# Security Audit Report - Secrets Management

**Last Updated:** 2026-01-31
**Document Version:** 1.0
**Status:** Active Documentation

---

**Date:** 2025-01-27
**Status:** ✅ Audit Complete
**Auditor:** Automated Security Scan
**Scope:** All secrets across `/home/intlc/projects` directory

---

## Executive Summary

A comprehensive security audit was conducted to identify all secrets, assess their current storage methods, and provide recommendations for secure HSM Key Vault migration.

### Key Findings

- **Total Secrets Identified:** 50+ unique secrets
- **Critical Issues:** 6 private keys exposed in files
- **High Priority Issues:** 15 API tokens and passwords
- **Medium Priority Issues:** 20 service keys and configuration secrets
- **Backup Files with Secrets:** 3 files identified and secured

### Risk Assessment

| Risk Level | Count | Description |
|-----------|-------|-------------|
| 🔴 **CRITICAL** | 6 | Private keys exposed in .env files |
| 🟠 **HIGH** | 15 | API tokens, passwords in files/scripts |
| 🟡 **MEDIUM** | 20 | Service keys, JWT secrets |
| 🟢 **LOW** | 10+ | Configuration values, public identifiers |

---

## Detailed Findings

### 🔴 CRITICAL: Private Keys Exposed

**Issue:** Private keys found in multiple `.env` files and documentation

**Locations:**

1. `proxmox/smom-dbis-138/.env` - Deployer private key
2. `no_five/.env` - Private key (same as deployer)
3. `237-combo/.env` - Different private key
4. `loc_az_hci/smom-dbis-138/.env` - Deployer private key
5. `proxmox/smom-dbis-138/services/*/.env` - Multiple service files
6. `docs/06-besu/T1_2_CREDENTIALS_VERIFIED.md` - Documented in markdown

**Risk:**

- Complete compromise of blockchain accounts
- Unauthorized transaction signing
- Financial loss
- Reputation damage

**Recommendation:**

- **IMMEDIATE:** Move all private keys to HSM
- Never export private keys from HSM
- Use HSM for all cryptographic operations
- Rotate keys if exposure is suspected

**Status:** ⚠️ Requires immediate action

---

### 🟠 HIGH: API Tokens and Passwords

#### Cloudflare API Credentials

**Issue:** Multiple Cloudflare API tokens and keys found in files

**Locations:**

- `proxmox/.env` - API key and tunnel token
- `loc_az_hci/.env` - API key
- `loc_az_hci/smom-dbis-138/.env` - API token
- `scripts/fix-certbot-dns-propagation.sh` - Hardcoded token
- `scripts/install-shared-tunnel-token.sh` - Hardcoded tunnel token

**Risk:**

- Unauthorized DNS modifications
- SSL certificate issuance
- Tunnel configuration changes
- Account compromise

**Recommendation:**

- Migrate to Vault immediately
- Use API tokens (not global API key)
- Implement token rotation
- Limit token permissions

**Status:** ⚠️ High priority migration

---

#### NPM (Nginx Proxy Manager) Credentials

**Issue:** Passwords hardcoded in scripts

**Locations:**

- `scripts/create-npmplus-proxy.sh` - Hardcoded password hash
- `scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh` - Hardcoded password
- `proxmox/.env` - Plain text password

**Risk:**

- Unauthorized proxy configuration
- SSL certificate management
- Domain routing changes

**Recommendation:**

- Move to Vault
- Use API tokens instead of passwords
- Implement password rotation

**Status:** ⚠️ High priority migration

---

#### Database Credentials

**Issue:** Database passwords in connection strings

**Locations:**

- `dbis_core/.env` - DATABASE_URL with embedded password
- `explorer-monorepo/.env` - Database credentials

**Risk:**

- Unauthorized database access
- Data breach
- Data manipulation

**Recommendation:**

- Use Vault database secrets engine
- Implement dynamic credentials
- Separate password from connection string

**Status:** ⚠️ High priority migration

---

### 🟡 MEDIUM: Service Keys and JWT Secrets

**Issue:** Various service API keys and JWT secrets

**Locations:**

- UniFi API keys in documentation
- Omada API keys in .env files
- JWT secrets in templates
- Third-party API keys

**Risk:**

- Service compromise
- Unauthorized API access
- Session hijacking (JWT)

**Recommendation:**

- Migrate to Vault
- Implement key rotation
- Use environment-specific secrets

**Status:** ⚠️ Medium priority migration

---

## Backup Files Security

### Findings

**Backup Files with Secrets:**

1. `smom-dbis-138/.env.backup` - Contains Cloudflare API token
2. `smom-dbis-138/.env.backup.20251225_092319` - Contains private key and API token
3. `loc_az_hci/smom-dbis-138/.env.backup` - Contains API token

**Status:** ✅ Secured

- Files moved to secure location: `~/.secure-secrets-backups/`
- All backup files properly ignored in .gitignore
- Recommendation: Encrypt backups or delete if no longer needed

---

## .gitignore Coverage

### Status: ✅ COMPLETE

**Verification Results:**

- All `.env` files properly ignored
- Backup file patterns in .gitignore
- No secrets at risk of accidental commit

**Coverage:**

- Root `.gitignore` includes `.env` patterns
- Service-specific `.gitignore` files properly configured
- Backup file patterns: `*.env.backup`, `.env.backup.*`

---

## Hardcoded Secrets in Scripts

### Findings

**Scripts with Hardcoded Secrets:**

1. `scripts/create-npmplus-proxy.sh` - NPM password
2. `scripts/fix-certbot-dns-propagation.sh` - Cloudflare token
3. `scripts/install-shared-tunnel-token.sh` - Tunnel token
4. `scripts/obtain-all-ssl-certificates.sh` - Cloudflare token
5. `scripts/configure-all-cloudflare-dns.sh` - Cloudflare token
6. `scripts/test-cloudflare-permissions.sh` - Cloudflare token
7. `scripts/nginx-proxy-manager/*.sh` - NPM credentials

**Risk:**

- Secrets in version control
- Accidental exposure
- Difficult to rotate

**Recommendation:**

- Replace with Vault API calls
- Use environment variables from Vault Agent
- Remove hardcoded values

**Status:** ⚠️ Requires script updates

---

## Secrets in Documentation

### Findings

**Documentation Files with Secrets:**

1. `docs/06-besu/T1_2_CREDENTIALS_VERIFIED.md` - Private key
2. `docs/06-besu/T1_2_CREDENTIALS_STATUS.md` - Private key references
3. `docs/04-configuration/UDM_PRO_API_LIMITATIONS.md` - UniFi API key
4. `docs/04-configuration/NGINX_PROXY_MANAGER_COMPLETE_SETUP.md` - Passwords

**Risk:**

- Public exposure if docs are shared
- Accidental disclosure
- Historical record of secrets

**Recommendation:**

- Replace with placeholders
- Remove actual secret values
- Use `[REDACTED]` for examples
- Document secret locations in secure docs only

**Status:** ⚠️ Requires documentation cleanup

---

## Compliance and Best Practices

### Current State

✅ **Good Practices:**

- .gitignore properly configured
- Backup files identified and secured
- Comprehensive inventory created
- Migration plan documented

⚠️ **Areas for Improvement:**

- Private keys in files (should be in HSM)
- Hardcoded secrets in scripts
- Secrets in documentation
- No centralized secrets management
- No secret rotation procedures

---

## Recommendations

### Immediate Actions (Week 1)

1. **Secure Private Keys**
   - Move all private keys to HSM immediately
   - Never export from HSM
   - Verify no keys in version control
2. **Remove Hardcoded Secrets**
   - Update all scripts to use Vault
   - Remove hardcoded values
   - Test script functionality
3. **Clean Documentation**
   - Replace secrets with placeholders
   - Remove actual values from docs
   - Update examples

### Short-Term (Week 2-4)

1. **HSM Key Vault Setup**
   - Select and configure HSM solution
   - Install HashiCorp Vault
   - Migrate critical secrets
2. **Script Updates**
   - Update all scripts for Vault integration
   - Implement Vault Agent where applicable
   - Test all automation
3. **Access Control**
   - Define Vault policies
   - Implement RBAC
   - Set up audit logging

### Medium-Term (Month 2-3)

1. **Complete Migration**
   - Migrate all secrets to Vault
   - Remove secrets from .env files
   - Update all applications
2. **Secret Rotation**
   - Implement rotation procedures
   - Automate where possible
   - Document rotation schedule
3. **Monitoring**
   - Set up secret access monitoring
   - Alert on unauthorized access
   - Regular security audits

---

## Security Metrics

### Before Migration

- **Secrets in Files:** 50+
- **Hardcoded Secrets:** 10+
- **Secrets in Docs:** 5+
- **Backup Files:** 3
- **Private Keys Exposed:** 6

### Target State (After Migration)

- **Secrets in Files:** 0
- **Hardcoded Secrets:** 0
- **Secrets in Docs:** 0 (placeholders only)
- **Backup Files:** 0 (or encrypted)
- **Private Keys Exposed:** 0 (all in HSM)

---

## Risk Mitigation

### Current Risks

1. **Private Key Exposure**
   - **Mitigation:** Immediate HSM migration
   - **Timeline:** Week 1-2
2. **API Token Compromise**
   - **Mitigation:** Vault migration, token rotation
   - **Timeline:** Week 2-4
3. **Hardcoded Secrets**
   - **Mitigation:** Script updates, Vault integration
   - **Timeline:** Week 3-4
4. **Documentation Exposure**
   - **Mitigation:** Documentation cleanup
   - **Timeline:** Week 1

---

## Compliance Status

### Security Standards

- ✅ **.gitignore Coverage:** Complete
- ⚠️ **Secret Storage:** Needs HSM migration
- ⚠️ **Access Control:** Needs Vault policies
- ⚠️ **Audit Logging:** Needs implementation
- ⚠️ **Secret Rotation:** Needs procedures

### Best Practices

- ✅ Secrets inventory documented
- ✅ Migration plan created
- ⚠️ HSM implementation pending
- ⚠️ Secret rotation pending
- ⚠️ Monitoring pending

---

## Next Steps

1. **Immediate (This Week)**
   - [ ] Review this audit report
   - [ ] Clean up documentation secrets
   - [ ] Begin HSM selection
2. **Short-Term (Week 2-4)**
   - [ ] Set up HSM and Vault
   - [ ] Migrate critical secrets
   - [ ] Update scripts
3. **Medium-Term (Month 2-3)**
   - [ ] Complete migration
   - [ ] Implement rotation
   - [ ] Set up monitoring

---

## Related Documentation

- [Master Secrets Inventory](MASTER_SECRETS_INVENTORY.md)
- [Secrets Migration Summary](SECRETS_MIGRATION_SUMMARY.md)
- [Secrets Quick Reference](SECRETS_QUICK_REFERENCE.md)
- [Secret Usage Patterns](SECRET_USAGE_PATTERNS.md)

---

**Last Updated:** 2025-01-27
**Status:** ✅ Audit Complete
**Next Review:** After HSM migration
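The Database Credentials finding recommends separating the password from the connection string. The Python helpers below are an added example, not code from the audited projects: they compose `DATABASE_URL` at runtime from non-secret settings plus a password the caller has already fetched from the secret store (Vault in this plan), and they redact an existing URL before it reaches logs or documentation. The function names, the `DB_*` variable names and the sample host `db.internal` are assumptions made for the example.

```python
"""Keep the database password out of DATABASE_URL.

Added example for the Database Credentials finding; not code from the audited
projects. Function names, DB_* settings and sample values are assumptions.
"""
import os
from urllib.parse import quote, unquote, urlsplit, urlunsplit


def build_database_url(scheme: str, user: str, password: str,
                       host: str, port: int, database: str) -> str:
    """Compose the URL at runtime. User and password are percent-encoded so a
    password containing '@', ':' or '/' cannot corrupt the URL structure."""
    netloc = f"{quote(user, safe='')}:{quote(password, safe='')}@{host}:{port}"
    return urlunsplit((scheme, netloc, f"/{database}", "", ""))


def split_database_url(url: str) -> dict:
    """Inverse of build_database_url: recover the decoded components."""
    p = urlsplit(url)
    return {
        "scheme": p.scheme,
        "user": unquote(p.username or ""),
        "password": unquote(p.password or ""),
        "host": p.hostname or "",
        "port": p.port,
        "database": p.path.lstrip("/"),
    }


def has_embedded_password(url: str) -> bool:
    """Audit check: True when the connection string carries a password inline."""
    return urlsplit(url).password is not None


def redact_database_url(url: str) -> str:
    """Replace an inline password with [REDACTED] before logging or documenting.
    The host:port part is taken verbatim from netloc so IPv6 brackets and case
    survive (urlsplit's .hostname would lowercase and strip them)."""
    p = urlsplit(url)
    if p.password is None:
        return url
    hostport = p.netloc.rsplit("@", 1)[-1]
    netloc = f"{quote(p.username or '', safe='')}:[REDACTED]@{hostport}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))


def database_url_from_env(password: str, env=None) -> str:
    """Assemble the URL from non-secret DB_* settings (hypothetical names) plus a
    password obtained by the caller from the secret store, so the password never
    has to be written into a .env file."""
    env = os.environ if env is None else env
    return build_database_url(
        env.get("DB_SCHEME", "postgresql"), env["DB_USER"], password,
        env["DB_HOST"], int(env.get("DB_PORT", "5432")), env["DB_NAME"],
    )


if __name__ == "__main__":
    # Constructed settings; the password would come from Vault at startup.
    settings = {"DB_USER": "dbis", "DB_HOST": "db.internal", "DB_NAME": "dbis_core"}
    url = database_url_from_env("p@ss:w/rd", settings)
    print(redact_database_url(url))
```

`has_embedded_password` is the check an automated scan can run over every `DATABASE_URL` it finds; `redact_database_url` is what a log formatter or documentation cleanup step should apply before the value is written anywhere.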
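For the Hardcoded Secrets in Scripts and Secrets in Documentation findings, the following Python script is an added example of the detection and cleanup logic such an audit relies on; it is not the scan that produced this report. It combines pattern-based detection, severity classification using this report's CRITICAL/HIGH/MEDIUM levels, placeholder awareness so that already-migrated values such as `$(vault kv get ...)` or `<your-token>` are not flagged, and `[REDACTED]` substitution for documentation cleanup. The regexes, file names and secret-shaped values are constructed for the example and are not from the audited files.

```python
"""Detect, classify and redact hardcoded secrets in scripts and docs.

Added example for this report's hardcoded-secrets and documentation findings;
not the scanner that produced the report. Patterns, paths and values are
constructed for illustration.
"""
import re
from dataclasses import dataclass

# (kind, severity, pattern). Severity follows the report's risk levels. The first
# matching pattern on a line wins, so the list is ordered most to least severe.
PATTERNS = [
    # 64 hex chars, optionally 0x-prefixed: an EVM private key. A SHA-256 digest
    # has the same shape, so CRITICAL hits still need a human look before rotation.
    ("evm_private_key", "CRITICAL", re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")),
    ("pem_private_key", "CRITICAL",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("cloudflare_credential", "HIGH",
     re.compile(r"\b(?:CF|CLOUDFLARE)_[A-Z_]*(?:TOKEN|KEY)\s*[:=]\s*['\"`]?([A-Za-z0-9_\-]{30,})")),
    ("password_assignment", "HIGH",
     re.compile(r"\b[A-Z_]*PASSWORD\s*[:=]\s*['\"`]?([^\s'\"`]{6,})", re.I)),
    ("jwt_secret", "MEDIUM",
     re.compile(r"\bJWT_SECRET\s*[:=]\s*['\"`]?([^\s'\"`]{8,})", re.I)),
    ("generic_api_key", "MEDIUM",
     re.compile(r"\b[A-Z_]*API_KEY\s*[:=]\s*['\"`]?([^\s'\"`]{16,})", re.I)),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    severity: str
    value: str


def is_placeholder(value: str) -> bool:
    """Skip values that are indirections or examples rather than secrets:
    $VAR, ${VAR}, $(vault ...), <your-token>, {{ template }}, [REDACTED]."""
    v = value.strip("`'\"")
    if v.startswith(("$", "<", "[REDACTED]", "{{")):
        return True
    low = v.lower()
    return low in {"changeme", "password", "example", "placeholder"} or low.startswith("your")


def scan_text(path: str, text: str) -> list:
    """One Finding per offending line, classified by the most severe matching pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, severity, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if not is_placeholder(value):
                findings.append(Finding(path, line_no, kind, severity, value))
            break
    return findings


def scan_files(files: dict) -> list:
    """files maps path -> text (read from disk in a real run)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings: list) -> dict:
    """Counts per severity, in the shape of the report's Risk Assessment table."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def redact_text(text: str, findings: list) -> str:
    """Documentation cleanup: replace each detected value with [REDACTED]."""
    lines = text.splitlines(keepends=True)
    for f in findings:
        lines[f.line_no - 1] = lines[f.line_no - 1].replace(f.value, "[REDACTED]")
    return "".join(lines)


# Constructed sample inputs; not the audited repository's files or values.
SAMPLE_FILES = {
    "scripts/example-dns.sh": (
        "#!/bin/bash\n"
        'CLOUDFLARE_API_TOKEN="cfEXAMPLE_0123456789abcdefghijklmnopqrstuvwxyz"\n'
        "NPM_PASSWORD=$(vault kv get -field=password secret/npm)   # already via Vault\n"
    ),
    "example-service/.env": (
        "RPC_URL=http://127.0.0.1:8545\n"
        "DEPLOYER_PRIVATE_KEY=0x" + "0123456789abcdef" * 4 + "\n"
    ),
    "docs/example-setup.md": (
        "Login with the admin password: `Sup3rSecretPass!`\n"
        "JWT_SECRET=<your-jwt-secret>\n"
    ),
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.severity:8} {f.path}:{f.line_no} {f.kind}")
    print(summarize(found))
```

Run against the constructed inputs it reports one CRITICAL (the private key in the `.env`) and two HIGH findings (the Cloudflare token in the script and the password in the markdown), while the `$(vault ...)` reference and the `<your-jwt-secret>` placeholder are left alone, which is the state the migration plan aims for.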
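The Monitoring recommendation (set up secret access monitoring, alert on unauthorized access) can be built on Vault's audit log, where each request and its response are logged as one JSON object per line; Vault HMACs token values in those entries but leaves `request.path`, `auth.policies` and `request.remote_address` readable. The Python detector below is an added example, not part of this audit: it assumes the file audit device's top-level `type`, `auth`, `request` and `error` fields, and the path prefixes, policy names, networks and log lines are constructed for the example.

```python
"""Alert on unexpected access to sensitive Vault paths from audit-log lines.

Added example for the Monitoring recommendation; not part of this audit.
Assumes Vault file-audit-device entries with type/auth/request/error fields.
Path prefixes, policy names, networks and sample lines are constructed.
"""
import ipaddress
import json
from dataclasses import dataclass

# Hypothetical allow-list: which policies and source networks may touch each prefix.
SENSITIVE_PATHS = {
    "secret/data/besu/": {"policies": {"besu-signer"}, "networks": ["10.10.0.0/24"]},
    "secret/data/cloudflare/": {"policies": {"dns-automation"},
                                "networks": ["10.10.0.0/24", "10.20.0.0/24"]},
}

REASON_DENIED = "request denied by Vault"
REASON_ROOT = "root token used for secret access"
REASON_POLICY = "access without an approved policy"
REASON_NETWORK = "access from an unapproved network"


@dataclass(frozen=True)
class Alert:
    time: str
    reason: str
    path: str
    actor: str
    remote: str


def _rule_for(path: str):
    for prefix, rule in SENSITIVE_PATHS.items():
        if path.startswith(prefix):
            return rule
    return None


def _in_networks(addr: str, networks: list) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # missing or malformed address counts as unapproved
    return any(ip in ipaddress.ip_network(n) for n in networks)


def evaluate_entry(entry: dict):
    """Return an Alert for one audit entry, or None for expected traffic."""
    if entry.get("type") != "response":
        return None  # every call logs a request and a response entry; judge once
    req = entry.get("request") or {}
    path = req.get("path", "")
    rule = _rule_for(path)
    if rule is None:
        return None
    auth = entry.get("auth") or {}
    actor = auth.get("display_name", "unknown")
    remote = req.get("remote_address", "")
    policies = set(auth.get("policies") or [])
    when = entry.get("time", "")
    if entry.get("error"):
        # Vault already refused it; the failed attempt itself is the signal.
        return Alert(when, REASON_DENIED, path, actor, remote)
    if "root" in policies:
        return Alert(when, REASON_ROOT, path, actor, remote)
    if not (policies & rule["policies"]):
        # Vault allowed it, so some policy outside the approved set grants access:
        # policy drift, which a permission-denied check would never surface.
        return Alert(when, REASON_POLICY, path, actor, remote)
    if not _in_networks(remote, rule["networks"]):
        return Alert(when, REASON_NETWORK, path, actor, remote)
    return None


def detect(lines) -> list:
    """Parse JSON audit lines, skipping blanks and malformed lines, and collect alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = evaluate_entry(entry)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample audit lines (token fields omitted; Vault would HMAC them).
SAMPLE_AUDIT_LOG = """
{"time":"2025-01-27T09:00:01Z","type":"request","auth":{"display_name":"approle-besu","policies":["default","besu-signer"]},"request":{"operation":"read","path":"secret/data/besu/deployer","remote_address":"10.10.0.7"}}
{"time":"2025-01-27T09:00:01Z","type":"response","auth":{"display_name":"approle-besu","policies":["default","besu-signer"]},"request":{"operation":"read","path":"secret/data/besu/deployer","remote_address":"10.10.0.7"},"error":""}
{"time":"2025-01-27T09:05:12Z","type":"response","auth":{"display_name":"token-ci-runner","policies":["default","legacy-admin"]},"request":{"operation":"read","path":"secret/data/besu/deployer","remote_address":"10.10.0.7"},"error":""}
{"time":"2025-01-27T09:07:40Z","type":"response","auth":{"display_name":"approle-dns","policies":["default","dns-automation"]},"request":{"operation":"read","path":"secret/data/cloudflare/api","remote_address":"203.0.113.9"},"error":""}
{"time":"2025-01-27T09:09:03Z","type":"response","auth":{"display_name":"token-ci-runner","policies":["default"]},"request":{"operation":"read","path":"secret/data/besu/deployer","remote_address":"10.10.0.7"},"error":"permission denied"}
{"time":"2025-01-27T09:15:00Z","type":"response","auth":{"display_name":"root","policies":["root"]},"request":{"operation":"read","path":"secret/data/besu/deployer","remote_address":"10.10.0.7"},"error":""}
{"time":"2025-01-27T09:20:00Z","type":"response","auth":{"display_name":"approle-web","policies":["default","web"]},"request":{"operation":"read","path":"secret/data/web/session","remote_address":"10.20.0.3"},"error":""}
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"{a.time} {a.reason}: {a.actor} -> {a.path} from {a.remote}")
```

Of the seven constructed lines, the signer's own read is accepted and the web service's read of a non-sensitive path is ignored; the other four produce alerts for a policy outside the approved set, an unapproved source network, a denied attempt, and a root token reading the deployer key. In production the same `detect` would be fed by a log shipper tailing the audit file, with `SENSITIVE_PATHS` maintained alongside the Vault policies it mirrors.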