
A GCP persistent disk is encrypted with a key specified in plain text

Severity: CRITICAL
Exploitability: HIGH
Providers: Google Cloud Provider
Categories: DATA, SECRET

Description

The value of a sensitive environment variable (the encryption key) is defined in plain text. It will be stored in plain text in the raw state, and in the code repository as well.

Impact

Potential data exposure: True
Visible in logs: True
User interaction required: False
Privileges required: True

The data stored on the persistent disk could be accessed and decrypted by a malicious actor with access to the repository or the raw state.

Remediation guidelines

The encryption key should be stored and accessed with a secret manager. The exposed encryption key should be rotated, and the content of the persistent disk should be re-encrypted with the newly generated encryption key.
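The flagged pattern next to a remediated form, as an added example that is not part of this rule page. It assumes the disk is declared in Terraform with the hashicorp/google provider (the page speaks of raw state and a code repository), and every resource name, secret id and key path is a placeholder.

```hcl
# Added example, not from the original page. Assumes Terraform with the hashicorp/google
# provider; every name, secret id and key path below is a placeholder.

# FLAGGED: the customer-supplied key is a string literal in the configuration, so it is
# committed to the repository and written unredacted to the raw state file.
resource "google_compute_disk" "flagged" {
  name = "example-disk"
  zone = "us-central1-a"

  disk_encryption_key {
    raw_key = "<base64-encoded 256-bit key literal>" # placeholder, the pattern this rule flags
  }
}

# REMEDIATED (secret manager): the key is read from Secret Manager at plan time, so the
# literal leaves the repository. Rotate the exposed key and re-encrypt the disk content
# with the new key first. The fetched value is still recorded in state, so the state
# file itself must be protected as a secret.
data "google_secret_manager_secret_version" "disk_key" {
  secret  = "persistent-disk-raw-key" # placeholder secret id
  version = "latest"
}

resource "google_compute_disk" "remediated" {
  name = "example-disk"
  zone = "us-central1-a"

  disk_encryption_key {
    raw_key = data.google_secret_manager_secret_version.disk_key.secret_data
  }
}

# ALTERNATIVE (no key material in code or state): reference a Cloud KMS key and let
# Compute Engine call KMS on the disk's behalf; only the key's resource name is stored.
resource "google_compute_disk" "kms_backed" {
  name = "example-disk-kms"
  zone = "us-central1-a"

  disk_encryption_key {
    kms_key_self_link = "projects/<project>/locations/us-central1/keyRings/<ring>/cryptoKeys/<key>" # placeholder
  }
}
```

A scanner looking for this finding should match a literal `raw_key` (or `rsa_encrypted_key`) value inside `disk_encryption_key`, and treat a data-source or KMS reference as the accepted form.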

References