saying that these integrations would be unnecessary or unwanted, just that security on your server should already be on a decent level.

Thanks Max, I totally agree, the issue here is internal auditing standards: “creds stored in plaintext” (irrespective of location, usability/level of exposure, etc.) is hit with a default red flag.

This is a “please help me keep audit happy” request so we can happily deploy UI Bakery all over the place. :smiley: