Configure secrets management
A secret is sensitive data that needs to be encrypted and, optionally, decrypted. Passwords, tokens, and keys used to access resources such as databases and identity providers are examples of secrets. Semarchy xDM stores secrets in its configuration and lets you configure how they are managed and encrypted.
Overview
There are two main types of secrets in Semarchy xDM: hashed secrets and encrypted secrets.
Hashed secrets
Hashed secrets are stored in Semarchy xDM and cannot be decrypted, because hashing is a one-way mechanism. For passwords, for example, Semarchy hashes the password that a user enters and compares the result with the stored hash; nothing is ever decrypted.
Hashed secrets are created, managed, and stored in Semarchy xDM.
Hashed secrets include the API keys and the passwords of the users defined for the Internal Identity Provider.
Encrypted secrets
Encrypted secrets are stored in encrypted form and are decrypted only when Semarchy xDM needs to use them. They may be:
- Stored encrypted in Semarchy xDM.
  - Internally stored secrets are created and managed in Semarchy xDM.
  - They are encrypted with a Key Management Service (KMS), using, for example, a key local to the Semarchy server or a third-party system such as AWS Key Management Service, Azure Key Vault, or Google Cloud Key Management.
- Stored encrypted in a third-party Secrets Manager (for example, AWS Secrets Manager, Azure Key Vault, or Google Cloud Secret Manager) and referenced from Semarchy.
  - Externally stored secrets are not managed in Semarchy xDM. They are created or updated in the third-party Secrets Manager (for example, in the AWS Secrets Manager user interface).
  - These secrets are retrieved from the Secrets Manager when needed. In Semarchy you define only the reference to the secret's location, not the secret itself.
Encrypted secrets in Semarchy xDM include:
- Credentials for Notification Servers.
- Credentials to connect to non-repository Datasources.
- Credentials and encryption keys to authenticate to and encrypt exchanges with Identity Providers.
Configuring secrets management
Hashed secrets
You cannot configure the encryption of the hashed secrets. They use predefined hashing algorithms:
- API keys are hashed using the SHA-256 algorithm, which provides the best balance between security and performance.
- The passwords of the users defined for the Internal Identity Provider are hashed using the Bcrypt algorithm, according to the OWASP recommendations.
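As an added illustration of the hashed-secret model described in the Overview and in this section (example code, not Semarchy's own implementation), the store below keeps only one-way hashes: API keys under SHA-256 as stated above, and user passwords under a slow, salted key-derivation function. Standard-library scrypt stands in for Bcrypt here because Bcrypt is not in the Python standard library; the class and method names are assumed.

```python
import hashlib
import hmac
import os
import secrets


class HashedSecretStore:
    """Hypothetical store that never keeps a secret in recoverable form."""

    def __init__(self):
        self._api_keys = {}   # SHA-256 hex digest of the key -> key owner
        self._passwords = {}  # username -> (salt, scrypt digest)

    def register_api_key(self, owner):
        """Generate a random API key, keep only its SHA-256 hash, hand the key out once."""
        key = secrets.token_urlsafe(32)
        # A high-entropy random key cannot be guessed by brute force, so a fast
        # hash such as SHA-256 is adequate; it is the key's own entropy that protects it.
        self._api_keys[hashlib.sha256(key.encode()).hexdigest()] = owner
        return key

    def lookup_api_key(self, presented):
        """Resolve a presented key to its owner by hashing it; unknown keys yield None."""
        digest = hashlib.sha256(presented.encode()).hexdigest()
        return self._api_keys.get(digest)

    @staticmethod
    def _kdf(password, salt):
        # Passwords are low-entropy, so a deliberately slow, salted KDF is needed
        # (scrypt here as a stand-in for the Bcrypt the page names).
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

    def set_password(self, user, password):
        """Store a fresh per-user salt and the derived digest; the password itself is discarded."""
        salt = os.urandom(16)
        self._passwords[user] = (salt, self._kdf(password, salt))

    def verify_password(self, user, password):
        """Re-derive from the stored salt and compare in constant time; nothing is decrypted."""
        entry = self._passwords.get(user)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, self._kdf(password, salt))
```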
Encrypted secrets
Semarchy xDM comes with a default KMS for encrypting secrets, labelled Insecure. This KMS provides encryption capabilities at installation time using a default built-in key. You can configure stronger encryption in your environments.
For the encrypted secrets, you can configure:
- Key Management Services (KMS) to encrypt and decrypt the secrets stored in Semarchy xDM.
- External Secrets Managers to store secrets. These secrets are referenced from Semarchy xDM.