The security model of Silent Data [Oracle] is focused mainly on keeping the API secrets used in Jobs confidential: they should be available only to the user who entered them and to the enclaves that run the job. While a user is editing a job configuration, the secrets exist only in the temporary state of the frontend application and are lost on a page refresh. When a draft is saved or a job is published, the secrets are encrypted with a symmetric key derived from an ephemeral private key generated in the frontend code and the persistent public key of the enclave, so only the enclave can re-derive that key. The encryption uses a hash of the job configuration as Additional Authenticated Data (AAD), so the secrets can only be decrypted for, and used with, exactly that job configuration. Only the encrypted secrets and the corresponding ephemeral frontend public key are stored in the database.
When a user opens a draft job configuration that has secrets, they are prompted for their password. A key derived from that password encrypts the secrets, and the ciphertext is stored in the browser's local storage. When the user returns to the draft and encrypted secrets are present in local storage, they are prompted for the password again; the key is re-derived, and the secrets are decrypted back into the temporary frontend state. If the user changes the job configuration, the encrypted secrets in the database are no longer valid, because the AAD (the hash of the configuration) no longer matches. In that case the secrets are replaced by the values held in temporary state and re-encrypted with the new AAD when the draft is next saved or published.
If the user opens the draft in a different browser or on a different machine, the encrypted local storage entry is not present and the user has to re-enter the secrets. The password-encrypted secrets are kept only locally and never sent to the database, because a user-chosen password may have low entropy, so the strength of that encryption cannot be guaranteed. Password encryption plus local storage is a compromise between user experience and security; a user who prefers not to store secrets locally at all can opt out and re-enter the secrets each time.