Key Management secrets engine

[pdrivom]

Is your feature request related to a problem? Please describe.
Storing JWT encryption key on a server, it's not the most secure option. Using a Key Management engine, makes it safer for production setting.

Describe the solution you'd like
Use Hashicorp Vault integration for DB credentials (with auto-rotating), JWT secrets, etc.

[seapagan]

True, but it is currently acceptable for the state of the API. Bearing in mind that if you are using Netlify or similar you can store the environment variables in their secure systems anyway.

If a bad actor has access to your server, the JWT secret is only the start of your problem 🤷‍♂️

I'll convert this issue into a discussion for now and when the project is more advanced we can look at integrating it.

[pdrivom]

Hi @seapagan, this options should be configurable as well. Depending on the cloud provider they have their own solution for Key Management Service. But for the ones not using cloud provider this option would enhance greatly the security.

A very common case is the leak of the secret, so, any option to mitigate that by default, is a good effort.

[seapagan]

I have looked at this again, and stil cant see the justification for the extra complexity as the projects stands.

However, I have implemented #842 which allows the use of a "Secrets Directory" using the functionality built in to pydantic-settings, enabled for all password-like options. A proper secret directory, outside the app folders and with proper permissions (superuser owned and read-only for the api user) mitigates the posibility of "leak of the secret" above (which honestly a KMS does not)