Novops Security Model

Overview

Novops does its best to load secrets securely, but some points must be considered. In short:

  • Novops keeps secrets out of reach of other users and does not persist them: they are held in memory or under secure temporary directories only.
  • Novops itself does not persist any secret. The .novops.yml config file contains no secret and can safely be versioned with Git or any other version control tool.
  • Libraries used are carefully chosen and regularly updated.

Novops security added value

Secrets are often mishandled during local development and in CI: stored permanently under git-ignored directories or $HOME/... sub-folders, spread across CI server configuration, and so on.

Such manual secret management is risky even when done with best practices in mind. Novops helps handle secrets more securely during local development and in CI, in combination with secret managers such as Hashicorp Vault or cloud secret managers.

Temporary secrets and secure directories

Novops generates secrets as environment variables and files to be used by sub-processes. Secret files are written to a tmpfs (in-memory) file system under a protected directory that only the user running Novops (or root) can access: XDG_RUNTIME_DIR by default, or a protected directory under /tmp.

In short:

  • If XDG_RUNTIME_DIR exists, Novops saves files in this secure directory
  • Otherwise, files are saved under a user-specific /tmp directory
  • Alternatively, you can pass novops load -w PATH to point to a custom secure directory, though you are then responsible for ensuring that the directory is secure (only your user can read/write it, and it should not be persisted)

Files potentially generated by Novops:

  • novops load -s SYMLINK creates an exportable dotenv file in the protected directory
  • The files module generates files in the protected directory by default
  • Environment variables of a process are exposed under /proc/${pid}/environ

This offers a better protection than keeping secrets directly on-disk or manually managing them.

With XDG_RUNTIME_DIR

If XDG_RUNTIME_DIR variable is set, secrets are stored as files under a subdirectory of XDG_RUNTIME_DIR. In short, this directory is:

  • Owned and read/writable only by current user
  • Bound to lifecycle of current user session (i.e. removed on logout or shutdown)
  • Usually mounted as a tmpfs volume, but not necessarily (the spec does not require it)

This ensures loaded secrets are securely stored while being used and not persisted unnecessarily.

To read more about XDG Runtime Dir, see:

Without XDG_RUNTIME_DIR

If XDG_RUNTIME_DIR is not available, Novops issues a warning and tries to emulate XDG-like behavior under a /tmp sub-folder. There is no guarantee that it fully implements the XDG specification, but the directory is created so that it is:

  • Owned and read/writable only by the current user
  • Located under /tmp, so its content can reasonably be assumed not to persist across reboots or logouts

See prepare_working_directory() in src/lib.rs

This may be less secure. Novops issues a warning in this situation, and you are advised to use a system where XDG_RUNTIME_DIR is available.
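The directory selection and checks described in this section and the previous one (XDG_RUNTIME_DIR first, a per-user /tmp fallback otherwise, owner-only permissions), as an added Rust example that is not Novops' own code: the function names, the "novops" subdirectory and the "/tmp/novops-<uid>" fallback name are assumptions, and reading the uid from /proc/self is Linux-specific. The point it adds to the prose is the re-check after creation: a pre-existing directory with wider permissions, or a symlink at that path, is rejected instead of reused.

```rust
// Added example, not Novops' own code: pick a protected working directory the
// way the security model describes and verify it before using it.
// Assumptions: the function names, the "novops" subdirectory and the
// "/tmp/novops-<uid>" fallback layout; reading the uid from /proc/self is Linux-specific.
use std::fs::{self, DirBuilder};
use std::io;
use std::os::unix::fs::{DirBuilderExt, MetadataExt};
use std::path::{Path, PathBuf};

/// Effective uid of this process. On Linux, /proc/self is owned by the
/// process's effective uid, which avoids a libc binding for getuid().
pub fn current_uid() -> io::Result<u32> {
    Ok(fs::metadata("/proc/self")?.uid())
}

/// Base directory for secret files: a subdirectory of XDG_RUNTIME_DIR when it
/// is set, otherwise a per-user directory under /tmp (XDG-like emulation).
pub fn select_base_dir(xdg_runtime_dir: Option<&str>, uid: u32) -> PathBuf {
    match xdg_runtime_dir {
        Some(dir) if !dir.is_empty() => Path::new(dir).join("novops"),
        _ => PathBuf::from(format!("/tmp/novops-{uid}")),
    }
}

fn insecure(msg: String) -> io::Error {
    io::Error::new(io::ErrorKind::PermissionDenied, msg)
}

/// Checks to run before writing secrets into `path`: it must be a real
/// directory (not a symlink someone else planted there), owned by `uid`,
/// with no group/other permission bits at all.
pub fn verify_secure_dir(path: &Path, uid: u32) -> io::Result<()> {
    let meta = fs::symlink_metadata(path)?;
    if meta.file_type().is_symlink() || !meta.is_dir() {
        return Err(insecure(format!("{} is not a plain directory", path.display())));
    }
    if meta.uid() != uid {
        return Err(insecure(format!(
            "{} is owned by uid {}, expected {}",
            path.display(),
            meta.uid(),
            uid
        )));
    }
    if meta.mode() & 0o077 != 0 {
        return Err(insecure(format!(
            "{} is readable or writable by group/other (mode {:o})",
            path.display(),
            meta.mode() & 0o777
        )));
    }
    Ok(())
}

/// Create `base` with mode 0700 if it does not exist, then re-check it, so a
/// pre-existing directory with looser permissions is rejected rather than reused.
pub fn prepare_working_directory(base: &Path, uid: u32) -> io::Result<PathBuf> {
    DirBuilder::new().recursive(true).mode(0o700).create(base)?;
    verify_secure_dir(base, uid)?;
    Ok(base.to_path_buf())
}

fn main() -> io::Result<()> {
    let uid = current_uid()?;
    let xdg = std::env::var("XDG_RUNTIME_DIR").ok();
    if xdg.is_none() {
        eprintln!("warning: XDG_RUNTIME_DIR is not set, falling back to a /tmp sub-folder");
    }
    let dir = prepare_working_directory(&select_base_dir(xdg.as_deref(), uid), uid)?;
    println!("secure working directory: {}", dir.display());
    Ok(())
}
```

The mode check rejects any group/other bit, not just write bits, because a directory another user can list or enter leaks the names of secret files even when the files themselves are 0600.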

Limitations

Novops does its best to provide a more secure way of handling secrets, though it's not 100% bullet-proof:

  • tmpfs is an in-memory file system, but its pages may still be swapped to disk, which may present a security risk.
  • Environment variables and files can be read by any other process running as the same user as Novops.
  • A root or equivalent user may be able to access secrets, even if they are in memory or in secure folders.

These are OS limitations that Novops alone cannot solve. Even Hashicorp Vault, which can be considered a very good security tool, has similar limitations.

How can I make my setup more secure?

  • Disable swap. This will prevent secrets in the protected tmpfs folder from being swapped to disk.
  • Disable core dumps. A root user may be able to force core dumps and retrieve secrets from memory.

Overall, Novops is just one added layer in your security scheme and is limited by the surrounding environment and by how it is used. You should always follow security best practices for secret management.
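An added Rust example (not Novops' own code) of checking for the two conditions this section recommends: it parses the text of /proc/swaps to detect active swap, and it uses the Linux prctl(2) PR_SET_DUMPABLE flag to opt the running process out of core dumps. The function names and the SAMPLE_PROC_SWAPS text are constructed for the example; the prctl constants are the Linux header values.

```rust
// Added example, not Novops' own code: two checks for the hardening advice in
// the security model. Swap is detected by parsing /proc/swaps, and core dumps
// are disabled for the calling process with prctl(PR_SET_DUMPABLE, 0).
// The function names and SAMPLE_PROC_SWAPS are assumptions / constructed data.
use std::ffi::{c_int, c_ulong};
use std::fs;
use std::io;

// prctl(2) is not wrapped by std, so it is declared against libc directly.
// Constant values are those of the Linux headers.
const PR_SET_DUMPABLE: c_int = 4;
const PR_GET_DUMPABLE: c_int = 3;

extern "C" {
    fn prctl(option: c_int, ...) -> c_int;
}

/// Constructed sample of /proc/swaps with one active swap partition
/// (not captured from a real machine).
pub const SAMPLE_PROC_SWAPS: &str = "Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority\n\
/dev/sda2                               partition\t8388604\t\t0\t\t-2\n";

/// Names of active swap devices or files, parsed from /proc/swaps text.
/// The first line is a column header and is skipped.
pub fn active_swaps(proc_swaps: &str) -> Vec<String> {
    proc_swaps
        .lines()
        .skip(1)
        .filter_map(|line| line.split_whitespace().next())
        .map(str::to_string)
        .collect()
}

/// True when any swap is active, i.e. pages of a tmpfs holding secrets can
/// be written to disk.
pub fn swap_is_active(proc_swaps: &str) -> bool {
    !active_swaps(proc_swaps).is_empty()
}

/// Make this process non-dumpable: the kernel will not write a core dump for
/// it, and unprivileged same-uid processes can no longer ptrace it or read
/// its /proc/<pid>/environ.
pub fn disable_core_dumps() -> io::Result<()> {
    // SAFETY: plain syscall wrapper called with integer arguments only.
    let rc = unsafe { prctl(PR_SET_DUMPABLE, 0 as c_ulong, 0 as c_ulong, 0 as c_ulong, 0 as c_ulong) };
    if rc == 0 {
        Ok(())
    } else {
        Err(io::Error::last_os_error())
    }
}

/// Current dumpable flag of this process: 0 = not dumpable, 1 = dumpable,
/// 2 = dump readable by root only.
pub fn dumpable() -> io::Result<i32> {
    // SAFETY: as above; PR_GET_DUMPABLE ignores the extra arguments.
    let rc = unsafe { prctl(PR_GET_DUMPABLE, 0 as c_ulong, 0 as c_ulong, 0 as c_ulong, 0 as c_ulong) };
    if rc < 0 {
        Err(io::Error::last_os_error())
    } else {
        Ok(rc)
    }
}

fn main() -> io::Result<()> {
    let swaps = fs::read_to_string("/proc/swaps")?;
    if swap_is_active(&swaps) {
        eprintln!(
            "warning: swap is active on {:?}; tmpfs contents may reach disk",
            active_swaps(&swaps)
        );
    } else {
        println!("ok: no active swap");
    }
    disable_core_dumps()?;
    println!("core dumps disabled for this process (dumpable = {})", dumpable()?);
    Ok(())
}
```

The dumpable flag is a per-process measure: it is inherited across fork, but a sub-process that execs a new program starts with the default again, and root is not restricted by it. It complements, rather than replaces, the system-wide swap and core dump settings recommended above.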

External libraries and CVEs

Novops uses open source libraries and updates them regularly to the latest versions to get security patches and CVE fixes.