
Locksmith

Product Summary

Locksmith is a secret management application that securely automates the rotation of expiring certificates, secrets and keys across multiple systems. After deploying and supporting many complex identity and access management solutions for customers, one of the most common causes of downtime we see is expired secrets. Locksmith was built to automate this process, preventing downtime while also increasing security.

The use cases that Locksmith seeks to solve are:

  • Notifying when a secret is expiring soon
  • Automatically rotating secrets in Azure AD app registrations
  • Automatically rotating Apple tokens required for federation
  • Rotating a secret in a dependent system after the actual secret has been rotated
  • Visualizing mappings of secrets to their various source and dependent systems

Security Considerations

Being a system that touches very sensitive information, Locksmith provides the following guarantees:

  1. Secrets are never stored directly in the application database. Instead, they live in a store, which is Azure Key Vault at the moment. Support for additional services as stores is possible in the future.
  2. The app is Azure cloud-native and uses Managed Identity as much as possible to prevent Locksmith's own dependencies from being taken down by yet another expiring secret.
  3. Secrets are never directly logged when being entered or rotated.
  4. Authentication is enabled by default and cannot be disabled. It is recommended to restrict the users allowed to use Locksmith via the user assignment feature in the "Enterprise Apps" section after registration.

Usage

Locksmith has a couple of key terms:

Stores Where the actual secret - be it a string, certificate or managed key - is stored. Currently this is Azure Key Vault, but it could represent any generic secret store.

Providers The source of the secret. For example, an Azure AD app registration's client secret or an Apple certificate configuration.

Secrets These reference a Key Vault URL that stores the actual secret, certificate or key. They typically come from a provider, but they can exist independently of one and be used for notifications only.

Receivers An additional service to update when a secret gets rotated. For example, an Azure AD B2C policy key or Entra ID federation secret.

Credentials The identity that Locksmith uses to connect to external services like Azure Key Vaults, Providers and Receivers.

The easiest way to familiarize yourself with possible configurations and usage is through some real-life examples:

Setup

Adding a store

TODO

Adding a provider

TODO

Entra ID Apple

Adding a receiver

TODO

Examples

Externally-tracked secret

The simplest use case is where you have a secret that you've been tracking somewhere (OneNote, Notepad, a sticker on your monitor, etc.) and are tired of setting calendar reminders for its rotation. Instead, you can use Locksmith to remind you when to rotate it.

  1. Create and connect your store
  2. Manually navigate to your store
  3. Add the secret
  4. Set the expiration date on the secret you're tracking manually
  5. Navigate to the "secrets" page and enable notifications on that secret

You'll now receive notifications when the secret is close to expiration, or expired. Note that you'll also need to manually update the expiration date and secret contents after you rotate it yourself.
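The scan-and-notify behaviour described above, written out as an added illustration (this is not Locksmith's code; the SecretRecord shape, the 14-day warning window and the sample secrets are assumptions constructed for the example). It shows the two states a notification is raised for, "expiring" and "expired", and that the notification text carries only the secret's name and expiry metadata, never its value, in line with the page's guarantee that secrets are not logged:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed record shape: what a store scanner would have per secret.
@dataclass(frozen=True)
class SecretRecord:
    name: str
    value: str                      # sensitive material; must never reach a notification or log
    expires_on: Optional[datetime]  # timezone-aware, or None if untracked
    notify: bool = True             # mirrors "enable notifications on that secret"


def classify(record: SecretRecord, now: datetime, warn_within: timedelta = timedelta(days=14)) -> str:
    """Return 'expired', 'expiring', 'ok' or 'no-expiry' for one record."""
    if record.expires_on is None:
        return "no-expiry"
    if record.expires_on.tzinfo is None or now.tzinfo is None:
        raise ValueError("expiry comparisons require timezone-aware datetimes")
    if record.expires_on <= now:
        return "expired"
    if record.expires_on - now <= warn_within:
        return "expiring"
    return "ok"


def notice(record: SecretRecord, state: str, now: datetime) -> str:
    """Build the notification line from metadata only (name + expiry), never the value."""
    delta = record.expires_on - now
    when = f"in {delta.days} days" if delta > timedelta(0) else f"{-delta.days} days ago"
    return f"{state}: {record.name} expires {record.expires_on.isoformat()} ({when})"


def scan(records: List[SecretRecord], now: datetime,
         warn_within: timedelta = timedelta(days=14)) -> List[str]:
    """One scan pass: return notification lines for secrets that opted in and need attention."""
    notices = []
    for record in records:
        if not record.notify:
            continue
        state = classify(record, now, warn_within)
        if state in ("expired", "expiring"):
            notices.append(notice(record, state, now))
    return notices


def leaks_secret(notices: List[str], records: List[SecretRecord]) -> bool:
    """Guard used in tests: True if any secret value appears verbatim in a notification."""
    return any(record.value in line for record in records for line in notices)


# Constructed sample data: a fixed "now" and a handful of tracked secrets.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    SecretRecord("legacy-api-key", "example-value-1", datetime(2024, 5, 20, tzinfo=timezone.utc)),
    SecretRecord("smtp-password", "example-value-2", datetime(2024, 6, 10, tzinfo=timezone.utc)),
    SecretRecord("tls-cert", "example-value-3", datetime(2024, 12, 1, tzinfo=timezone.utc)),
    SecretRecord("internal-token", "example-value-4", datetime(2024, 6, 3, tzinfo=timezone.utc), notify=False),
    SecretRecord("untracked", "example-value-5", None),
]


def sample_scan() -> List[str]:
    return scan(SAMPLE_RECORDS, NOW)


if __name__ == "__main__":
    for line in sample_scan():
        print(line)
```

The secret with notifications disabled is skipped even though it is about to expire, and the untracked secret produces nothing; only the two records that opted in and are inside the window are reported.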

Apple Federation

Imagine that you have "sign in with Apple" configured in your identity provider. Since the secret must be generated and expires frequently, it's a good idea to automate this system to keep it secure and prevent it from being taken down. The rough steps you would follow are:

  1. Create a store if you don't already have one
  2. Add the store to Locksmith
  3. Create a provider of type "Apple" with information like your Team ID
  4. Upload the certificate to the store via Locksmith
  5. Link the secret to a receiver like Entra ID or Azure AD B2C

On a configurable, recurring interval, Locksmith will scan the store for expiring secrets. If the generated token is close to expiration, it will use the certificate to generate a new one, update all linked receivers, and send a notification to the configured emails.
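The "generated token" in this flow is Apple's Sign in with Apple client secret, which is a short-lived JWT (ES256, with the Team ID as issuer, the Service ID as subject and Apple's documented cap of 15777000 seconds on its lifetime); the page itself only calls it a token, so that format is an assumption stated here. The example below is added for illustration and is not Locksmith's code: it builds the unsigned header and claims that would be signed with the .p8 key, and reads the exp claim back out of an existing token to decide whether rotation is due. The Team ID, Key ID, Service ID and the signature bytes are constructed placeholders; the signing step itself is left to an ES256 implementation and is not shown.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

APPLE_AUD = "https://appleid.apple.com"
APPLE_MAX_LIFETIME = timedelta(seconds=15777000)  # Apple's documented cap (6 months)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_signing_input(team_id: str, key_id: str, client_id: str,
                        issued_at: datetime, lifetime: timedelta) -> str:
    """Return 'header.payload' for a new client secret; an ES256 signature over this
    string (made with the .p8 private key) is what turns it into the token Apple accepts."""
    if lifetime <= timedelta(0) or lifetime > APPLE_MAX_LIFETIME:
        raise ValueError("lifetime must be positive and at most 15777000 seconds")
    header = {"alg": "ES256", "kid": key_id}
    iat = int(issued_at.timestamp())
    payload = {
        "iss": team_id,                              # Apple Team ID
        "iat": iat,
        "exp": iat + int(lifetime.total_seconds()),  # drives the rotation schedule
        "aud": APPLE_AUD,
        "sub": client_id,                            # Service ID used for the web flow
    }
    return ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, payload))


def expires_at(token: str) -> datetime:
    """Read the exp claim of a token we minted ourselves. This does not verify the
    signature and must only be used for scheduling, never for authentication."""
    parts = token.split(".")
    if len(parts) not in (2, 3):
        raise ValueError("not a JWT-shaped string")
    claims = json.loads(_b64url_decode(parts[1]))
    return datetime.fromtimestamp(int(claims["exp"]), tz=timezone.utc)


def rotation_due(token: str, now: datetime, lead: timedelta = timedelta(days=14)) -> bool:
    """True when the token expires within the lead window (or already has)."""
    return expires_at(token) - now <= lead


# Constructed sample: placeholder identifiers, a 180-day token issued 2024-01-01,
# completed with a fake signature segment so it has the three-part JWT shape.
SAMPLE_TOKEN = (
    build_signing_input("TEAMID0000", "KEYID00000", "com.example.signin",
                        datetime(2024, 1, 1, tzinfo=timezone.utc), timedelta(days=180))
    + "." + _b64url(b"not-a-real-signature")
)


def sample_decision(now: datetime) -> bool:
    return rotation_due(SAMPLE_TOKEN, now)


if __name__ == "__main__":
    print("expires:", expires_at(SAMPLE_TOKEN).isoformat())
    print("due on 2024-06-20:", sample_decision(datetime(2024, 6, 20, tzinfo=timezone.utc)))
```

Capping the lifetime at build time matters because a token minted with a longer exp is rejected by Apple, so the scanner would otherwise keep "rotating" to a value that never works; the lead window gives the receivers time to pick up the new value before the old one lapses.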

Entra App Registrations

In some cases, services like Azure DevOps create app registrations in Entra ID that have secrets that will expire. In the case of Azure DevOps, it will pick up an updated secret after it's been rotated and the service connection has been saved again.

  1. Add a provider to connect your Entra ID tenant