IC-based secret sharing: Vault k8s Canister by Zondax

Hello everyone, we at Zondax have been recently working in a Proof of Concept of a decentralized secret management solution that leverages Internet Computer (IC) technology and aims to compete with existing solutions such as 1Password, Doppler, and Hashicorp Vault (among others).

Today, users face challenges in the secret management market due to complex deployment processes, high costs, vendor lock-in, security concerns in centralized systems, and limitations in customization and integration options. A new solution is needed to provide a user-friendly, secure, and cost-effective secret management experience that addresses these pain points while offering flexibility and adaptability to varying user needs.

From the point of view of users, the current secret management market has several pain points and challenges that need to be addressed:

• Security concerns: Centralized systems pose data privacy and security risks due to potential breaches.

• Complex deployment and setup: The setup process for secret management is often complex and time-consuming, particularly for businesses.

• High costs and vendor lock-in: Some secret management solutions come with high costs, including licensing, maintenance, and professional services fees. High expenses and difficulties in switching providers are common frustrations.

• Limited integrations: Many solutions don’t easily integrate with other platforms, leading to inefficiencies.

• Inconsistencies in user experience: Users may face inconsistencies in user experience across different platforms (desktop, web, mobile), leading to confusion and inefficiencies in secret management tasks.

• Insufficient support and community resources: Especially for free users, support can be insufficient, with few community resources available.

• Customization limitations: Organizations with unique needs may struggle to tailor solutions to their requirements.

Our project aims to provide means for services to share secrets in a flexible, transparent and secure way. It simplifies the flow of secret management between consumers in the cluster as well as rotate secrets based on config for added security. The product will offer a secure, decentralized infrastructure that eliminates the need for locally stored secrets, with the potential to evolve into a tokenized DAO. It will prioritize user experience, addressing common complaints about the complexity of AWS/GCP and the poor user experience of HCP.

In the future we want to keep building on top of what we have now by adding support for various secret types, adding more specialized sidecars as well as improve the distribution methods.

Discover our ongoing work here or watch our demo video.

Looking forward to your feedback!

This is an excellent product to implement on the IC.
I think the IC is the perfect platform on which to implement core application infrastructure for the wider internet due to its decentralized operation and security model.
Hashicorp Vault and Bitwarden are the two (commercial) open source code products from the web2 world that I would suggest using as models to inform your product development but I am sure you already have concrete plans in place for this.
All power to you in your development efforts, I look forward to beta testing the end results!

Where are the secrets stored? According to the sequence diagrams for the k8s example it seems that the canister does not store the secrets but instead stores who has access to the secrets and the secrets are stored outside of the IC. If that is so then how would you emulate an application like 1password?

Hi @timo Our intention is NOT to be a password manager like 1password and others, which are intended to be used by consumers. This project is more towards professional users and targets secret management for infrastructure. Our initial focus is kubernetes. Imagine an alternative to Hashicorp vault or Mozilla SOPS instead.

This initial proof of concept was around the idea of dynamic secrets, where the actual secret is irrelevant and rotates very frequently. Still, in the next stage, we are planning to leverage vetKey ICP new feature to handle static secrets, storing them on the canister, relying on it to safely keep secrets encrypted

Thanks for the support @icarus exactly, our aim is to build an alternative to Hashicorp vault or Mozilla SOPS by leveraging vetKey ICP new feature to handle static secrets, storing them on the canister, relying on it to safely keep secrets encrypted.