Secrets - Encrypt/Decrypt functionality

[jifox]

I took a closer look at the new Secrets Functionality.

In my opinion there should be a general functionality within Nautobot that allows encryption and decryption in a standard way.

This could be used to store sensitive information like e.g. access-credentials for an external password-safe like Thycotic Secret-Server in Nautobot.

It would be nice to have forms.fields for text and password data that utilizes this en-/decryption functionality automatically.

To be most flexible with defining the encryption key, i'll suggest to use a environment variable that will point to an existing file that keeps the actual encryption key or if the file does not exist using the value as encryption key
My suggestion will be to define an environment variable NAUTOBOT_SECRETS_ENCRYPTION_KEY_OR_FILENAME that:

• Points to a file where the key is stored (if file exists)
• contains the encryption key i(f defined and file not exists)
• could be initialized with NAUTOBOT_SECRET_KEY if not defined.

This will allow to:

• mount the key-file using docker-compose volumes:
• Using docker swarm secrets (that will be automatically mounted as files)
• Specifying the key as environment variable (12 factor app)

The implementation could utilize aes512 encryption libraries like pycryptodomex.

Whats your thoughts?

[glennmatthews]

Thanks for starting the discussion!

Broadly speaking, a major factor in the design of the current Secrets functionality (#868) was to avoid storing any sensitive/encrypted data in Nautobot itself. Our storage of encrypted Git tokens using django-cryptography has been a recurrent source of bugs and usability issues, and last I looked there weren't any better off-the-shelf solutions for storing encrypted data in Django (happy to be proven wrong on this point, though!).

As a counterpart to the existing secrets "read" functionality (generic API for retrieving an existing stored value from Hashicorp Vault, AWS Secrets Manager, etc.), we considered a corresponding "write" feature (generic API for creating/updating a stored value in any given backend) but felt, at least for now, that definition and management of secrets should be done in the actual system responsible for storing them, rather than being proxied through Nautobot.

[jifox]

You're right, Secrets should be managed outside of Nautobot (Hashicorp Vault etc.) But you'll need to store the credentials to access this Secret Servers somehow.

Of course everyone could implement the aes512 encryption/decryption by himself but having a standard functionality provided within Nautobot, will ease the development and avoid implementation errors.

What are your suggestions how manage multiple credentials to access a secret provider (like Hashicorp vault - for testing, Thycotic on-prem for production, ...) in a relatively secure manner?