The secrets engine creates a socket / pipe for its API. Clients can query the secrets engine through the socket/pipe, but unfortunately it's not secure.
To understand the problem, let's break it up into two parts:
- The connection between the client and the server is not encrypted, meaning anyone can listen in.
- Any application can connect to the secrets engine socket; there is no policy management on the socket itself.
We need to accommodate both use cases (to some extent). It might not be feasible to have a completely locked down socket, but precautions could be taken to provide as much security as possible.
Limitations:
- Linux / Windows do not scope their keychain secrets to a policy (e.g. only accessible by these application groups)
- The deployment environment might not follow security best practices (e.g. no password on login etc.)
- Untrusted applications are run as root
- The underlying store has weak encryption or a weak key (which we might not have control over).
- More security means clients need to become smarter; simple curl requests might not work anymore.
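One precaution against the "any application can connect" point above, as an added example that is not the project's own code: bind the socket with owner-only permissions and then enforce a per-connection policy from the peer's kernel-reported credentials. It assumes Linux (`SO_PEERCRED` is Linux-specific) and a hypothetical socket name `secrets-engine.sock`; it does not address the unencrypted-transport point.

```python
import os
import socket
import stat
import struct
import tempfile


def create_private_socket(path):
    """Bind a listening AF_UNIX socket that only the owning user can open.

    A restrictive umask is set before bind() so there is no window in which
    another local user could connect before the mode is tightened.
    """
    if os.path.exists(path):
        os.unlink(path)
    old_umask = os.umask(0o177)  # bind() then creates the socket file as 0600
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # re-assert 0600 explicitly
    srv.listen(5)
    return srv


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end of an AF_UNIX
    connection, as reported by the kernel (Linux SO_PEERCRED, struct ucred)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def is_authorized(conn, allowed_uids):
    """Per-connection policy: accept only when the peer runs as an allowed uid.
    The caller should close the connection when this returns False."""
    _pid, uid, _gid = peer_credentials(conn)
    return uid in allowed_uids


def demo():
    """Exercise both checks in-process (constructed scenario, no real clients)."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    me = os.getuid()
    results = {
        "self_allowed": is_authorized(a, {me}),
        "other_uid_denied": not is_authorized(a, {me + 1}),
        "peer_pid_matches": peer_credentials(b)[0] == os.getpid(),
    }
    a.close()
    b.close()
    path = os.path.join(tempfile.mkdtemp(), "secrets-engine.sock")  # hypothetical name
    srv = create_private_socket(path)
    results["socket_mode_0600"] = stat.S_IMODE(os.stat(path).st_mode) == 0o600
    srv.close()
    os.unlink(path)
    return results
```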