1Password targets developers with Secrets Automation, acquisition of SecretHub

Existing users covered until 2022

Password specialist 1Password has acquired SecretHub, a secrets management platform aimed at IT engineers, and made a new service called Secrets Automation, previously in beta, generally available.

The proliferation of passwords and SSH keys in modern IT has brought with it a tricky management problem, not only for people but also for machine-to-machine communications. Developers may struggle to keep secrets such as database logins secure, when their code will not function without them.

In 2019 researchers at North Carolina State University scanned code publicly committed to GitHub and found [PDF] that "not only is secret leakage pervasive — affecting over 100,000 repositories — but that thousands of new, unique secrets are leaked every day." In June 2020, security researcher Craig Hays deliberately leaked server credentials in a GitHub repository and observed an unauthorised login just 34 minutes later.

Secrets Automation uses a Connect Server, delivered as a Docker container, which users deploy in their environment. This provides a REST API which applications and services call to get the credentials they need.


Step by step. Source: 1Password. Click to enlarge

These requests are authenticated with an access token, unique to each application or service. 1Password provides API client libraries for Go, Node.js and Python, and there are plugins for tools including Terraform, Kubernetes, Hashicorp Vault, and Ansible.

There is also an upcoming integration with GitHub; VP of partner engineering Dana Lawson said that "with the upcoming GitHub and 1Password Secrets Automation integration, teams will be able to fully automate all of their infrastructure secrets," but no further details are available yet. GitHub also has its own Secrets API as part of its Actions DevOps service.

Developers and admins still have the task of managing the access tokens themselves, though these can be stored in 1Password. We presume that embedding them in code is a bad idea, even though the 1Password sample code for Node looks like this:

const op = OnePasswordConnect({
        serverUrl: "http://localhost:8000",
        token: "my-token",
        keepAlive: true,

1Password's chief product officer, Akshay Bhargava, acknowledged that Secrets Automation does not fix this part of the problem, telling us that "we've purposely designed Secrets Automation to allow customers using tokens to narrow the scope of access to the secrets needed by each part of their infrastructure. It does mean that the token now has that access, so deploying it as a protected secret in your infrastructure is important.

"This could be a Kubernetes secret, an environment variable, or a managed secret in the various cloud platform stacks, etc. This isn't about delivering secure credentials for the connect server to the application. But instead it is about delivering infrastructure secrets through 1Password to the applications securely. More things will be ported over, but we are sunsetting the SecretHub product."

The price of the new service is based on the number of tokens issued and the number of vaults they access. A free tier offers three credits per month, then pricing starts at $29 per month for 25 credits.

Secrets Automation was developed by 1Password; what will happen to the existing SecretHub product following the acquisition? "There are going to be some key features from SecretHub that will make their way into the Secrets Automation product," Bhargava told The Register.

Former SecretHub CEO Marc Mackenbach, who is now joining 1Password, said that existing users "can continue to use SecretHub as you currently do until January 1st, 2022." ®

Similar topics

Other stories you might like

  • Robotics and 5G to spur growth of SoC industry – report
    Big OEMs hogging production and COVID causing supply issues

    The system-on-chip (SoC) side of the semiconductor industry is poised for growth between now and 2026, when it's predicted to be worth $6.85 billion, according to an analyst's report. 

    Chances are good that there's an SoC-powered device within arm's reach of you: the tiny integrated circuits contain everything needed for a basic computer, leading to their proliferation in mobile, IoT and smart devices. 

    The report predicting the growth comes from advisory biz Technavio, which looked at a long list of companies in the SoC market. Vendors it analyzed include Apple, Broadcom, Intel, Nvidia, TSMC, Toshiba, and more. The company predicts that much of the growth between now and 2026 will stem primarily from robotics and 5G. 

    Continue reading
  • Deepfake attacks can easily trick live facial recognition systems online
    Plus: Next PyTorch release will support Apple GPUs so devs can train neural networks on their own laptops

    In brief Miscreants can easily steal someone else's identity by tricking live facial recognition software using deepfakes, according to a new report.

    Sensity AI, a startup focused on tackling identity fraud, carried out a series of pretend attacks. Engineers scanned the image of someone from an ID card, and mapped their likeness onto another person's face. Sensity then tested whether they could breach live facial recognition systems by tricking them into believing the pretend attacker is a real user.

    So-called "liveness tests" try to authenticate identities in real-time, relying on images or video streams from cameras like face recognition used to unlock mobile phones, for example. Nine out of ten vendors failed Sensity's live deepfake attacks.

    Continue reading
  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading

Biting the hand that feeds IT © 1998–2022