The safest password is the one you don't know
This may sound strange, but it is true. Today's systems are all interconnected, and every service we talk to needs credentials. How do you store such sensitive data in an online application without risking its discovery?
The solution is simple - not knowing them. Or at least not knowing them all the time.
Every online application produces data that must be saved somewhere, usually in a database. So why not save the credentials along with the data? What looks like an easy solution may turn out to be a risky one if the database is somehow compromised: in that situation an attacker would have both the data and the credentials.
So why not save the credentials encrypted? Because that blocks automated tasks: the application cannot use the data without the decryption key.
So how can this dilemma be solved? By relying on systems designed exclusively for this purpose, such as HashiCorp Vault. In recent updates we have linked prando business to Vault to store external API credentials securely.
In this case, how are the credentials for Vault itself stored? Aren't we back to square one? No, thanks to Vault's AppRole authentication method. The scheme is as simple as it is ingenious. One half of the credentials is built directly into the Rails application using Rails credential storage. The second half is generated when the Nomad job is configured, just before the application is launched; it is valid only for a few minutes and only for a limited number of uses. On startup the application presents the two halves to Vault, which confirms the authentication by issuing a security token. From then on every connection is made with this token, which is known only to the application and exists only while the process is running.
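What that startup sequence looks like from the Rails side, as an added example that is not prando business's own code: the RoleID comes from Rails credentials, the SecretID arrives from the Nomad job through an environment variable, and the two are exchanged once for a token that lives only in memory. The Vault address, the `VAULT_SECRET_ID` variable name and the injectable transport are assumptions; the login endpoint and response shape are Vault's documented AppRole API.

```ruby
require "json"
require "net/http"
require "uri"

# Added example, not the project's code. Assumes VAULT_ADDR and VAULT_SECRET_ID are
# set by the Nomad job at launch, and that the RoleID is read from Rails credentials
# by the caller (e.g. Rails.application.credentials.vault_role_id).
module VaultAppRole
  LOGIN_PATH = "/v1/auth/approle/login"

  # Build the login body: role_id is the long-lived half baked into the app,
  # secret_id the short-lived half handed over by the job just before start.
  def self.login_body(role_id, secret_id)
    JSON.generate("role_id" => role_id, "secret_id" => secret_id)
  end

  # Default transport: a real HTTPS POST to Vault. Returns [status, body].
  def self.http_post(addr, path, body)
    uri = URI.join(addr, path)
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = (uri.scheme == "https")
    res = http.post(uri.path, body, "Content-Type" => "application/json")
    [res.code.to_i, res.body]
  end

  # Exchange RoleID + SecretID for a client token. With the role configured for
  # secret_id_num_uses=1 and a short secret_id_ttl, the SecretID is spent by this
  # call; only the token is kept, in memory, and it is gone when the process ends.
  def self.login(addr:, role_id:, secret_id:, transport: method(:http_post))
    status, body = transport.call(addr, LOGIN_PATH, login_body(role_id, secret_id))
    raise "AppRole login failed (HTTP #{status}): #{body}" unless status == 200
    auth = JSON.parse(body).fetch("auth")
    { token: auth.fetch("client_token"),
      ttl: auth.fetch("lease_duration"),
      renewable: auth["renewable"] }
  end

  # Read the SecretID the job injected, use it once, and scrub it from the
  # environment so nothing later in the process (or a child) can re-read it.
  def self.login_from_env(role_id, transport: method(:http_post))
    secret_id = ENV.delete("VAULT_SECRET_ID") or raise "VAULT_SECRET_ID not set"
    login(addr: ENV.fetch("VAULT_ADDR"), role_id: role_id,
          secret_id: secret_id, transport: transport)
  end
end
```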
At the next startup? The token is "forgotten".
As we said, the safest password is the one you don't know.