tldr:

Status: In development

Timeline: January 2020 - 2021+

Background


There are exposed secrets in the configuration files needed to bootstrap a P-Rep node. This project focuses on protecting those secrets on a variety of backends, such as an encrypted keystore, HashiCorp's Vault, and hardware wallets. It will use a plugin-based system so that the user can specify which of the following three backends they want to use.

1. Local keystore

The simplest secret backend is a local keystore (not the same as a wallet keystore), but it has a drawback: if the host is compromised, an attacker can attempt to exfiltrate the keys through a variety of methods, from brute force to memory-sniffing exploits and the like.

2. Hashicorp Vault

Moving up in complexity, but also in security, is HashiCorp's Vault, the best-in-class solution for protecting secrets in the cloud. It uses a policy- and identity-based system to grant temporary access to a secret. It is the most robust solution for systems that rely on automation or minimal interaction with the secret itself.

3. Hardware Solutions
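The plugin-based design and the local keystore backend described above, as an added example that is not the project's own code: a `SecretBackend` interface that any backend can implement, and a local keystore whose entries are AES-GCM sealed with the entry name bound in as associated data. The interface shape, the SHA-256 key derivation and the entry names are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SecretBackend is the plugin interface each backend (local keystore, Vault, HSM) implements.
type SecretBackend interface{ Get(name string) ([]byte, error) }

// LocalKeystore holds entries AES-GCM sealed under a passphrase-derived key kept only in memory.
type LocalKeystore struct {
	aead    cipher.AEAD
	entries map[string][]byte // name -> nonce || ciphertext (the part that would go to disk)
}

// NewLocalKeystore derives the key as SHA-256(salt || passphrase), a simplification for this
// example; a real keystore should use a slow KDF such as scrypt or Argon2 with a random salt.
func NewLocalKeystore(passphrase, salt []byte) (*LocalKeystore, error) {
	key := sha256.Sum256(append(append([]byte{}, salt...), passphrase...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &LocalKeystore{aead: aead, entries: map[string][]byte{}}, err
}

// Put seals a secret under a fresh random nonce and binds the entry name in as associated
// data, so a ciphertext copied from one entry to another is rejected on Get.
func (k *LocalKeystore) Put(name string, secret []byte) error {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	k.entries[name] = k.aead.Seal(nonce, nonce, secret, []byte(name))
	return nil
}

// Get opens an entry; a missing, tampered or renamed blob fails authentication, not decrypts.
func (k *LocalKeystore) Get(name string) ([]byte, error) {
	blob, ns := k.entries[name], k.aead.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("keystore: no entry for %q", name)
	}
	return k.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}
```

A Vault or hardware backend would satisfy the same `Get` signature, so the bootstrap code never has to know which backend the operator chose.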