This article is more than 1 year old
1Password targets developers with Secrets Automation, acquisition of SecretHub
Existing users covered until 2022
Password specialist 1Password has acquired SecretHub, a secrets management platform aimed at IT engineers, and made a new service called Secrets Automation, previously in beta, generally available.
The proliferation of passwords and SSH keys in modern IT has brought with it a tricky management problem, not only for people but also for machine-to-machine communications. Developers may struggle to keep secrets such as database logins secure, when their code will not function without them.
In 2019 researchers at North Carolina State University scanned code publicly committed to GitHub and found [PDF] that "not only is secret leakage pervasive — affecting over 100,000 repositories — but that thousands of new, unique secrets are leaked every day." In June 2020, security researcher Craig Hays deliberately leaked server credentials in a GitHub repository and observed an unauthorised login just 34 minutes later.
Secrets Automation uses a Connect Server, delivered as a Docker container, which users deploy in their environment. This provides a REST API which applications and services call to get the credentials they need.
These requests are authenticated with an access token, unique to each application or service. 1Password provides API client libraries for Go, Node.js and Python, and there are plugins for tools including Terraform, Kubernetes, Hashicorp Vault, and Ansible.
There is also an upcoming integration with GitHub; VP of partner engineering Dana Lawson said that "with the upcoming GitHub and 1Password Secrets Automation integration, teams will be able to fully automate all of their infrastructure secrets," but no further details are available yet. GitHub also has its own Secrets API as part of its Actions DevOps service.
Developers and admins still have the task of managing the access tokens themselves, though these can be stored in 1Password. We presume that embedding them in code is a bad idea, even though the 1Password sample code for Node looks like this:
const op = OnePasswordConnect({ serverUrl: "http://localhost:8000", token: "my-token", keepAlive: true, });
1Password's chief product officer, Akshay Bhargava, acknowledged that Secrets Automation does not fix this part of the problem, telling us that "we've purposely designed Secrets Automation to allow customers using tokens to narrow the scope of access to the secrets needed by each part of their infrastructure. It does mean that the token now has that access, so deploying it as a protected secret in your infrastructure is important.
"This could be a Kubernetes secret, an environment variable, or a managed secret in the various cloud platform stacks, etc. This isn't about delivering secure credentials for the connect server to the application. But instead it is about delivering infrastructure secrets through 1Password to the applications securely. More things will be ported over, but we are sunsetting the SecretHub product."
The price of the new service is based on the number of tokens issued and the number of vaults they access. A free tier offers three credits per month, then pricing starts at $29 per month for 25 credits.
Secrets Automation was developed by 1Password; what will happen to the existing SecretHub product following the acquisition? "There are going to be some key features from SecretHub that will make their way into the Secrets Automation product," Bhargava told The Register.
Former SecretHub CEO Marc Mackenbach, who is now joining 1Password, said that existing users "can continue to use SecretHub as you currently do until January 1st, 2022." ®