Documentation
Tutorials
Changelog Contribution Guide Environment Setup Localization and Translation in the Open Innovation lab Technical guide for API developers CI Workflow Deployment Guide Reviewing pull requests Secret Access/Management

Tutorial

Secret Access/Management

Project Secrets and Security

Introduction

This section provides an overview of how secrets and sensitive credentials are handled, accessed, and secured within the MOOCs platform project. The project adopts a security-focused approach to protect confidential information and maintain the integrity of the system. Keybase is utilized as a secure storage solution, and access to project secrets is tightly controlled to ensure only authorized individuals can manage and utilize them.

Community Security Reporting

We value the participation of the community in ensuring the security of our MOOCs platform. If you discover a security vulnerability or any potential security-related issues within our system, we encourage you to report it to us promptly. We have established a responsible disclosure process to address such reports and take necessary actions to protect our platform and its users.

To report a security concern, please follow these steps:

  1. Gather Information: Collect all relevant details about the security vulnerability or issue, including steps to reproduce, impact, and any supporting evidence.

  2. Contact Us: Send an email to our dedicated security email address, admin@oscsa.com, to report the security concern. Please provide a clear and concise description of the issue along with any relevant attachments or documentation.

  3. Responsibility and Collaboration: We commit to treat all security reports seriously and work with you to investigate and address the reported concerns. We kindly request that you refrain from publicly disclosing the issue until we have had a chance to evaluate and address it.

  4. Acknowledgment: Once we receive your report, we will acknowledge it within a reasonable timeframe and keep you informed of our progress in resolving the issue.

By adhering to responsible disclosure practices, we can collaborate to ensure the security of our platform and protect the interests of our users and community.

Keybase for Secrets Storage

Keybase is utilized as the central repository for storing project secrets and sensitive credentials. Keybase provides end-to-end encryption and secure sharing capabilities, ensuring that the secrets are protected both at rest and in transit. Access to the Keybase repository is restricted to authorized project maintainers only. In our MOOCs platform project, we utilize Keybase for secure storage and management of our sensitive credentials and secrets. Keybase provides end-to-end encryption and secure communication channels, allowing us to securely store and share sensitive information among trusted team members.

Access and Authorization

Access to the Keybase team is limited to authorized individuals who are involved in the project and have a need to access the stored secrets. To gain access to Keybase and its secrets, follow these steps:

  1. Authorization: To become authorized, you need to request access from the project head or an existing maintainer. This is typically done by contacting them through email or other communication channels specified by the project.

  2. Invitation: Once authorized, you will receive an invitation to join the project's Keybase team. This invitation is usually sent via email and contains instructions on how to proceed.

  3. Joining the Keybase Team: Follow the instructions provided in the invitation to join the Keybase team. This may involve creating a Keybase account if you don't have one already and installing the Keybase application on your device.

  4. Secure Communication: Once you have joined the Keybase team, you can securely communicate with other team members and access the stored secrets. Keybase provides encryption and secure messaging channels to ensure that sensitive information remains protected.

Storing Secrets in Keybase

Keybase offers various methods to store and manage secrets securely within the team. These methods may include:

  • Encrypted Files: Secrets can be stored as encrypted files within Keybase. These files are accessible only to authorized team members and require appropriate permissions to view or modify.

  • Secure Channels: Keybase provides secure messaging channels where secrets can be shared among team members. These channels ensure that sensitive information remains confidential and protected.

  • Other Methods: Keybase also offers other methods for storing and managing secrets, such as encrypted chat rooms and encrypted git repositories. These methods may be used depending on the project's requirements and preferences.

GitHub Repository Secrets

In our MOOCs platform project, we utilize GitHub repository secrets to securely store sensitive information and credentials related to our development and deployment processes. GitHub repository secrets provide a way to securely access and use sensitive data within GitHub Actions workflows and other automated processes.

Purpose of Repository Secrets

The primary purpose of repository secrets is to safeguard sensitive information that is required during the development, testing, and deployment stages of our project. Examples of sensitive data that can be stored as repository secrets include:

  • API keys and access tokens for third-party services
  • Database credentials
  • Encryption keys and secrets
  • Environment-specific configuration values
  • Any other sensitive data required for the project's operation

By storing these sensitive credentials and information as repository secrets, we ensure that they are not exposed in our project's source code or visible to unauthorized individuals. This helps maintain the security and integrity of our project.

Access and Management

Access to repository secrets is limited to authorized individuals who have the necessary permissions to manage and work on the project. As a maintainer or contributor, you may be granted access to repository secrets based on your role and responsibilities.

To access and manage repository secrets, follow these steps:

  1. Authorization: As a maintainer, you will need to be authorized by the project head or an existing maintainer. This typically involves being added as a collaborator to the project repository on GitHub.

  2. Invitation: Once authorized, you will receive an invitation to join the project's Keybase team. This is where the repository secrets are securely stored and shared among trusted team members.

  3. Keybase Integration: Keybase provides end-to-end encryption and secure communication channels for managing sensitive information. Install the Keybase application on your device and follow the instructions provided in the invitation to join the project's team.

  4. Accessing Repository Secrets: After joining the Keybase team, you will have access to the shared repository secrets. These secrets are typically stored in encrypted files or securely communicated within the team through Keybase channels.

  5. Usage in Workflows: In GitHub Actions workflows or other automated processes, you can reference the repository secrets using environment variables or specific syntax provided by the automation tool or framework being used.

Security Best Practices

The project follows industry-standard security best practices to safeguard project secrets and maintain a secure development environment. These practices include:

  • Regularly rotating secrets and credentials to minimize the risk of unauthorized access.
  • Limiting access permissions to project repositories and secrets on a need-to-know basis.
  • Employing strong and unique passwords for all accounts and services used in the project.
  • Regularly updating and patching software dependencies and libraries to mitigate potential vulnerabilities.
  • Conducting periodic security audits and vulnerability assessments to identify and address any potential security risks.

By following these practices, we maintain a high level of security for our project's sensitive information and minimize the risk of unauthorized access or exposure.

It is important to emphasize that repository secrets should never be committed to the project's source code repository directly or shared with individuals who are not authorized to access them. They are strictly meant for internal project use and should be handled with utmost care and discretion.

Conclusion

Protecting project secrets and sensitive credentials is of paramount importance to the MOOCs platform project. By utilizing Keybase for secrets storage, implementing a strict access control process, and adhering to security best practices, the project maintains a secure environment for managing confidential information. These measures ensure the integrity, confidentiality, and availability of project secrets while minimizing the risk of unauthorized access or data breaches.