Google Cloud Secrets key management
The MySQL password, Firebase database admin token, SMTP password, server salt, SSL certificate password, and AES key can be stored securely in Google Cloud Secret Manager instead of being stored in plain text in the configuration file, where an attacker who reads the file would obtain them. This is the recommended way of setting up and storing the passwords and keys for this server application.
Create a Google Cloud account, navigate to the console, and create a project.
Afterwards, go to the API section and enable the Google Secrets API.
The configuration is loaded into the application at start-up. Any value updated or inserted into the configuration file takes effect only after the application is restarted.
For the server application to connect to the Google Secret Manager API and read secret values, authentication must be set up with OAuth and the application default credentials must be configured.
Install the Google Cloud CLI on Debian/Ubuntu (apt):

```bash
# Update the apt package index
sudo apt update
# Install the HTTPS transport, CA certificates, gpg and curl needed to add the repository
sudo apt-get install apt-transport-https ca-certificates gnupg curl
# Import the Google Cloud package signing key into a keyring
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg
# Add the Google Cloud SDK apt repository, signed with the keyring imported above
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
# Install the Google Cloud CLI
sudo apt-get update && sudo apt-get install google-cloud-cli
```
Install the Google Cloud CLI on Windows (PowerShell):

```powershell
# Download the Google Cloud CLI installer to the temporary directory
(New-Object Net.WebClient).DownloadFile("https://dl.google.com/dl/cloudsdk/channels/rapid/GoogleCloudSDKInstaller.exe", "$env:Temp\GoogleCloudSDKInstaller.exe")
# Run the installer
& $env:Temp\GoogleCloudSDKInstaller.exe
```
After the download is completed, run the CLI installer to install the Google Cloud CLI on your system.
```bash
# Initialise the Google Cloud CLI and set up application default credentials
gcloud init
gcloud auth application-default login
```

Initialise the CLI and set up the application default credentials that the server application uses to read secrets through the Google Secret Manager API.
When the Google Secret Manager is enabled in the server's configuration file, all passwords and keys are read from the Google Secret Manager API and any passwords and keys still present in the configuration file are ignored. To enable or disable secure secret management, modify the field shown below in the server configuration file.
```json
"use_google_secrets": false,
...
```
Create a secret and either copy and paste the contents of the aes_key.json file or upload the file to be used as the secret's value.
Either delete the aes_key.json file or move it to the cloud so that an attacker who reaches the server does not find the file encryption key on disk.
Add the Google Secret URL by modifying the field below in the server configuration file.

```json
"aes_encryption_key_secret_url": "!!! REPLACE WITH SECRET URL !!!",
```

Add the Google Secret version by modifying the field below in the server configuration file. Secret versions are the values associated with a secret: each time you upload a new value in Secret Manager, it is given a version number one higher than the previous version.

```json
"aes_encryption_key_version": "1",
```
Create a secret and use a random string as its value, to be used as the server salt.
Create a secret and use the Firebase admin token as its value.
Ensure that the field shown below is left empty so that the secret value is not exposed in the configuration file.

```json
...
"firebase_admin_token": "",
...
```

Add the Google Secret URL by modifying the field below in the server configuration file.

```json
"firebase_admin_token_secret_url": "!!! REPLACE WITH SECRET URL !!!",
```

Add the Google Secret version by modifying the field below in the server configuration file. Secret versions are the values associated with a secret: each time you upload a new value in Secret Manager, it is given a version number one higher than the previous version.

```json
"firebase_admin_token_secret_version": "1",
```
Create a secret and use the MySQL user password as its value.
Ensure that the field shown below is left empty so that the secret value is not exposed in the configuration file.

```json
...
"mysql_user_password": "",
...
```

Add the Google Secret URL by modifying the field below in the server configuration file.

```json
"mysql_user_password_secret_url": "!!! REPLACE WITH SECRET URL !!!",
```

Add the Google Secret version by modifying the field below in the server configuration file. Secret versions are the values associated with a secret: each time you upload a new value in Secret Manager, it is given a version number one higher than the previous version.

```json
"mysql_user_password_secret_version": "1",
```
Create a secret and use the SMTP password as its value.
Ensure that the field shown below is left empty so that the secret value is not exposed in the configuration file.

```json
...
"smtp_password": "",
...
```

Add the Google Secret URL by modifying the field below in the server configuration file.

```json
"smtp_password_secret_url": "!!! REPLACE WITH SECRET URL !!!",
```

Add the Google Secret version by modifying the field below in the server configuration file. Secret versions are the values associated with a secret: each time you upload a new value in Secret Manager, it is given a version number one higher than the previous version.

```json
"smtp_password_secret_version": "1",
```
Create a secret and use the custom server certificate password as its value.
Ensure that the field shown below is left empty so that the secret value is not exposed in the configuration file.

```json
...
"custom_server_certificate_password": "",
...
```

Add the Google Secret URL by modifying the field below in the server configuration file.

```json
"custom_server_certificate_password_secret_url": "!!! REPLACE WITH SECRET URL !!!",
```

Add the Google Secret version by modifying the field below in the server configuration file. Secret versions are the values associated with a secret: each time you upload a new value in Secret Manager, it is given a version number one higher than the previous version.

```json
"custom_server_certificate_password_secret_version": "1",
```
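As an added example that is not part of the server project, the following Python check validates a configuration file against the rules above before start-up: Secret Manager enabled, none of the plain-text fields listed on this page still filled in, no placeholder left in a secret URL, and a positive version number. The "/secrets/" shape check and the sample configuration are assumptions constructed for the example, not values from the project.

```python
"""Pre-start check for the server configuration described on this page.
Added example, not the server project's own code. Field names come from the
page; the "/secrets/" check assumes a projects/<id>/secrets/<name> path."""

PLACEHOLDER = "!!! REPLACE WITH SECRET URL !!!"

# (plain-text field or None, secret URL field, secret version field).
# The AES key has no plain-text field: it is loaded from aes_key.json instead.
SECRET_FIELDS = [
    (None, "aes_encryption_key_secret_url", "aes_encryption_key_version"),
    ("firebase_admin_token", "firebase_admin_token_secret_url",
     "firebase_admin_token_secret_version"),
    ("mysql_user_password", "mysql_user_password_secret_url",
     "mysql_user_password_secret_version"),
    ("smtp_password", "smtp_password_secret_url", "smtp_password_secret_version"),
    ("custom_server_certificate_password",
     "custom_server_certificate_password_secret_url",
     "custom_server_certificate_password_secret_version"),
]


def check_config(config: dict) -> list[str]:
    """Return the problems found; an empty list means the file is safe to start with."""
    if not config.get("use_google_secrets", False):
        return ["use_google_secrets is false: secrets would be read from the config file"]
    problems = []
    for plain, url_key, version_key in SECRET_FIELDS:
        if plain and config.get(plain):
            problems.append(f"{plain} still holds a plain-text value")
        url = str(config.get(url_key, ""))
        if not url or url == PLACEHOLDER:
            problems.append(f"{url_key} is empty or still the placeholder")
        elif "/secrets/" not in url:  # assumption: projects/<id>/secrets/<name>
            problems.append(f"{url_key} does not look like a Secret Manager path")
        version = str(config.get(version_key, ""))
        if not version.isdigit() or int(version) < 1:
            problems.append(f"{version_key} must be a positive integer, got {version!r}")
    return problems


# Constructed sample: a half-finished configuration that must not go live.
UNSAFE_CONFIG = {
    "use_google_secrets": True,
    "smtp_password": "hunter2",               # plain text left behind
    "smtp_password_secret_url": PLACEHOLDER,  # placeholder never replaced
    "smtp_password_secret_version": "1",
    "aes_encryption_key_secret_url": "projects/example-project/secrets/aes-key",
    "aes_encryption_key_version": "0",        # versions start at 1
}
```

Run `check_config(json.load(open(path)))` on the real configuration file and refuse to start the server while it returns any problems.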