Visible private key or sensitive file

Private keys such as SSH PEM files, PKCS#12 (.p12) bundles and private certificates are used to prove, issue and validate identities. As such, they should be kept safely and securely, ideally in a specialized secret store rather than on disk next to the code that uses them.

Other files, such as shell history (e.g. .zsh_history), database client configuration, FTP client configuration and similar, store sensitive information such as hostnames, passwords and keys in plain text.

Moreover, such files should be encrypted and given restrictive permissions (where applicable) so that access to them can be controlled and monitored.

Problem

We have found a private key, application configuration file or history file stored in plain text in a code, infrastructure or configuration repository.
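A small scanner that performs this check over a directory tree is added here as an illustration; it is not part of the original page or of any product. It flags files by name (history files, PEM/P12/key suffixes), by content (PEM private-key headers, which also catches a key pasted into an otherwise innocuous YAML or JSON file) and, for anything it flags, by file mode that leaves the file readable by group or others. The file-name list and the sample repository are constructed for the example.

```python
import re
import stat
import tempfile
from pathlib import Path

# PEM headers used by OpenSSL, OpenSSH, PKCS#8 and EC private keys.
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)

# File names and suffixes that usually hold plaintext credentials or history.
# This list is constructed for the example; extend it for your own stack.
SENSITIVE_NAMES = {
    ".zsh_history", ".bash_history", ".mysql_history", ".psql_history",
    ".netrc", ".pgpass", ".my.cnf", "id_rsa", "id_ed25519", ".env",
    "sitemanager.xml",            # FileZilla site manager
}
SENSITIVE_SUFFIXES = {".pem", ".p12", ".pfx", ".key", ".jks"}
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def classify_file(path: Path) -> list:
    """Return the findings for one file; an empty list means clean."""
    findings = []
    if path.name in SENSITIVE_NAMES or path.suffix.lower() in SENSITIVE_SUFFIXES:
        findings.append("sensitive-filename")
    try:
        head = path.read_bytes()[:65536]   # PEM headers sit at the top of a file
    except OSError:
        return findings
    if PRIVATE_KEY_RE.search(head):
        findings.append("private-key-material")
    # A leaked secret readable by group/others is worse than one kept at 0600.
    mode = stat.S_IMODE(path.stat().st_mode)
    if findings and mode & GROUP_OTHER_BITS:
        findings.append(f"permissive-mode-{mode:04o}")
    return findings


def scan_tree(root: Path) -> dict:
    """Map each offending path (relative to root, POSIX form) to its findings."""
    results = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            findings = classify_file(path)
            if findings:
                results[path.relative_to(root).as_posix()] = findings
    return results


def build_sample_repo() -> Path:
    """Constructed sample repository: three typical leaks and one clean file."""
    root = Path(tempfile.mkdtemp(prefix="leak-demo-"))
    (root / "deploy").mkdir()
    key = root / "deploy" / "server.pem"
    key.write_text("-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n"
                   "-----END RSA PRIVATE KEY-----\n")
    key.chmod(0o644)                       # world-readable private key
    hist = root / ".zsh_history"
    hist.write_text("mysql -h db.internal -u root -phunter2\n")
    hist.chmod(0o600)
    cfg = root / "config.yaml"             # key embedded in an innocuous file
    cfg.write_text("tls_key: |\n  -----BEGIN PRIVATE KEY-----\n  MIIEvQ...\n")
    cfg.chmod(0o600)
    (root / "README.md").write_text("# demo\n")
    return root


if __name__ == "__main__":
    for rel, findings in scan_tree(build_sample_repo()).items():
        print(f"{rel}: {', '.join(findings)}")
```

Run it against a checkout before pushing, or wire `scan_tree` into a pre-commit hook; the content check is the one that matters most, because a key copied into a config file or a Dockerfile has no telltale file name.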

Fix

Delete the temporary or misplaced configuration files and remove them from the repository, including its history if they were already committed. Treat any key or credential that was exposed this way as compromised and rotate it. Then apply the following best practices where relevant:

Infrastructure

  1. Use a cloud-native secret store, such as AWS Secrets Manager
  2. Use a dedicated vault product, such as:
    1. CyberArk Vault
    2. HashiCorp Vault

Architecture

  1. Prefer a 12-factor architecture, where configuration, including secrets, is read from the environment at run time rather than committed with the code
  2. Use a secret-loading library (e.g. a dotenv library) for your specific tech stack, and keep the .env file itself out of version control
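The loading pattern the two points above describe, as an added example that is not part of the original page: a hypothetical minimal dotenv parser (a real project would use its stack's dotenv package), a settings object that refuses to start when a required secret is absent and never echoes secrets in its repr, a merge order in which the real process environment overrides the local .env file, and a check that .env is covered by .gitignore. The sample .env and .gitignore contents are constructed.

```python
import os
import re
from dataclasses import dataclass
from typing import Mapping, Optional

# KEY=VALUE lines with an optional `export ` prefix; comments and blanks are skipped.
_LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text: str) -> dict:
    """Hypothetical dotenv parser: handles quotes and trailing ` # comments`."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed .env line: {raw!r}")
        key, value = m.group(1), m.group(2)
        if value[:1] in ('"', "'"):            # quoted: take up to the closing quote
            end = value.find(value[0], 1)
            if end == -1:
                raise ValueError(f"unterminated quote in .env line: {raw!r}")
            value = value[1:end]
        else:                                   # unquoted: drop a trailing comment
            value = value.split(" #", 1)[0].rstrip()
        values[key] = value
    return values


@dataclass(frozen=True)
class Settings:
    db_host: str
    db_password: str
    api_key: str

    REQUIRED = ("DB_HOST", "DB_PASSWORD", "API_KEY")

    @classmethod
    def missing(cls, env: Mapping) -> list:
        """Names of required settings that are absent or empty."""
        return [k for k in cls.REQUIRED if not env.get(k)]

    @classmethod
    def from_env(cls, env: Mapping) -> "Settings":
        missing = cls.missing(env)
        if missing:                              # fail fast instead of running half-configured
            raise RuntimeError(f"missing required settings: {', '.join(missing)}")
        return cls(db_host=env["DB_HOST"], db_password=env["DB_PASSWORD"],
                   api_key=env["API_KEY"])

    def __repr__(self) -> str:                   # never echo secrets into logs or tracebacks
        return f"Settings(db_host={self.db_host!r}, db_password='***', api_key='***')"


def load_settings(dotenv_text: Optional[str],
                  process_env: Mapping = os.environ) -> Settings:
    """12-factor order: the real environment wins; .env only fills local-dev gaps."""
    merged = {}
    if dotenv_text is not None:
        merged.update(parse_dotenv(dotenv_text))
    merged.update(process_env)
    return Settings.from_env(merged)


def dotenv_is_ignored(gitignore_text: str) -> bool:
    """True if the .gitignore carries a pattern that excludes .env files."""
    patterns = {l.strip() for l in gitignore_text.splitlines()
                if l.strip() and not l.strip().startswith("#")}
    return bool(patterns & {".env", "/.env", ".env*", ".env.*", "*.env"})


# Constructed sample inputs for the example.
SAMPLE_DOTENV = """
# local development only; never commit this file
export DB_HOST=localhost
DB_PASSWORD='dev-only-password'
API_KEY="sk-test-1234"  # quoted value followed by a comment
"""
SAMPLE_GITIGNORE = ".env\nnode_modules/\n"

if __name__ == "__main__":
    print(load_settings(SAMPLE_DOTENV, process_env={}))
    print("dotenv ignored:", dotenv_is_ignored(SAMPLE_GITIGNORE))
```

In production the .env file is simply absent and every value arrives through the environment (injected by the orchestrator from the secret store listed under Infrastructure); the same `load_settings` call then fails loudly if a secret was not provisioned, instead of silently falling back to a value committed with the code.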

See