Skip to content

security: encrypt Stellar secret key at rest in configuration #17

Description

@snowrugar-beep

Problem Statement

STELLAR_SECRET_KEY is loaded from environment variable but is accessible as plaintext via ConfigService throughout the application runtime. If an attacker gains access to the running process (via RCE, memory dump, or logging), they can read the secret key and authorize on-chain transactions.

Evidence

  • Backend/src/config/configuration.ts lines 20-22: STELLAR_SECRET_KEY loaded from env, available via ConfigService.get()
  • No encryption-at-rest for secrets

Impact

Secrets compromise could lead to unauthorized on-chain transactions, fund loss, or contract manipulation.

Proposed Solution

  1. Use AWS Secrets Manager or HashiCorp Vault for secret storage
  2. Retrieve secret at startup and decrypt in memory
  3. Zero out memory after use where possible
  4. Add audit logging for secret access (without logging the secret itself)
  5. Ensure secrets are never logged or exposed in error messages

Technical Requirements

  • Secrets must never be logged or serialized
  • Memory should be cleared after use (Buffer.alloc or similar)
  • Must work with both local dev and production (different secret providers)
  • Must handle rotation of secrets gracefully

Acceptance Criteria

  1. Secret key is not directly logged on startup
  2. Error messages do not include secret key values
  3. AWS Secrets Manager integration works in production
  4. Local .env file works for development
  5. Memory containing secret is cleared after signing

File Inventory

  • Backend/src/config/configuration.ts
  • Backend/src/soroban/soroban.service.ts

Dependencies

Issue #4 (real Soroban integration) — secret becomes more critical when real integration exists.

Testing Strategy

  • Unit test: verify secret is not in error messages
  • Integration test: AWS Secrets Manager retrieval
  • Manual: inspect logs for any secret leakage

Security Considerations

Primary secrets management improvement. Must be implemented before production deployment.

Definition of Done

  • Secrets provider integrated
  • Secrets not logged
  • Memory cleared
  • Tests passing

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions