Skip to content

Latest commit

 

History

History
66 lines (53 loc) · 5.1 KB

threat-modeling.md

File metadata and controls

66 lines (53 loc) · 5.1 KB

Threat Model Analysis for mozilla/sops

Threat: Master Key Compromise (KMS/PGP/etc.)

  • Threat: Master Key Compromise (KMS/PGP/etc.)

    • Description: An attacker gains unauthorized access to the master key used by SOPS (e.g., AWS KMS key, PGP private key, HashiCorp Vault root token). The attacker could use social engineering, exploit a vulnerability in the KMS, or find leaked credentials. They would then use the compromised key to decrypt all secrets encrypted with that key.
    • Impact: Complete loss of confidentiality for all secrets managed by the compromised key. The attacker gains access to all sensitive data protected by SOPS. This could lead to data breaches, system compromise, and significant reputational damage.
    • Affected SOPS Component: Key Management Integration (interaction with external KMS, PGP, or Vault). The core decryption logic of SOPS is affected, as it relies on the integrity of the master key.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Strict Access Control: Implement the principle of least privilege.
      • Key Rotation: Regularly rotate master keys.
      • Auditing and Monitoring: Enable detailed logging and monitoring.
      • HSM Usage: Use Hardware Security Modules (HSMs) where possible.
      • Strong Authentication: Use multi-factor authentication (MFA).
      • Secure Storage (PGP): Securely store PGP private keys, ideally on a hardware token, with a strong passphrase.
      • Vault Best Practices: Follow Vault's security model and best practices.

Threat: Unauthorized KMS Access

  • Threat: Unauthorized KMS Access

    • Description: An attacker gains unauthorized access to the Key Management Service (e.g., AWS KMS, GCP KMS) itself, without directly obtaining the master key material. They might exploit a misconfiguration, a vulnerability in the KMS, or compromised credentials. The attacker could then use the KMS API to decrypt secrets.
    • Impact: Loss of confidentiality for secrets managed by the affected KMS.
    • Affected SOPS Component: KMS Integration (specifically, the interaction with the KMS API).
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Strong KMS Authentication/Authorization: Implement robust authentication and authorization, using IAM with least privilege.
      • Network Security: Use network controls (VPCs, firewalls) to restrict access.
      • KMS Logging and Monitoring: Enable detailed logging and monitoring.
      • Regular Audits: Regularly review KMS access permissions.

Threat: Incorrect .sops.yaml Configuration

  • Threat: Incorrect .sops.yaml Configuration

    • Description: The .sops.yaml file contains errors, such as incorrect key IDs, file paths, or misconfigured regex. An attacker might intentionally introduce errors, or they could be accidental.
    • Impact:
      • Loss of Availability: If decryption fails, the application cannot access secrets.
      • Loss of Confidentiality: If the wrong key can decrypt, an attacker gains unauthorized access.
      • Incorrect Encryption: Files might be encrypted with the wrong key.
    • Affected SOPS Component: Configuration (.sops.yaml parsing and application).
    • Risk Severity: High
    • Mitigation Strategies:
      • Configuration Validation: Use a schema validator for .sops.yaml.
      • Code Review: Implement code review for .sops.yaml changes.
      • Testing: Thoroughly test the .sops.yaml configuration.
      • Version Control: Use version control for .sops.yaml.
      • Least Privilege in Key Hierarchy: Design the key hierarchy with least privilege.

Threat: Exposure of Master Keys in CI/CD

  • Threat: Exposure of Master Keys in CI/CD

    • Description: Master keys used by SOPS are exposed within the CI/CD pipeline environment (e.g., as plaintext environment variables). An attacker compromising the CI/CD system could obtain the keys.
    • Impact: Complete loss of confidentiality for all secrets managed by the compromised key.
    • Affected SOPS Component: Key Management Integration (within the CI/CD context). This is how SOPS interacts with the key management system via the CI/CD pipeline.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • CI/CD Secrets Management: Use the CI/CD platform's built-in secrets management.
      • Avoid Plaintext Keys: Never store master keys directly in CI/CD configuration.
      • Short-Lived Credentials: Use short-lived credentials or service accounts with limited permissions.
      • Auditing and Monitoring: Enable logging and monitoring for the CI/CD pipeline.
      • Least Privilege: Grant the CI/CD pipeline only minimum necessary permissions.