Credentials management within a CI/CD environment

I'll talk about secrets instead of credentials, as there might be other sensitive information you'd like to protect. It doesn't matter that your question is worded specifically towards CI/CD systems; the issue is the same whether we're talking about using X.509 certificates for authentication, saving database credentials, or protecting an access token for a build agent.

There's no canonical way to handle this, as applications' and organizations' needs differ on what constitutes secrets and how to handle them. Some applications might offer no other way to store secrets than in a file.

Some applications encrypt secrets on disk, but as that encryption often has to be symmetric, it is more or less decorative.

So, what can you do?

  • Your first line of defense is your operating system's DAC (discretionary access control) and MAC (mandatory access control) - if we're talking Linux, POSIX permissions are DAC and LSMs like AppArmor, SELinux or grsecurity are MAC.

  • Auditing your OS to proper standards like CIS or DISA STIG.

  • Using an HSM or OpenPGP smartcard to store the PGP key you use to encrypt the secrets on disk springs to mind. Devices like these guarantee that the key never leaves the hardware.

Keep in mind that no single measure keeps the keys in an HSM secure - physical access can still compromise them. Hardware key storage devices must be combined with physical security and proper operational procedures to enforce their security.

Check the major browsers' root CA policies (Chrome, Firefox, Edge/IE). They enforce the usage of hardware crypto devices and several restrictions and rules on how to operate them and what audits you have to pass.

  • Using software like Vault to get the secret on-demand, but that needs application support. Otherwise you are just storing it on disk again. What Vault can add to the mix though is an enforceable TTL for secrets and the ability to rotate them on its own.
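As an added illustration of the "first line of defense" point above (example code, not part of the original answer): a small audit of a secret file's POSIX DAC state, checking owner, mode bits and the parent directory. The baseline it enforces (owner-only 0600 regular file in a directory closed to group/others) is an assumption of this example, and the fixture files and their contents are constructed placeholders.

```python
"""Audit on-disk secret files against a POSIX DAC baseline (example, not the answer's code)."""
import os
import stat
import tempfile


def audit_secret_file(path: str) -> list[str]:
    """Return findings for one secret file; an empty list means it meets the baseline.

    Baseline (assumed for this example): regular file, owned by the invoking
    user, no group/other access, not executable, parent directory mode 0700.
    """
    findings: list[str] = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # A symlink's own mode is meaningless; the target needs its own audit.
        return ["path is a symlink; audit the target explicitly"]
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid != os.geteuid():
        findings.append(f"owned by uid {st.st_uid}, not the current user")
    perm = stat.S_IMODE(st.st_mode)
    if perm & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append(f"group has access (mode {perm:04o})")
    if perm & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"others have access (mode {perm:04o})")
    if perm & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("secret file is executable")
    # A permissive parent directory lets others list or traverse to the file.
    parent = os.path.dirname(os.path.abspath(path))
    dperm = stat.S_IMODE(os.stat(parent).st_mode)
    if dperm & 0o077:
        findings.append(f"parent directory is mode {dperm:04o}; group/others can reach it")
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed fixtures: one locked-down secret (0600) and one readable by everyone (0644)."""
    d = tempfile.mkdtemp()  # mkdtemp always creates the directory with mode 0700
    good = os.path.join(d, "deploy_token")
    bad = os.path.join(d, "db_password")
    for p, mode in ((good, 0o600), (bad, 0o644)):
        with open(p, "w") as fh:
            fh.write("constructed-placeholder-secret\n")
        os.chmod(p, mode)
    return {"good": audit_secret_file(good), "bad": audit_secret_file(bad)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["ok"])
```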