Secrets Management for LCBP3-DMS
📍 Version: v1.8.0 ⚠️ Security Level: CONFIDENTIAL
Overview
This document describes how secrets and sensitive data are managed for LCBP3-DMS.
1. Secret Categories
| Category | Examples | Storage Location |
|---|---|---|
| Database Credentials | MYSQL_ROOT_PASSWORD | .env file (gitignored) |
| API Keys | JWT_SECRET, REDIS_PASSWORD | .env file (gitignored) |
| SSL Certificates | Let's Encrypt certs | NPM volume |
| SSH Keys | Backup access keys | ASUSTOR secure storage |
2. Environment File Structure
2.1 Main Environment File
```dotenv
# File: /share/np-dms/.env (QNAP)
# ⚠️ This file MUST be in .gitignore

# === Database ===
MYSQL_ROOT_PASSWORD=<strong-password>
MYSQL_DATABASE=lcbp3_db
MYSQL_USER=lcbp3_user
MYSQL_PASSWORD=<strong-password>

# === Redis ===
REDIS_PASSWORD=<strong-password>

# === Application ===
JWT_SECRET=<random-256-bit-string>
SESSION_SECRET=<random-256-bit-string>

# === Monitoring ===
GRAFANA_PASSWORD=<admin-password>

# === External Services ===
LINE_CHANNEL_SECRET=<line-secret>
LINE_CHANNEL_ACCESS_TOKEN=<line-token>
SMTP_PASSWORD=<email-password>
```
2.2 Docker Compose Override (Optional)
```yaml
# File: /share/np-dms/docker-compose.override.yml
# For additional local development secrets
services:
  backend:
    environment:
      - DEBUG_MODE=true
      - LOG_LEVEL=debug
```
3. Secret Generation
3.1 Generate Strong Passwords
```bash
# Generate random 32-character password
openssl rand -base64 32

# Generate random hex string (for JWT)
openssl rand -hex 64
```
3.2 Recommended Password Policy
| Type | Length | Characters | Example Tool |
|---|---|---|---|
| Database | 24+ | Alphanumeric + symbols | openssl rand -base64 32 |
| JWT Secret | 64+ | Hex | openssl rand -hex 64 |
| API Keys | 32+ | Alphanumeric | openssl rand -base64 32 |
4. Secret Rotation
4.1 Rotation Schedule
| Secret Type | Rotation Period | Impact on Services |
|---|---|---|
| JWT Secret | 90 days | Users need to re-login |
| Database Password | 180 days | Requires restart |
| Redis Password | 180 days | Requires restart |
| SSL Certificates | Auto (Let's Encrypt) | None |
4.2 Rotation Procedure
```bash
# 1. Update .env file with new secret
nano /share/np-dms/.env

# 2. Restart affected services
docker-compose up -d --force-recreate backend

# 3. Verify services are running
docker ps
curl https://backend.np-dms.work/health
```
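The three steps above as a non-interactive script, added here as an example and not part of the LCBP3-DMS project. It generates the new value with the same `openssl` commands as section 3, rewrites `.env` atomically while keeping it at mode 600, leaves a timestamped rollback copy next to the file, and only then runs the restart and health check from steps 2 and 3. The service name and health URL are the ones this page uses; `rotate_secret`, `get_value` and `restart_and_verify` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the LCBP3-DMS documentation: rotate one secret in the
# .env file without an interactive editor. The file is rewritten atomically, kept at
# mode 0600, and a timestamped rollback copy is made before the change.
set -eu

# Generate a value matching the policy table (3.2):
# JWT/SESSION secrets -> 64 random bytes as 128 hex chars; anything else -> 32 random bytes, base64.
gen_secret() {
  case "$1" in
    JWT_SECRET|SESSION_SECRET) openssl rand -hex 64 ;;
    *) openssl rand -base64 32 | tr -d '\n' ;;
  esac
}

# rotate_secret FILE KEY [VALUE]
# Replaces the line "KEY=..." in FILE (appends it if absent) and prints the new value.
# Commented-out lines such as "# KEY=..." are left untouched.
rotate_secret() {
  file="$1"; key="$2"; value="${3:-}"
  [ -n "$value" ] || value="$(gen_secret "$key")"
  cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"   # rollback copy, same mode as the original
  tmp="$(mktemp "$file.XXXXXX")"
  KEY="$key" VALUE="$value" awk '
    BEGIN { prefix = ENVIRON["KEY"] "="; done = 0 }
    index($0, prefix) == 1 { print prefix ENVIRON["VALUE"]; done = 1; next }
    { print }
    END { if (!done) print prefix ENVIRON["VALUE"] }
  ' "$file" > "$tmp"
  chmod 600 "$tmp"
  mv "$tmp" "$file"                                  # atomic replace on the same filesystem
  printf '%s\n' "$value"
}

# get_value FILE KEY: read a value back, e.g. to confirm the rotation before restarting.
get_value() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Steps 2 and 3 of the procedure above; service name and health URL are the page's.
restart_and_verify() {
  docker-compose up -d --force-recreate "${1:-backend}"
  curl -fsS --max-time 10 "${2:-https://backend.np-dms.work/health}" >/dev/null \
    && echo "healthy: ${1:-backend}"
}

# Typical use on the QNAP (needs the real file and Docker; not run here):
#   rotate_secret /share/np-dms/.env JWT_SECRET >/dev/null && restart_and_verify backend
```

The rollback copy contains the previous secret, so delete it once the health check passes. Because the new value is passed to `awk` through the environment rather than a `sed` substitution, base64 output containing `/` or `+` cannot corrupt the replacement.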
5. Access Control
5.1 Who Has Access
| Role | .env Access | Server SSH | Backup Access |
|---|---|---|---|
| System Admin | ✅ Full | ✅ Full | ✅ Full |
| DevOps | ✅ Read | ✅ Limited | ❌ None |
| Developer | ❌ None | ❌ None | ❌ None |
5.2 Audit Logging
```bash
# View SSH login attempts
tail -100 /var/log/auth.log

# Monitor file access
auditctl -w /share/np-dms/.env -p rwa -k secrets_access
```
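A small filter that turns the `tail -100 /var/log/auth.log` output above into a per-source count of failed SSH logins, added here as an example and not part of the LCBP3-DMS project. The log lines are constructed samples in the syslog format Debian-family `sshd` writes, using documentation address ranges; `failed_logins_by_ip` and `top_offender` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the LCBP3-DMS documentation: summarise the raw auth.log
# tail from 5.2 as failed SSH logins per source address. Reads auth.log lines on stdin.
set -eu

# failed_logins_by_ip: count "Failed password" / "Invalid user" sshd events per source IP,
# most frequent first (output is "uniq -c" style: count, then address).
failed_logins_by_ip() {
  grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user)' \
    | sed -nE 's/.* from ([0-9.]+) .*/\1/p' \
    | sort | uniq -c | sort -rn
}

# top_offender: the single most frequent source as "COUNT IP", handy for a threshold alert.
top_offender() {
  failed_logins_by_ip | head -n 1 | awk '{ print $1, $2 }'
}

# Constructed sample lines (not real logs); the addresses are documentation ranges.
# Against the real file the call from 5.2 becomes:
#   tail -100 /var/log/auth.log | failed_logins_by_ip
SAMPLE_AUTH_LOG='Jan 10 02:11:07 qnap sshd[2201]: Failed password for root from 203.0.113.5 port 51012 ssh2
Jan 10 02:11:09 qnap sshd[2201]: Failed password for root from 203.0.113.5 port 51012 ssh2
Jan 10 02:12:30 qnap sshd[2210]: Invalid user admin from 198.51.100.7 port 40022
Jan 10 02:13:01 qnap sshd[2215]: Accepted publickey for admin from 192.168.10.9 port 53300 ssh2
Jan 10 02:14:44 qnap sshd[2230]: Failed password for invalid user test from 203.0.113.5 port 51020 ssh2'

# demo: run the filter over the sample; prints "3 203.0.113.5" and "1 198.51.100.7".
demo() { printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip; }
```

The successful `Accepted publickey` line from the ASUSTOR address is deliberately excluded by the filter, so a rise in the top count is a signal rather than normal backup traffic. Events recorded by the `auditctl -k secrets_access` rule are read separately with `ausearch -k secrets_access`.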
6. Emergency Procedures
6.1 Secret Compromised
- Immediately rotate the compromised secret
- Check access logs for unauthorized access
- Notify security team
- Document incident
6.2 Lost Access to Secrets
- Contact QNAP Admin for direct access
- Use backup .env from ASUSTOR (encrypted)
- If both unavailable, regenerate all secrets and reset passwords
7. Backup of Secrets
```bash
# Encrypted backup of .env (run on QNAP)
# gpg stops parsing options at the first filename, so -o must come before the input path
gpg --symmetric --cipher-algo AES256 \
  -o /tmp/env.gpg /share/np-dms/.env

# Copy to ASUSTOR
scp /tmp/env.gpg admin@192.168.10.9:/volume1/backup/secrets/

# Clean up
rm /tmp/env.gpg
```
7.1 Restore from Backup
```bash
# Copy from ASUSTOR
scp admin@192.168.10.9:/volume1/backup/secrets/env.gpg /tmp/

# Decrypt
gpg --decrypt /tmp/env.gpg > /share/np-dms/.env

# Clean up
rm /tmp/env.gpg
```
8. Checklist
- .env file exists and is configured
- .env is in .gitignore
- All passwords are strong (24+ characters)
- JWT secret is 64+ hex characters
- Encrypted backup of secrets exists on ASUSTOR
- Access control is properly configured
- Rotation schedule is documented
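The first four checklist items and the password policy from section 3.2 can be verified mechanically. The script below is an added example, not part of the LCBP3-DMS project: it checks that `.env` exists, is listed in `.gitignore`, is readable only by its owner, and that every secret-looking key (`*PASSWORD*`, `*SECRET*`, `*TOKEN*`) meets the minimum length and, for JWT/session secrets, is hexadecimal; untouched `<placeholder>` values from the template fail. `check_secret` and `check_env_file` are names chosen for this example, and only key names, never values, are printed.

```shell
#!/bin/sh
# Added example, not part of the LCBP3-DMS documentation: check a .env file against the
# password policy in 3.2 and the checklist above. Prints one line per finding and
# returns non-zero if anything fails, so it can gate a deployment.
set -eu

# check_secret KEY VALUE -> 0 when VALUE satisfies the policy for KEY (or KEY is not a
# secret, e.g. MYSQL_DATABASE), 1 otherwise. Template placeholders like <strong-password> fail.
check_secret() {
  key="$1"; val="$2"
  case "$val" in '<'*'>') return 1 ;; esac
  case "$key" in
    JWT_SECRET|SESSION_SECRET)                          # 64+ hex characters
      [ "${#val}" -ge 64 ] && printf '%s' "$val" | grep -Eq '^[0-9a-fA-F]+$' ;;
    *PASSWORD*)                                         # database-style: 24+ characters
      [ "${#val}" -ge 24 ] ;;
    *SECRET*|*TOKEN*)                                   # API keys: 32+ characters
      [ "${#val}" -ge 32 ] ;;
    *) return 0 ;;                                      # not a secret
  esac
}

# check_env_file ENV_FILE GITIGNORE -> 0 when every mechanical checklist item passes.
check_env_file() {
  env_file="$1"; gitignore="$2"; rc=0
  if [ ! -f "$env_file" ]; then echo "FAIL: $env_file does not exist"; return 1; fi
  if ! grep -Eqx '/?\.env' "$gitignore" 2>/dev/null; then
    echo "FAIL: .env is not listed in $gitignore"; rc=1
  fi
  mode="$(stat -c %a "$env_file" 2>/dev/null || stat -f %Lp "$env_file")"
  if [ "$mode" != "600" ]; then echo "FAIL: $env_file is mode $mode, expected 600"; rc=1; fi
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac       # skip blanks and comments
    if ! check_secret "${line%%=*}" "${line#*=}"; then
      echo "FAIL: ${line%%=*} does not meet the policy (length, charset or placeholder)"; rc=1
    fi
  done < "$env_file"
  [ "$rc" -eq 0 ] && echo "OK: $env_file passes the checklist"
  return "$rc"
}

# Typical use on the QNAP (paths from this page; not run here):
#   check_env_file /share/np-dms/.env /share/np-dms/.gitignore
```

Run it after every rotation and before a deployment; a non-zero exit is the signal to stop. The checks for the ASUSTOR backup, access control and the rotation schedule remain manual items.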
⚠️ Security Warning: Never store secrets in version control or commit them to the Git repository.
📝 Note: This document is based on Architecture Document v1.8.0.