adelorenzo/talk2me
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
77f31cd694
talk2me/SECURITY.md
Adolfo Delorenzo 9170198c6c Add comprehensive secrets management system for secure configuration 
- Implement encrypted secrets storage with AES-128 encryption
- Add secret rotation capabilities with scheduling
- Implement comprehensive audit logging for all secret operations
- Create centralized configuration management system
- Add CLI tool for interactive secret management
- Integrate secrets with Flask configuration
- Support environment-specific configurations
- Add integrity verification for stored secrets
- Implement secure key derivation with PBKDF2

Features:
- Encrypted storage in .secrets.json
- Master key protection with file permissions
- Automatic secret rotation scheduling
- Audit trail for compliance
- Migration from environment variables
- Flask CLI integration
- Validation and sanitization

Security improvements:
- No more hardcoded secrets in configuration
- Encrypted storage at rest
- Secure key management
- Access control via authentication
- Comprehensive audit logging
- Integrity verification

CLI commands:
- manage_secrets.py init - Initialize secrets
- manage_secrets.py set/get/delete - Manage secrets
- manage_secrets.py rotate - Rotate secrets
- manage_secrets.py audit - View audit logs
- manage_secrets.py verify - Check integrity

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-06-03 00:24:03 -06:00

173 lines
4.1 KiB
Markdown
Raw Blame History

# Security Configuration Guide
This document outlines security best practices for deploying Talk2Me.
## Secrets Management
Talk2Me includes a comprehensive secrets management system with encryption, rotation, and audit logging.
### Quick Start
```bash
# Initialize secrets management
python manage_secrets.py init
# Set a secret
python manage_secrets.py set TTS_API_KEY
# List secrets
python manage_secrets.py list
# Rotate secrets
python manage_secrets.py rotate ADMIN_TOKEN
```
See [SECRETS_MANAGEMENT.md](SECRETS_MANAGEMENT.md) for detailed documentation.
## Environment Variables
**NEVER commit sensitive information like API keys, passwords, or secrets to version control.**
### Required Security Configuration
1. **TTS_API_KEY**
- Required for TTS server authentication
- Set via environment variable: `export TTS_API_KEY="your-api-key"`
- Or use a `.env` file (see `.env.example`)
2. **SECRET_KEY**
- Required for Flask session security
- Generate a secure key: `python -c "import secrets; print(secrets.token_hex(32))"`
- Set via: `export SECRET_KEY="your-generated-key"`
3. **ADMIN_TOKEN**
- Required for admin endpoints
- Generate a secure token: `python -c "import secrets; print(secrets.token_urlsafe(32))"`
- Set via: `export ADMIN_TOKEN="your-admin-token"`
### Using a .env File (Recommended)
1. Copy the example file:
```bash
cp .env.example .env
```
2. Edit `.env` with your actual values:
```bash
nano .env # or your preferred editor
```
3. Load environment variables:
```bash
# Using python-dotenv (add to requirements.txt)
pip install python-dotenv
# Or source manually
source .env
```
### Python-dotenv Integration
To automatically load `.env` files, add this to the top of `app.py`:
```python
from dotenv import load_dotenv
load_dotenv() # Load .env file if it exists
```
### Production Deployment
For production deployments:
1. **Use a secrets management service**:
- AWS Secrets Manager
- HashiCorp Vault
- Azure Key Vault
- Google Secret Manager
2. **Set environment variables securely**:
- Use your platform's environment configuration
- Never expose secrets in logs or error messages
- Rotate keys regularly
3. **Additional security measures**:
- Use HTTPS only
- Enable CORS restrictions
- Implement rate limiting
- Monitor for suspicious activity
### Docker Deployment
When using Docker:
```dockerfile
# Use build arguments for non-sensitive config
ARG TTS_SERVER_URL=http://localhost:5050/v1/audio/speech
# Use runtime environment for secrets
ENV TTS_API_KEY=""
```
Run with:
```bash
docker run -e TTS_API_KEY="your-key" -e SECRET_KEY="your-secret" talk2me
```
### Kubernetes Deployment
Use Kubernetes secrets:
```yaml
apiVersion: v1
kind: Secret
metadata:
name: talk2me-secrets
type: Opaque
stringData:
tts-api-key: "your-api-key"
flask-secret-key: "your-secret-key"
admin-token: "your-admin-token"
```
### Rate Limiting
Talk2Me implements comprehensive rate limiting to prevent abuse:
1. **Per-Endpoint Limits**:
- Transcription: 10/min, 100/hour
- Translation: 20/min, 300/hour
- TTS: 15/min, 200/hour
2. **Global Limits**:
- 1,000 requests/minute total
- 50 concurrent requests maximum
3. **Automatic Protection**:
- IP blocking for excessive requests
- Request size validation
- Burst control
See [RATE_LIMITING.md](RATE_LIMITING.md) for configuration details.
### Security Checklist
- [ ] All API keys removed from source code
- [ ] Environment variables configured
- [ ] `.env` file added to `.gitignore`
- [ ] Secrets rotated after any potential exposure
- [ ] HTTPS enabled in production
- [ ] CORS properly configured
- [ ] Rate limiting enabled and configured
- [ ] Admin endpoints protected with authentication
- [ ] Error messages don't expose sensitive info
- [ ] Logs sanitized of sensitive data
- [ ] Request size limits enforced
- [ ] IP blocking configured for abuse prevention
### Reporting Security Issues
If you discover a security vulnerability, please report it to:
- Create a private security advisory on GitHub
- Or email: security@yourdomain.com
Do not create public issues for security vulnerabilities.
Reference in New Issue View Git Blame Copy Permalink