Gaia, when first started will create a signed certificate in a location
defined by the user under gaia.Cfg.CAPath
which can be set by the runtime flag
-capath=/etc/gaia/cert
for example. It is recommended that the certificate
is kept separate from the main Gaia work folder and in a secure location.
This certificate is used in two places. First, in the communication between the admin portal and the back-end. Second, by the Vault.
The Vault is a secure storage for secret values like, password, tokens and other things that the user would like to pass securly into a Pipeline. The Vault is encrypted using AES cipher technology where the key is derived from the above certificate and the IV is included in the encrypted content.
The Vault file's location can be configured through the runtime variable called
VaultPath
. For maximum security it is recommended that this file is kept on an
encrypted, mounted drive. In case there is a breach the drive can be quickly removed
and the file deleted, thus rotating all of the secrets at once, under Gaia.
To create an encrypted MacOSX image follow this guide: Encrypted Secure Disk Image on Mac.
To create an encrypted disk on Linux follow this guide: Encrypted Disk Image on Linux.
The admin will never see the secure values, not when editing, not when adding and not when looking at the list of secrets. Only the Key names are displayed at all times.
It's possible to Add, Delete, Update and List secrets in the system.