Encrypt OTP secret at rest #11

Open
opened 2025-07-22 18:43:10 +00:00 by chartgerink · 0 comments
Owner

Currently, we store the base32 secret, used for one time password validation, in the database. This is common practice, but not necessarily best practice.

This issue tracks the work to allow for encrypting OTP secrets at rest. This requires an encryption key stored separately from the database, which is ephemerally retrieved when the base32 secret needs to be decrypted for validating an OTP code.

Implementing this is perfectly possible when specified for one installation, but I am not yet sure how to design this for self-hosting. It could be done using Hashicorp Vault, but if this is a dependency needed to do self-hosting it increases the architecture needed to self-host.

Until the design is clear and we can implement this in a reliable manner that can be deployed without additional overhead, we will rely on base32 secrets that are not encrypted at rest. When someone has access to the database, OTP secrets are not the biggest problem to deal with for our specific scenario.

Reference: libscie/researchequals-api#11