Add security section to docs and new YT video

Infisical · Nov 20, 2022 · 870a66c · 870a66c
1 parent 67b21e8
commit 870a66c
Show file tree

Hide file tree

Showing 18 changed files with 137 additions and 56 deletions.
diff --git a/docs/getting-started/cli/cli-guide.mdx b/docs/getting-started/cli/cli-guide.mdx
@@ -2,6 +2,8 @@
 title: "Usage"
 ---
 
+Prerequisite: [Install the CLI](../../getting-started/cli/installation)
+
 ## Login
 
 Login in using the `login` command in your terminal. Logging in is a one-time, post-installation action that authenticates you with the platform — to change users, you can run the command again.

diff --git a/docs/getting-started/cli/installation.mdx b/docs/getting-started/cli/installation.mdx
@@ -2,7 +2,7 @@
 title: "Installation"
 ---
 
-Prerequisite: Setup an account with Infisical Cloud or via self-hosted installation.
+Prerequisite: [Setup an account](../../getting-started/dashboard/create-account) with Infisical Cloud or via self-hosted installation.
 
 Follow the guide for your OS below to install the CLI.
 

diff --git a/docs/getting-started/dashboard/create-account.mdx b/docs/getting-started/dashboard/create-account.mdx
@@ -14,7 +14,11 @@ If you're using a self-hosted installation, follow the [setup](/self-hosting/ove
 
 **Step 2:** Fill out the signup sequence.
 
-After verifying your email address, you'll be prompted to fill out some required fields to set up your account.
+![signup start](../../images/signup-box.png)
+![signup one-time password](../../images/signup-otp.png)
+![signup complete account](../../images/signup-complete-account.png)
+
+You'll be prompted to fill out some required fields to set up your account.
 
 | Field      | Description                 |
 | ---------- | --------------------------- |

diff --git a/docs/getting-started/dashboard/token.mdx b/docs/getting-started/dashboard/token.mdx
@@ -8,7 +8,7 @@ It grants read-only access to a particular environment and project for a specifi
 
 This is useful in the following contexts:
 
-- Docker/Docker-Compose integration: An Infisical Token can be passed to a Docker container as an environment variable for the CLI to authenticate and pull its corresponding secrets.
+- [Docker](../../integrations/docker)/[Docker-Compose](../../integrations/docker-compose) integration: An Infisical Token can be passed to a Docker container as an environment variable for the CLI to authenticate and pull its corresponding secrets.
 
 ## Generate an Infisical Token
 

diff --git a/docs/getting-started/introduction.mdx b/docs/getting-started/introduction.mdx
@@ -2,6 +2,12 @@
 title: "Introduction"
 ---
 
+<iframe
+  src="https://www.youtube.com/embed/0q_IroMV1ns"
+  width="100%"
+  height="400"
+></iframe>
+
 Infisical is an [open-source](https://opensource.com/resources/what-open-source), end-to-end encrypted (E2EE) secret manager that enables teams to easily manage and sync their environment variables.
 
 It stops [secret sprawl](https://www.gitguardian.com/glossary/secret-sprawl-definition) by providing a single source-of-truth for environment variables. It offers a dashboard for teams to manage environment variables and a platform-agnostic CLI to inject them into apps and infrastructure.

diff --git a/docs/getting-started/security/data-model.mdx b/docs/getting-started/security/data-model.mdx
@@ -0,0 +1,27 @@
+---
+title: "Data Model"
+---
+
+Infisical stores a range of data namely user, secrets, keys, organization, project, and membership data.
+
+## Users
+
+The `User` model includes the fields `email`, `firstName`, `lastName`, `publicKey`, `encryptedPrivateKey`, `iv`, `tag`, `salt`, `verifier`, and `refreshVersion`.
+
+Infisical makes a usability-security tradeoff to give users convenient access to public-private key pairs across different devices upon login, solving key-storage and transfer challenges across device and browser mediums, in exchange for it storing `encryptedPrivateKey`. In any case, private keys are symmetrically encrypted locally by user passwords which are not sent to the server — this is done with SRP.
+
+## Secrets
+
+The `Secret` model includes the fields `workspace`, `type`, `user`, `environment`, `secretKeyCiphertext`, `secretKeyIV`, `secretKeyTag`, `secretKeyHash`, `secretValueCiphertext`, `secretValueIV`, `secretValueTag`, and `secretValueHash`.
+
+Each secret is symmetrically encrypted by the key of the project that it belongs to; that key's encrypted copies are stored in a separate `Key` collection.
+
+## Keys
+
+The `Key` model includes the fields `encryptedKey`, `nonce`, `sender`, `receiver`, and `workspace`.
+
+Infisical stores copies of project keys, one for each member of a project, encrypted under each member's public key.
+
+## Organizations and Workspaces
+
+The `Organization`, `Workspace`, `MembershipOrg`, and `Membership` models contain enrollment information for organizations and projects; they are used to check if users are authorized to retrieve select secrets.
diff --git a/docs/getting-started/security/mechanics.mdx b/docs/getting-started/security/mechanics.mdx
@@ -0,0 +1,24 @@
+---
+title: "Mechanics"
+---
+
+## Signup
+
+During account signup, a user confirms their email address via OTP, generates a public-private key pair to be stored locally (private keys are symmetrically encrypted by the user's newly-made password), and forwards SRP-related values and user identifier information to the server. This includes `email`, `firstName`, `lastName`, `publicKey`, `encryptedPrivateKey`, `iv`, `tag`, `salt`, `verifier`, and `organizationName`.
+
+Once authenticated via SRP, a user is issued a JWT and refresh token. The JWT token is stored in browser memory under a write-only class `SecurityClient` that appends the token to all future outbound requests requiring authentication. The refresh token is stored in an `HttpOnly` cookie and included in future requests to `/api/token` for JWT token renewal. This design side-steps potential XSS attacks on local storage.
+
+<Info>
+  Infisical authenticates users using the SRP protocol. With SRP, the server can
+  authenticate users without ever seeing their passwords.
+</Info>
+
+## Invitation
+
+After signing up, a user can invite other users to their organization to partake in projects — An invitation here consists of an email verification link sent to the invitee to confirm their identity if they've not previously signed up to Infisical. Both organization and project invites authorize invitees for resources but project invites differ in that they also involve sharing project keys by encrypting them under the invitees' public keys.
+
+## Pushing/Pulling Secrets
+
+To push secrets, a sender randomly-generates a symmetric encryption key, uses that key to encrypt their secret keys and values separately, asymmetrically encrypts the key with the receivers’ public keys, and uploads the encrypted secrets and keys to the server.
+
+To pull secrets, a receiver obtains encrypted secret keys and values and their encrypted copy of the project key to decrypt the secrets from the server — they asymmetrically decrypt the key using their private key and use the decrypted key to decrypt the secrets. This public-key mechanism prevents the server-side from reading any secrets.
diff --git a/docs/getting-started/security/overview.mdx b/docs/getting-started/security/overview.mdx
@@ -0,0 +1,20 @@
+---
+title: "Overview"
+---
+
+## Summary
+
+Infisical uses end-to-end encryption (E2EE) whenever possible to securely store and share secrets. It uses secure remote password (SRP) to handle authentication and public-key cryptography for secret sharing and syncing; secrets are symmetrically encrypted at rest by keys decryptable only by members of the project.
+
+Infisical uses AES256-GCM for symmetric encryption and x2519-xsalsa20-poly1305 for asymmetric encryption operations mentioned in this brief; key generation and asymmetric algorithms are implemented with the [TweetNaCl.js](https://tweetnacl.js.org/#/) library which has been well-audited and recommended for use by cybersecurity firm Cure53. Lastly, the secure remote password (SRP) implementation uses [jsrp](https://github.com/alax/jsrp) package for user authentication. As part of our commitment to user privacy and security, we aim to conduct formal security and compliance audits in the following year.
+
+## Scope
+
+Infisical's security model spans sensitive data stored on the server-side and in transit between user devices; it makes no security guarantees for malicious events that can occur beyond its control such as user-device security exploits or key-logging arising from poor cybersecurity management on the users’ behalf.
+
+## Lingo
+
+In subsequent sections, we refer:
+
+- To users uploading their secrets to Infisical as “senders” and those receiving secrets as “receivers". For instance, if Bob and Alice are both enrolled in a project and Bob adds new secrets to the project to be pulled by Alice, then Bob is considered to be the sender and Alice the receiver.
+- To any activity involving uploading or modifying secrets to Infisical as "pushing" and fetching secrets from Infisical as "pulling."
diff --git a/docs/getting-started/security/statement.mdx b/docs/getting-started/security/statement.mdx
@@ -0,0 +1,11 @@
+---
+title: "Statement"
+---
+
+As a secrets manager, we are deeply committed to enforcing the privacy and security of all users and data on the platform but acknowledge that it is virtually impossible to guarantee perfect security; unfortunately, even the most secure systems have vulnerabilities.
+
+As part of our commitment, we do our best to maintain platform privacy and security, notify users if anything goes wrong, and rectify adverse situations immediately if anything happens. As Infisical grows, we will be adding more opt-in security measures to ensure better data protection and maintain trust within the growing community. With that, let’s make the most simple and secure secrets management system out there!
+
+Best,
+
+Infisical Team
diff --git a/docs/images/signup-box.png b/docs/images/signup-box.png
diff --git a/docs/images/signup-complete-account.png b/docs/images/signup-complete-account.png
diff --git a/docs/images/signup-otp.png b/docs/images/signup-otp.png
diff --git a/docs/integrations/docker-compose.mdx b/docs/integrations/docker-compose.mdx
@@ -2,22 +2,4 @@
 title: "Docker Compose"
 ---
 
-## Instructions
-
-### Step 1: Open the integrations csonsole
-
-Open the Infisical Dashboard. Choose the project in which you want to set up the intergation. Go to the integrations tab in the left sidebar.
-
-### Step 2: Authenticate with Heroku
-
-Click on Heroku in the list of available integrations. Log in if asked by Heroku and provide the necessary permissions to Infisical. You will afterwards be redirected back to the integrations page.
-
-Note: during an integration with Heroku, for security reasons, it is impossible to maintain end-to-end encryption. In theory, this lets Infisical decrypt yor environment variables. In practice, we can assure you that this will never be done, and it allows us to protect your secrets from bad actors online. The core Infisical service will always stay end-to-end encrypted. With any questions, reach out [email protected].
-
-### Step 3: Start integration
-
-Once the integration is set up, choose a Heroku App that you want to sync the secrets to, and the Infisical project environment that you would to sync the secrets from. Click on the "Start Integration" button.
-
-### Step 4: You're good to go!
-
-The integration should now show status 'In Sync'. Every time you edit the secrets, they will be automatically pushed to Heroku. If you want to update anything in your integration, you will have to delete the current one and create a new one.
+Coming soon...
diff --git a/docs/integrations/docker.mdx b/docs/integrations/docker.mdx
@@ -2,7 +2,9 @@
 title: "Docker"
 ---
 
-### Step 1: Add CLI to your Dockerfile
+Prerequisite: [Infisical Token and How to Generate One](../../getting-started/dashboard/token).
+
+## Step 1: Add CLI to your Dockerfile
 
 <Tabs>
 	 <Tab title="Alpine">
@@ -29,32 +31,32 @@ title: "Docker"
    </Tab>
 </Tabs>
 
-### Step 2: Generate Infisical Token
-In order for Infisical CLI to authenticate and retrieve your project's secrets without exposing your login credentials, you must generate a Infisical Token.
-To learn how, visit [Infisical Token](../getting-started/cli/infisical-token). Once you have generated the token, keep it handy. 
+## Step 2: Generate Infisical Token
 
-### Step 3: Set start command of your container
-```dockerfile
-CMD ["infisical", "--env=<you-project-env-name>", "projectId=<your-project-id>", "run", "---", "<your application start command>"]
-```
+In order for the CLI to authenticate and retrieve your project's secrets without requiring your login credentials, you must [generate an Infisical Token](../../getting-started/dashboard/token); keep it handy.
+
+## Step 3: Set start command of your container
 
-Example 
 ```dockerfile
+CMD ["infisical", "--env=[your-project-env-name]", "projectId=[your-project-id]", "run", "---", "<your application start command>"]
+
+# example
 CMD ["infisical", "--env=prod", "projectId=62faf98ae0b05e83239b5da41", "run", "---", "npm run start"]
 ```
-| flag | Description                           | 
-| ------------ | ----------------------------------- | 
-| `--env`     | This is the environment name the CLI will use to pull secrets from your project.                    
-| `--projectId`      | This is the project id of the token you generated in step 2.                         | 
 
-To learn more about the flags used above, please visit our [CLI guide](../getting-started/cli/cli-guide)
+Required options:
+
+| Option        | Description                                                                                                 | Default value |
+| ------------- | ----------------------------------------------------------------------------------------------------------- | ------------- |
+| `--env`       | Used to set the environment that secrets are pulled from. Accepted values: `dev`, `staging`, `test`, `prod` | `dev`         |
+| `--projectId` | Used to link a local project to the platform                                                                | `None`        |
 
-### Last step: Tell Docker your Infisical Token
+## Step 4: Feed Docker your Infisical Token
 
-The Infisical CLI looks out for a environment variable called `INFISICAL_TOKEN`. To expose this environment variable to 
-your container do the following when running the `docker run` command. Remember, the `INFISICAL_TOKEN` is the token you generated in 
-step 2.
+The CLI looks out for an environment variable called the `INFISICAL_TOKEN` which you can set depending on where you run the CLI. If `INFISICAL_TOKEN` is detected by the CLI, it will authenticate and retrieve the environment variables which the token is authorized for.
 
 ```bash
  docker run --env INFISICAL_TOKEN=<the-token-you-got-from-step-2>...
-```
+```
+
+Note: `INFISICAL_TOKEN` is the token you generated in step 2.
diff --git a/docs/mint.json b/docs/mint.json
@@ -27,11 +27,6 @@
     "url": "https://infisical.com/signup"
   },
   "anchors": [
-    {
-      "name": "Security",
-      "icon": "shield-halved",
-      "url": "https://infisical.com/security"
-    },
     {
       "name": "Blog",
       "icon": "newspaper",
@@ -44,6 +39,15 @@
       "pages": [
         "getting-started/introduction",
         "getting-started/features",
+        {
+          "group": "Security",
+          "pages": [
+            "getting-started/security/overview",
+            "getting-started/security/data-model",
+            "getting-started/security/mechanics",
+            "getting-started/security/statement"
+          ]
+        },
         {
           "group": "Web UI",
           "pages": [

diff --git a/docs/self-hosting/configuration/envars.mdx b/docs/self-hosting/configuration/envars.mdx
@@ -21,10 +21,11 @@ Configuring Infisical requires setting some environment variables. There is a fi
 | `JWT_AUTH_LIFETIME`               | JWT token lifetime expressed in seconds or a string describing a time span (e.g. 60, "2 days", "10h", "7d") | `10d`            |
 | `EMAIL_TOKEN_LIFETIME`            | Email OTP/magic-link lifetime expressed in seconds                                                          | `86400`          |
 | `MONGO_URL`                       | ❗️ MongoDB instance connection string either to container instance or MongoDB Cloud                        | `None`           |
-| `MONGO_USERNAME`                  | MongoDB container username                                                                                  | `None`           |
-| `MONGO_PASSWORD`                  | MongoDB container password                                                                                  | `None`           |
+| `MONGO_INITDB_ROOT_USERNAME`      | MongoDB container username                                                                                  | `None`           |
+| `MONGO_INITDB_ROOT_PASSWORD`      | MongoDB container password                                                                                  | `None`           |
 | `ME_CONFIG_MONGODB_ADMINUSERNAME` | Same as `MONGO_USERNAME` for mongo-express in development                                                   | `None`           |
 | `ME_CONFIG_MONGODB_ADMINPASSWORD` | Same as `MONGO_PASSWORD` for mongo-express in development                                                   | `None`           |
+| `NODE_ENV`                        | ❗️ `production` or `development`                                                                           | `None`           |
 | `NEXT_PUBLIC_WEBSITE_URL`         | ❗️ Site URL - should be an absolute URL including the protocol (e.g. `https://infisical.com`)              | `None`           |
 | `SMT_HOST`                        | Whether the user joined the community                                                                       | `smtp.gmail.com` |
 | `SMTP_NAME`                       | ❗️ Whether the user joined the community                                                                   | `None`           |

diff --git a/docs/self-hosting/deployments/linux.mdx b/docs/self-hosting/deployments/linux.mdx
@@ -27,18 +27,17 @@ apt install docker-compose
 
 ```bash
 # Download env file template
-wget -O .env https://raw.githubusercontent.com/Infisical/infisical-merge/main/.env.example
+wget -O .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
 
 # Download docker compose template
-wget -O docker-compose.yml https://raw.githubusercontent.com/Infisical/infisical-merge/main/docker-compose.yml
-wget -O docker-compose.yml https://raw.githubusercontent.com/Infisical/infisical-merge/main/docker-compose.prod.yml
+wget -O docker-compose.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.yml
 
 # Download nginx config
-mkdir nginx && cd nginx && wget -O https://raw.githubusercontent.com/Infisical/infisical-merge/main/nginx/default.conf
+mkdir nginx && cd nginx && wget -O https://raw.githubusercontent.com/Infisical/infisical/main/nginx/default.conf
 cd ..
 ```
 
-3. Tweak the `.env` according to your preferences. Refer to the available [environment variables](envars).
+3. Tweak the `.env` according to your preferences. Refer to the available [environment variables](../../self-hosting/configuration/envars)
 
 ```bash
 # update environment variables like mongo login
@@ -49,7 +48,7 @@ nano .env
 
 ```bash
 # Start up services in detached mode
-docker-compose -f docker-compose.yaml -f docker-compose.prod.yml up -d
+docker-compose -f docker-compose.prod.yml up -d
 ```
 
-5. Your Infisical installation is complete. Please note that the containers are not exposed to the internet and only bind to the localhost. It's up to you to set up a firewall and implement any additional security measures.
+5. Your Infisical installation is complete and should be running on ports 40 and 443. Please note that the containers are not exposed to the internet and only bind to the localhost. It's up to you to configure a firewall, SSL certificates, and implement any additional security measures.
diff --git a/docs/self-hosting/overview.mdx b/docs/self-hosting/overview.mdx
@@ -1,6 +1,5 @@
 ---
 title: "Overview"
-description: "Options for hosting Infisical"
 ---
 
 <Info>