I'm working on a CMDB-like application, where I have to store our security credentials (server usernames & passwords, ...).
I'm looking for the best way to store them securely with these constraints:
- Most users will NOT have access to all credentials (depending on user role)
- We don't want all passwords being encrypted with the same key (already tried: when a user leaves the company, it's a pain to change the key...)
- Indeed, we don't want any private key to be hard-coded in the app source, or even stored anywhere (in our previous version, the private key was stored between our ears...)
- We need to run password strength audits (i.e. parse decrypted passwords from a script)
- There must not be any case where we cannot access our credentials anymore (lost key, ...) => we don't want unauthorized persons to look at them, but we don't want to lose them either => a solution for this constraint could be regular exports into a physical locker...
I'm not asking about application (https, ...) or database (no public access, ...) security concerns themselves, but only about the storage side (it could even NOT be in a database... encrypted files or something...): Is it possible to prevent someone, even with access to the app code or database content (worst-case scenario), from being able to read decrypted credentials?
I'm aware that I'm asking for a magic solution, but I want to know if it exists ;o)
The general case of what you're asking to do is not possible. All types of modern cryptography are mechanical advantage. That is, they use a small secret to guard a larger secret. If you can't keep the small secret safe, there is no safety. If you want the ability to give passwords on a password-by-password basis to someone, you are effectively giving them the secret -- the passwords -- that they would need to gain access to the items in question.
This very problem is why federated identity systems (Kerberos/Active Directory/etc.) exist -- to allow a central machine to authenticate users without exposing secrets to said users. But using a federated identity system requires cooperation between the system-to-be-logged-in-to and the identity service.
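To make the "small secret guards a larger secret" point concrete, here is an added example (editor's code, not part of the question or the answer above) of the storage layout the question's constraints push towards: envelope encryption. Each credential gets its own random data key (DEK) and is encrypted with AES-256-GCM; the DEK is then wrapped with RSA-OAEP for every principal allowed to read it (a user with the right role, the audit script, and an offline "recovery" key whose private half goes in the physical locker). Writing and re-wrapping need only public keys, which can sit in the database; reading needs a private key that lives nowhere in the database or the source. That is the small secret: someone who dumps both code and data gets ciphertext, but whoever runs the audit must hold a private key, and a leaver's wrap must be deleted and the record rotated because they may already have read it. The principal names, the sample credential and the choice of RSA-OAEP + AES-GCM are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Record is one stored credential: the plaintext encrypted under its own
// random DEK with AES-256-GCM, plus that DEK wrapped with RSA-OAEP for every
// principal allowed to read it. Nothing here is decryptable with the row and
// the source alone; a private key outside both is required.
type Record struct {
	Sealed []byte            // nonce || AES-GCM ciphertext of the credential
	Wraps  map[string][]byte // principal name -> RSA-OAEP(pub, DEK)
}

func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewRecord encrypts secret under a fresh DEK and wraps the DEK for each
// public key in readers (role members, the audit job, the offline recovery key).
// The principal name is used as the OAEP label so a wrap is bound to its owner.
func NewRecord(secret []byte, readers map[string]*rsa.PublicKey) (*Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := aesGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r := &Record{Sealed: gcm.Seal(nonce, nonce, secret, nil), Wraps: map[string][]byte{}}
	for name, pub := range readers {
		r.Wraps[name], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, []byte(name))
		if err != nil {
			return nil, err
		}
	}
	return r, nil
}

// Read recovers the credential for principal with their private key. A caller
// holding only the stored row (or the program) cannot produce the DEK.
func (r *Record) Read(principal string, priv *rsa.PrivateKey) ([]byte, error) {
	wrap, ok := r.Wraps[principal]
	if !ok {
		return nil, errors.New("no wrapped key for " + principal)
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrap, []byte(principal))
	if err != nil {
		return nil, errors.New("key does not unwrap the DEK for " + principal)
	}
	gcm, err := aesGCM(dek)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(r.Sealed) < ns {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, r.Sealed[:ns], r.Sealed[ns:], nil)
}

// Revoke drops a principal's wrap. It cannot undo what they already read, so
// Rotate afterwards: one remaining private key recovers the plaintext and the
// record is re-encrypted under a brand-new DEK wrapped only for readers.
func (r *Record) Revoke(principal string) { delete(r.Wraps, principal) }

func (r *Record) Rotate(by string, priv *rsa.PrivateKey, readers map[string]*rsa.PublicKey) error {
	secret, err := r.Read(by, priv)
	if err != nil {
		return err
	}
	fresh, err := NewRecord(secret, readers)
	if err != nil {
		return err
	}
	*r = *fresh
	return nil
}

func main() {
	keys := map[string]*rsa.PrivateKey{}
	readers := map[string]*rsa.PublicKey{}
	for _, name := range []string{"alice", "bob", "recovery"} { // constructed principals
		keys[name], _ = rsa.GenerateKey(rand.Reader, 2048)
		readers[name] = &keys[name].PublicKey
	}
	rec, _ := NewRecord([]byte("srv01 root / constructed-sample-pw"), readers)
	pw, _ := rec.Read("alice", keys["alice"])
	fmt.Printf("alice reads: %s\n", pw)
	rec.Revoke("bob")
	delete(readers, "bob")
	_ = rec.Rotate("alice", keys["alice"], readers)
	_, err := rec.Read("bob", keys["bob"])
	fmt.Println("bob after revoke+rotate:", err)
}
```

Two things this layout does not solve, which is the answer's point: the audit script still has to be given a private key, and an attacker who can read the application's memory while a user is decrypting sees the DEK and the plaintext. It only moves the secret out of the database and the source; it does not remove it.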