@dansup
Even the S3 portal UI will only show you the secret once (on creation of the API key). Compromising that key leaves all your files open to leakage or deletion, so I'm very cautious in storing it in a redis cache unencrypted.
🌈 BarbaPulpe 😇 ᴹᵃˢᵗᵒᵈᵒⁿ (barbapulpe@gayfr.social)'s status on Thursday, 14-Mar-2024 20:09:44 JST
🌈 BarbaPulpe 😇 ᴹᵃˢᵗᵒᵈᵒⁿ (barbapulpe@gayfr.social)'s status on Thursday, 14-Mar-2024 20:09:45 JST
@dansup
Do we actually need the ability to edit S3 keys? This is a very rare task and multiplying the key storage to several locations does not seem good for security, to enable a task which does not need to be done from the UI in my opinion.
Andy (pixel@desu.social)'s status on Thursday, 14-Mar-2024 20:10:39 JST
@dansup you should have stopped after the first line.
just having storage credentials in ENV is enough, they never really need to be in the database.
🌈 BarbaPulpe 😇 ᴹᵃˢᵗᵒᵈᵒⁿ (barbapulpe@gayfr.social)'s status on Thursday, 14-Mar-2024 20:14:26 JST
@dansup
I'm more worried about an exploit on a user (pixel, www-data) which is in the redis group.