Lockers

The Locker mechanism introduces an innovative and robust approach to securely deliver secrets to VMs. Users can effortlessly create a locker, deposit their secrets within it, and then furnish the locker's token to their VMs. Key security attributes of the locker system include:

  • Temporary and autoclean: Lockers have a limited lifespan and quantity. Upon expiration, lockers are automatically purged, along with all the secrets contained within them.

  • Isolation: Access to the secrets within a locker is exclusively through its associated token, which can solely be used for accessing the locker's secrets—nothing more. This isolation allows users to store tokens in Continuous Integration/Continuous Deployment (CI/CD) pipelines and similar tools, mitigating the risk of exposing personal secrets.

  • Malfeasance detection: The locker mechanism possesses the capability to detect if a token has been compromised and is being misused.

Basic usage

The usage of lockers is very simple: just create a locker (access token required for this operation), then use the returned locker token for usual operations: put some secrets to the locker, listing secrets, getting some secrets from lockers. As the lockers are isolated and non-personal, users can put locker tokens to VMs or CI/CD pipelines, send the locker tokens to other users without risking personal information and secrets.

  • Create a locker: Users can explicitly define the number of uses and time-to-live. If not, the default values will be used. Add --verbose for getting more information at the output.

$ fedcloud secret locker create
hvs.CAESIGXXX

$ fedcloud secret locker create --ttl 24h --num-uses 10 –-verbose
key              value
---------------  -------------------------------------------------------
client_token     hvs.CAESIGXXX        <= This is the token
accessor         o3GXXXXXXXXXXXXX
policies         ['default']
token_policies   ['default']
lease_duration   86400
renewable        False
orphan           False
num_uses         10
  • Using a locker: Add the option --locker-token token and use fedcloud secret put/get/list as normally. No access token is needed.

$ fedcloud secret put mysecret password=123456 --locker-token hvs.CAESIXXX

The locker token may be set as OS environment variable like access token.

$ export FEDCLOUD_LOCKER_TOKEN=hvs.CAESIXXX
$ fedcloud secret get mysecret
  • Checking and destroying lockers: Users can check locker information and destroy it if needed. If not, lockers will be automatically deleted if the number of uses or TTL are expired.

$ fedcloud secret locker check hvs.CAESIXXX
key               value
----------------  -----------------------------------------------------
accessor          qb52XXXXXX
creation_time     1685008416
creation_ttl      86400
...

$ fedcloud secret locker revoke hvs.CAESIXXX