proxmox/docs/04-configuration/SECURITY_AUDIT_REPORT.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


# Security Audit Report - Secrets Management
**Last Updated:** 2026-01-31
**Document Version:** 1.0
**Status:** Active Documentation
---
**Date:** 2025-01-27
**Status:** ✅ Audit Complete
**Auditor:** Automated Security Scan
**Scope:** All secrets across `/home/intlc/projects` directory
---
## Executive Summary
A comprehensive security audit was conducted to identify all secrets, assess their current storage methods, and provide recommendations for secure HSM Key Vault migration.
### Key Findings
- **Total Secrets Identified:** 50+ unique secrets
- **Critical Issues:** 6 private keys exposed in files
- **High Priority Issues:** 15 API tokens and passwords
- **Medium Priority Issues:** 20 service keys and configuration secrets
- **Backup Files with Secrets:** 3 files identified and secured
### Risk Assessment
| Risk Level | Count | Description |
|-----------|-------|-------------|
| 🔴 **CRITICAL** | 6 | Private keys exposed in .env files |
| 🟠 **HIGH** | 15 | API tokens, passwords in files/scripts |
| 🟡 **MEDIUM** | 20 | Service keys, JWT secrets |
| 🟢 **LOW** | 10+ | Configuration values, public identifiers |
---
## Detailed Findings
### 🔴 CRITICAL: Private Keys Exposed
**Issue:** Private keys found in multiple `.env` files and documentation
**Locations:**
1. `proxmox/smom-dbis-138/.env` - Deployer private key
2. `no_five/.env` - Private key (same as deployer)
3. `237-combo/.env` - Different private key
4. `loc_az_hci/smom-dbis-138/.env` - Deployer private key
5. `proxmox/smom-dbis-138/services/*/.env` - Multiple service files
6. `docs/06-besu/T1_2_CREDENTIALS_VERIFIED.md` - Documented in markdown
**Risk:**
- Complete compromise of blockchain accounts
- Unauthorized transaction signing
- Financial loss
- Reputation damage
**Recommendation:**
- **IMMEDIATE:** Move all private keys to HSM
- Never export private keys from HSM
- Use HSM for all cryptographic operations
- Rotate keys if exposure is suspected
**Status:** ⚠️ Requires immediate action
---
### 🟠 HIGH: API Tokens and Passwords
#### Cloudflare API Credentials
**Issue:** Multiple Cloudflare API tokens and keys found in files
**Locations:**
- `proxmox/.env` - API key and tunnel token
- `loc_az_hci/.env` - API key
- `loc_az_hci/smom-dbis-138/.env` - API token
- `scripts/fix-certbot-dns-propagation.sh` - Hardcoded token
- `scripts/install-shared-tunnel-token.sh` - Hardcoded tunnel token
**Risk:**
- Unauthorized DNS modifications
- Unauthorized SSL certificate issuance
- Tunnel configuration changes
- Account compromise
**Recommendation:**
- Migrate to Vault immediately
- Use API tokens (not global API key)
- Implement token rotation
- Limit token permissions
**Status:** ⚠️ High priority migration
---
#### NPM (Nginx Proxy Manager) Credentials
**Issue:** Passwords hardcoded in scripts
**Locations:**
- `scripts/create-npmplus-proxy.sh` - Hardcoded password hash
- `scripts/nginx-proxy-manager/update-npmplus-proxy-hosts-api.sh` - Hardcoded password
- `proxmox/.env` - Plain text password
**Risk:**
- Unauthorized proxy configuration
- Unauthorized SSL certificate management
- Domain routing changes
**Recommendation:**
- Move to Vault
- Use API tokens instead of passwords
- Implement password rotation
**Status:** ⚠️ High priority migration
---
#### Database Credentials
**Issue:** Database passwords in connection strings
**Locations:**
- `dbis_core/.env` - DATABASE_URL with embedded password
- `explorer-monorepo/.env` - Database credentials
**Risk:**
- Unauthorized database access
- Data breach
- Data manipulation
**Recommendation:**
- Use Vault database secrets engine
- Implement dynamic credentials
- Separate password from connection string
**Status:** ⚠️ High priority migration
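The three recommendations above (Vault database secrets engine, dynamic credentials, password separated from the connection string) share one application-side pattern: the DSN is assembled at runtime from a secret delivered by Vault, and is never logged whole. The Python below is an added example, not code from the repository or this report; the variable names `DB_USER`, `DB_HOST`, `DB_PORT`, `DB_NAME` and `DB_PASSWORD` are assumed, and the password is expected to arrive in the process environment via Vault Agent (or a comparable sidecar) rather than being read from a `.env` file. It does not perform the Vault API call itself; a dynamic credential issued by the database secrets engine would be delivered and consumed the same way.

```python
import os
from urllib.parse import quote, urlsplit, urlunsplit

REDACTED = "[REDACTED]"


class MissingSecretError(RuntimeError):
    """A required secret is absent. Fail closed rather than connect with an empty password."""


def get_secret(name, environ=None):
    """Read a secret from the process environment, where Vault Agent (or a comparable
    sidecar) has rendered it at start-up. `environ` is overridable for tests only."""
    env = os.environ if environ is None else environ
    value = env.get(name)
    if not value:
        raise MissingSecretError(f"required secret {name} is not set")
    return value


def build_database_url(user, host, port, database, password):
    """Assemble the DSN at runtime so the password is never stored alongside the
    connection string. quote() keeps '@', '/' or ':' in the password from breaking the URL."""
    return f"postgresql://{quote(user, safe='')}:{quote(password, safe='')}@{host}:{port}/{database}"


def database_url_from_env(environ=None):
    """Non-secret connection details come from ordinary config variables (assumed
    names DB_USER, DB_HOST, DB_PORT, DB_NAME); only DB_PASSWORD is treated as a secret."""
    env = os.environ if environ is None else environ
    return build_database_url(
        user=env.get("DB_USER", "dbis"),
        host=env.get("DB_HOST", "localhost"),
        port=int(env.get("DB_PORT", "5432")),
        database=env.get("DB_NAME", "dbis"),
        password=get_secret("DB_PASSWORD", env),
    )


def redact_database_url(url):
    """Strip the password before a DSN is logged, printed or pasted into documentation."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username or ''}:{REDACTED}@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed environment for a stand-alone run; the password value is fabricated.
    demo_env = {"DB_USER": "dbis", "DB_HOST": "db.internal", "DB_PORT": "5432",
                "DB_NAME": "dbis", "DB_PASSWORD": "p@ss/w0rd"}
    dsn = database_url_from_env(demo_env)
    print("connecting with", redact_database_url(dsn))
```

Keeping `DB_PASSWORD` as the only secret input is what makes rotation cheap: Vault Agent re-renders one variable and the application rebuilds the DSN on restart, while the non-secret parts stay in ordinary, committable configuration.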
---
### 🟡 MEDIUM: Service Keys and JWT Secrets
**Issue:** Various service API keys and JWT secrets
**Locations:**
- UniFi API keys in documentation
- Omada API keys in .env files
- JWT secrets in templates
- Third-party API keys
**Risk:**
- Service compromise
- Unauthorized API access
- Session hijacking (JWT)
**Recommendation:**
- Migrate to Vault
- Implement key rotation
- Use environment-specific secrets
**Status:** ⚠️ Medium priority migration
---
## Backup Files Security
### Findings
**Backup Files with Secrets:**
1. `smom-dbis-138/.env.backup` - Contains Cloudflare API token
2. `smom-dbis-138/.env.backup.20251225_092319` - Contains private key and API token
3. `loc_az_hci/smom-dbis-138/.env.backup` - Contains API token
**Status:** ✅ Secured
- Files moved to secure location: `~/.secure-secrets-backups/`
- All backup files properly ignored in .gitignore
- Recommendation: Encrypt backups or delete if no longer needed
---
## .gitignore Coverage
### Status: ✅ COMPLETE
**Verification Results:**
- All `.env` files properly ignored
- Backup file patterns in .gitignore
- No secrets at risk of accidental commit
**Coverage:**
- Root `.gitignore` includes `.env` patterns
- Service-specific `.gitignore` files properly configured
- Backup file patterns: `*.env.backup`, `.env.backup.*`
---
## Hardcoded Secrets in Scripts
### Findings
**Scripts with Hardcoded Secrets:**
1. `scripts/create-npmplus-proxy.sh` - NPM password
2. `scripts/fix-certbot-dns-propagation.sh` - Cloudflare token
3. `scripts/install-shared-tunnel-token.sh` - Tunnel token
4. `scripts/obtain-all-ssl-certificates.sh` - Cloudflare token
5. `scripts/configure-all-cloudflare-dns.sh` - Cloudflare token
6. `scripts/test-cloudflare-permissions.sh` - Cloudflare token
7. `scripts/nginx-proxy-manager/*.sh` - NPM credentials
**Risk:**
- Secrets in version control
- Accidental exposure
- Difficult to rotate
**Recommendation:**
- Replace with Vault API calls
- Use environment variables from Vault Agent
- Remove hardcoded values
**Status:** ⚠️ Requires script updates
---
## Secrets in Documentation
### Findings
**Documentation Files with Secrets:**
1. `docs/06-besu/T1_2_CREDENTIALS_VERIFIED.md` - Private key
2. `docs/06-besu/T1_2_CREDENTIALS_STATUS.md` - Private key references
3. `docs/04-configuration/UDM_PRO_API_LIMITATIONS.md` - UniFi API key
4. `docs/04-configuration/NGINX_PROXY_MANAGER_COMPLETE_SETUP.md` - Passwords
**Risk:**
- Public exposure if docs are shared
- Accidental disclosure
- Historical record of secrets
**Recommendation:**
- Replace with placeholders
- Remove actual secret values
- Use `[REDACTED]` for examples
- Document secret locations in secure docs only
**Status:** ⚠️ Requires documentation cleanup
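The checks in the three sections above (.gitignore coverage, hardcoded secrets in scripts, and placeholder-based documentation cleanup) can be automated in one pass. The Python below is an added example, not part of this report or the repository's tooling; the file paths and contents in `SAMPLE_FILES` are constructed samples modelled on the findings, with fabricated values, and the ignore patterns are the ones listed in the .gitignore coverage section. It detects the three secret shapes the report describes (0x-prefixed 32-byte private keys, credential-like `KEY=VALUE` assignments in `.env` and shell files, passwords embedded in connection-string URLs), flags files that the ignore patterns would not keep out of version control, and produces a redacted copy with `[REDACTED]` in place of each value.

```python
import re
from fnmatch import fnmatch
from pathlib import PurePosixPath

REDACTED = "[REDACTED]"

# Ignore patterns taken from the report's .gitignore coverage section.
IGNORE_PATTERNS = [".env", "*.env.backup", ".env.backup.*"]

# Heuristic detectors for the shapes the report describes, not a complete secret
# taxonomy: 32-byte hex private keys, KEY=VALUE assignments with a credential-like
# name (optionally after `export`), and user:password@ inside URLs.
PRIVATE_KEY_RE = re.compile(r"0x[0-9a-fA-F]{64}")
CREDENTIAL_ASSIGNMENT_RE = re.compile(
    r"^\s*(?:export\s+)?(?P<key>[A-Za-z_][A-Za-z0-9_]*(?:TOKEN|KEY|SECRET|PASSWORD|PASS)[A-Za-z0-9_]*)"
    r"=\s*[\"']?(?P<value>[^\"'\s]+)"
)
URL_PASSWORD_RE = re.compile(r"(?P<prefix>[a-z][a-z0-9+.-]*://[^:/@\s]+:)(?P<password>[^@\s]+)@")


def is_placeholder(value):
    """Values that are already safe: shell/Vault references, [REDACTED], <angle> placeholders."""
    return value.startswith("$") or value == REDACTED or (value.startswith("<") and value.endswith(">"))


def is_ignored(path, patterns=IGNORE_PATTERNS):
    """Simplified model of git's ignore matching: basename against each pattern, with no
    negation or directory-anchored rules. Sufficient for the patterns the report lists."""
    name = PurePosixPath(path).name
    return any(fnmatch(name, pattern) for pattern in patterns)


def find_secrets(text):
    """Return (kind, line_number) findings. The secret value itself is never returned,
    so scan output can go into a ticket or log without becoming a new leak."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY_RE.search(line):
            findings.append(("private_key", lineno))
        elif URL_PASSWORD_RE.search(line):
            findings.append(("url_embedded_password", lineno))
        else:
            match = CREDENTIAL_ASSIGNMENT_RE.match(line)
            if match and not is_placeholder(match.group("value")):
                findings.append(("credential_assignment", lineno))
    return findings


def redact(text):
    """Replace secret values with [REDACTED] while keeping key names and URL structure,
    which is what turns a leaked doc or script into a usable example."""
    out = []
    for line in text.splitlines():
        line = PRIVATE_KEY_RE.sub(REDACTED, line)
        line = URL_PASSWORD_RE.sub(lambda m: m.group("prefix") + REDACTED + "@", line)
        match = CREDENTIAL_ASSIGNMENT_RE.match(line)
        if match and not is_placeholder(match.group("value")):
            line = line[: match.start("value")] + REDACTED + line[match.end("value"):]
        out.append(line)
    return "\n".join(out)


def audit(files):
    """files maps path -> content. A file is reported when it holds a secret; 'ignored'
    says whether the ignore patterns would keep it out of version control."""
    return [
        {"path": path, "findings": hits, "ignored": is_ignored(path)}
        for path, content in files.items()
        if (hits := find_secrets(content))
    ]


# Constructed sample inputs modelled on the report's findings; every value is fabricated.
SAMPLE_FILES = {
    "proxmox/smom-dbis-138/.env": "RPC_URL=http://localhost:8545\nPRIVATE_KEY=0x" + "ab" * 32 + "\n",
    "scripts/fix-certbot-dns-propagation.sh": '#!/bin/bash\nexport CF_API_TOKEN="cf-token-EXAMPLE-not-real"\ncertbot renew\n',
    "dbis_core/.env": "DATABASE_URL=postgres://dbis:S3cretExample@db.internal:5432/dbis\n",
    "docs/06-besu/T1_2_CREDENTIALS_VERIFIED.md": "Deployer key: 0x" + "cd" * 32 + "\n",
    "scripts/hardened.sh": 'export CF_API_TOKEN="${CF_API_TOKEN}"\n',
}

if __name__ == "__main__":
    for entry in audit(SAMPLE_FILES):
        status = "ignored" if entry["ignored"] else "TRACKED BY GIT"
        print(f"{entry['path']}: {entry['findings']} ({status})")
    print(redact(SAMPLE_FILES["dbis_core/.env"]))
```

Run against a checkout, the `ignored` flag separates the two classes of finding the report distinguishes: `.env` files that the ignore rules already keep out of history, and scripts and Markdown that do not match any pattern and therefore carry their secrets into version control. The `hardened.sh` sample shows the target state for scripts, where the variable is a reference that Vault Agent populates rather than a literal.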
---
## Compliance and Best Practices
### Current State
✅ **Good Practices:**
- .gitignore properly configured
- Backup files identified and secured
- Comprehensive inventory created
- Migration plan documented
⚠️ **Areas for Improvement:**
- Private keys in files (should be in HSM)
- Hardcoded secrets in scripts
- Secrets in documentation
- No centralized secrets management
- No secret rotation procedures
---
## Recommendations
### Immediate Actions (Week 1)
1. **Secure Private Keys**
- Move all private keys to HSM immediately
- Never export from HSM
- Verify no keys in version control
2. **Remove Hardcoded Secrets**
- Update all scripts to use Vault
- Remove hardcoded values
- Test script functionality
3. **Clean Documentation**
- Replace secrets with placeholders
- Remove actual values from docs
- Update examples
### Short-Term (Week 2-4)
1. **HSM Key Vault Setup**
- Select and configure HSM solution
- Install HashiCorp Vault
- Migrate critical secrets
2. **Script Updates**
- Update all scripts for Vault integration
- Implement Vault Agent where applicable
- Test all automation
3. **Access Control**
- Define Vault policies
- Implement RBAC
- Set up audit logging
### Medium-Term (Month 2-3)
1. **Complete Migration**
- Migrate all secrets to Vault
- Remove secrets from .env files
- Update all applications
2. **Secret Rotation**
- Implement rotation procedures
- Automate where possible
- Document rotation schedule
3. **Monitoring**
- Set up secret access monitoring
- Alert on unauthorized access
- Regular security audits
---
## Security Metrics
### Before Migration
- **Secrets in Files:** 50+
- **Hardcoded Secrets:** 10+
- **Secrets in Docs:** 5+
- **Backup Files:** 3
- **Private Keys Exposed:** 6
### Target State (After Migration)
- **Secrets in Files:** 0
- **Hardcoded Secrets:** 0
- **Secrets in Docs:** 0 (placeholders only)
- **Backup Files:** 0 (or encrypted)
- **Private Keys Exposed:** 0 (all in HSM)
---
## Risk Mitigation
### Current Risks
1. **Private Key Exposure**
- **Mitigation:** Immediate HSM migration
- **Timeline:** Week 1-2
2. **API Token Compromise**
- **Mitigation:** Vault migration, token rotation
- **Timeline:** Week 2-4
3. **Hardcoded Secrets**
- **Mitigation:** Script updates, Vault integration
- **Timeline:** Week 3-4
4. **Documentation Exposure**
- **Mitigation:** Documentation cleanup
- **Timeline:** Week 1
---
## Compliance Status
### Security Standards
- ✅ **.gitignore Coverage:** Complete
- ⚠️ **Secret Storage:** Needs HSM migration
- ⚠️ **Access Control:** Needs Vault policies
- ⚠️ **Audit Logging:** Needs implementation
- ⚠️ **Secret Rotation:** Needs procedures
### Best Practices
- ✅ Secrets inventory documented
- ✅ Migration plan created
- ⚠️ HSM implementation pending
- ⚠️ Secret rotation pending
- ⚠️ Monitoring pending
---
## Next Steps
1. **Immediate (This Week)**
- [ ] Review this audit report
- [ ] Clean up documentation secrets
- [ ] Begin HSM selection
2. **Short-Term (Week 2-4)**
- [ ] Set up HSM and Vault
- [ ] Migrate critical secrets
- [ ] Update scripts
3. **Medium-Term (Month 2-3)**
- [ ] Complete migration
- [ ] Implement rotation
- [ ] Set up monitoring
---
## Related Documentation
- [Master Secrets Inventory](MASTER_SECRETS_INVENTORY.md)
- [Secrets Migration Summary](SECRETS_MIGRATION_SUMMARY.md)
- [Secrets Quick Reference](SECRETS_QUICK_REFERENCE.md)
- [Secret Usage Patterns](SECRET_USAGE_PATTERNS.md)
---
**Last Updated:** 2025-01-27
**Status:** ✅ Audit Complete
**Next Review:** After HSM migration