Skip to content

Credential encryption key stored as plaintext env var without rotation #267

Description

@vybe

CSO Audit Finding #3 — 2026-04-05

Severity: HIGH | Confidence: 8/10 | Status: VERIFIED
Category: Secrets Management (A02 — Cryptographic Failures)
Phase: P5 — Infrastructure Shadow Surface

Description

The AES-256-GCM encryption key used for all .credentials.enc files is passed as a plaintext environment variable (CREDENTIAL_ENCRYPTION_KEY) in docker-compose.yml. This key encrypts/decrypts credentials for ALL agents on the platform.

Issues:

  1. Visible in docker inspect output
  2. Visible in process listings (/proc/*/environ)
  3. No key rotation mechanism exists
  4. Single key for all agents — if compromised, all encrypted credentials are exposed

Exploit Scenario

Attacker with read access to any backend container process listing (e.g., via container escape or compromised monitoring agent) extracts CREDENTIAL_ENCRYPTION_KEY → decrypts all agent .credentials.enc backup files.

Remediation

Short-term:

  • Document key rotation procedure (generate new key, re-encrypt all .credentials.enc files)
  • Restrict container process environment visibility

Medium-term:

  • Migrate to Docker secrets (Swarm mode) or external secret manager (HashiCorp Vault, AWS Secrets Manager)
  • Consider per-agent encryption keys derived from a master key

Estimated effort: 1-2 days

References

  • CSO report: docs/security-reports/cso-2026-04-05.md
  • Prior finding: C-001 in docs/security-reports/security-analysis-2026-03-09.md (related — API exposure was fixed, but storage concern remains)

Metadata

Metadata

Assignees

Labels

complexity-lowComplexity: low (board points 1-3)priority-p1Critical pathsecuritySecurity vulnerabilityseverity-highHigh severity security findingstatus-in-devMerged to dev, awaiting release cut to maintheme-securityTheme: Securitytype-featureNew functionality

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions