A GCP persistent disk is encrypted with a key specified in plain text
| Severity | Exploitability | Providers | Categories |
|---|---|---|---|
| CRITICAL | HIGH | Google Cloud Provider | DATA, SECRET |
Description#
The value of a sensitive environment variable (encryption key) is defined in plaintext. It will be stored in the raw state as plain text, and in the code repository as well.
Impact#
| Potential data exposure | Visible in logs | User interaction required | Privileges required |
|---|---|---|---|
| True | True | False | True |
The data stored on the persistent disk could be accessed and decrypted by a malicious actor with access to the repository or the raw state.
Remediation guidelines#
The encryption key should be stored and accessed with a secret manager. The exposed encryption key should be rotated, and the content of the persistent disk should be re-encrypted with the newly generated encryption key.