reinitialized.net/infrastructure
2
0
Fork 0
Code Issues 37 Pull requests Projects Releases Packages Wiki Activity Actions

[HIGH] Hardcoded cryptographic keys in Hudu example secrets #17

New issue
Open
opened 2026-05-05 15:44:08 -05:00 by pjennings · 0 comments
pjennings commented 2026-05-05 15:44:08 -05:00
Owner
Copy link

Labels: area:security, area:containers, priority:high, type:bug

Description

In modules/secrets.example/apps1.nix, the Hudu configuration contains what appear to be real cryptographic values:

  • SECRET_KEY_BASE (64 hex chars)
  • PASSWORD_KEY (32 hex chars)
  • TWO_FACTOR_KEY (32 hex chars)

These have proper hex format suggesting they may be real production values.

Impact

If real: SECRET_KEY_BASE enables session forgery, PASSWORD_KEY enables password decryption, TWO_FACTOR_KEY enables 2FA bypass.

Recommended Fix

  1. IMMEDIATELY rotate all three keys if they are real values
  2. Replace with obvious placeholders
  3. Move to encrypted secrets management
**Labels:** area:security, area:containers, priority:high, type:bug ## Description In modules/secrets.example/apps1.nix, the Hudu configuration contains what appear to be real cryptographic values: - SECRET_KEY_BASE (64 hex chars) - PASSWORD_KEY (32 hex chars) - TWO_FACTOR_KEY (32 hex chars) These have proper hex format suggesting they may be real production values. ## Impact If real: SECRET_KEY_BASE enables session forgery, PASSWORD_KEY enables password decryption, TWO_FACTOR_KEY enables 2FA bypass. ## Recommended Fix 1. IMMEDIATELY rotate all three keys if they are real values 2. Replace with obvious placeholders 3. Move to encrypted secrets management
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
indev
No results found.
Labels
Clear labels   
area:documentation

Documentation, inventory, runbooks

  
area:infrastructure

Infrastructure services and hardware

  
area:network

Network, firewall, and connectivity

  
area:security

Security vulnerabilities and findings

  
priority:critical

Fix immediately — active risk

  
priority:high

Fix within 1-2 weeks

  
priority:low

Backlog — hardening and best practices

  
priority:medium

Fix within 1 month

  
status:blocked

Blocked on dependency or decision

  
type:bug

Misconfiguration or broken behavior

  
type:deployment

New service or system deployment

  
type:enhancement

Improvement or hardening

  
type:investigation

Needs research or identification

No labels
area:documentation
area:infrastructure
area:network
area:security
priority:critical
priority:high
priority:low
priority:medium
status:blocked
type:bug
type:deployment
type:enhancement
type:investigation
Milestone
Clear milestone
No items
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
reinitialized.net/infrastructure#17
No description provided.