Secrets
Secrets in System Initiative represent any confidential data, such as login information, API tokens, passwords, etc.
They are encrypted end to end: within the application, on the wire, and at rest.
Encryption Strategy
System Initiative is a multi-tenant system. The outermost boundary is an 'installation' of System Initiative: for most people this means our SaaS platform, but it can also be a local development instance, a BYOC instance, or a custom installation. Each installation generates an Ed25519 key pair of its own. This is the cluster key.
Each workspace generates its own Ed25519 key pair. The private half is encrypted with the cluster key before it is stored, so it is encrypted at rest (even if the database is compromised and dumped in plain text) and cannot be recovered without the corresponding cluster key. This is the workspace key.
When a secret is put into System Initiative, it is encrypted with the public half of the workspace key for the workspace it is destined for. Your secret is therefore also encrypted at rest, and cannot be recovered without both the cluster key and the workspace key.
When one of your secrets is needed by a function, we decrypt it and inject it into the micro-VM assigned to that function.
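The two-layer envelope described above, as an added example that is not System Initiative's own code (the product is written in Rust; this is a stand-alone Go model). It assumes a libsodium-style sealed box built from X25519 key agreement plus AES-256-GCM, with SHA-256 standing in for a proper KDF; Ed25519 is the signature form of Curve25519, and X25519 is the key-agreement form an encryption box actually needs. Whether System Initiative converts its Ed25519 keys or uses a libsodium box directly is not stated on this page. The types `Installation` and `WorkspaceRecord`, and all function names, are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must keeps the demo short: setup on our own keys cannot fail, so it panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// aeadFor keys AES-256-GCM with SHA-256(shared || ephPub || recipientPub).
// SHA-256 stands in for a real KDF here; use HKDF in production.
func aeadFor(shared, ephPub, recipientPub []byte) cipher.AEAD {
	h := sha256.New()
	h.Write(shared)
	h.Write(ephPub)
	h.Write(recipientPub)
	return must(cipher.NewGCM(must(aes.NewCipher(h.Sum(nil)))))
}

// sealTo encrypts to a public key under a fresh ephemeral key, in the spirit
// of libsodium's crypto_box_seal. Layout: ephemeralPub || nonce || ciphertext.
func sealTo(recipient *ecdh.PublicKey, plaintext []byte) []byte {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	shared := must(eph.ECDH(recipient))
	aead := aeadFor(shared, eph.PublicKey().Bytes(), recipient.Bytes())
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	out := append(eph.PublicKey().Bytes(), nonce...)
	return aead.Seal(out, nonce, plaintext, nil)
}

// openWith reverses sealTo; it fails unless priv is the key sealTo targeted.
func openWith(priv *ecdh.PrivateKey, box []byte) ([]byte, error) {
	if len(box) < 32+12+16 { // ephemeral key + GCM nonce + GCM tag
		return nil, errors.New("sealed box too short")
	}
	ephPub := must(ecdh.X25519().NewPublicKey(box[:32])) // 32 bytes by construction
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead := aeadFor(shared, ephPub.Bytes(), priv.PublicKey().Bytes())
	ns := aead.NonceSize()
	return aead.Open(nil, box[32:32+ns], box[32+ns:], nil)
}

// Installation holds the cluster key; its private half never reaches the DB.
type Installation struct{ cluster *ecdh.PrivateKey }

// WorkspaceRecord is what the database stores: the workspace public key in the
// clear and the workspace private key sealed to the cluster public key.
type WorkspaceRecord struct{ PublicKey, SealedPrivateKey []byte }

func NewInstallation() *Installation {
	return &Installation{cluster: must(ecdh.X25519().GenerateKey(rand.Reader))}
}

func (i *Installation) NewWorkspace() *WorkspaceRecord {
	wk := must(ecdh.X25519().GenerateKey(rand.Reader))
	return &WorkspaceRecord{
		PublicKey:        wk.PublicKey().Bytes(),
		SealedPrivateKey: sealTo(i.cluster.PublicKey(), wk.Bytes()),
	}
}

// StoreSecret is the write path: only the workspace public key is needed, so
// creating a secret never touches the cluster key.
func StoreSecret(ws *WorkspaceRecord, secret []byte) []byte {
	return sealTo(must(ecdh.X25519().NewPublicKey(ws.PublicKey)), secret)
}

// RevealSecret is the read path at function execution: unwrap the workspace
// key with the cluster key, then open the secret. A database dump alone cannot.
func (i *Installation) RevealSecret(ws *WorkspaceRecord, sealed []byte) ([]byte, error) {
	wkBytes, err := openWith(i.cluster, ws.SealedPrivateKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap workspace key: %w", err)
	}
	wk := must(ecdh.X25519().NewPrivateKey(wkBytes)) // 32 bytes once unwrapped
	return openWith(wk, sealed)
}

func main() {
	inst, other := NewInstallation(), NewInstallation() // two installations, two cluster keys
	ws := inst.NewWorkspace()
	sealed := StoreSecret(ws, []byte("constructed-sample-token")) // constructed, not a real credential
	got, err := inst.RevealSecret(ws, sealed)
	fmt.Printf("own cluster key: %q err=%v\n", got, err)
	_, err = other.RevealSecret(ws, sealed)
	fmt.Println("foreign cluster key:", err)
}
```

The point to check in a real deployment is the one `RevealSecret` makes explicit: the cluster private key must live only in the running service (or an HSM/KMS), never alongside the workspace records, because with it every workspace key, and so every secret, unwraps.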
Redaction
Should a secret value appear in any logs or output, it is automatically redacted: System Initiative itself will not leak your secrets.
WARNING
No programmable system is perfectly secure against secret exfiltration. You must still trust the function code that uses your secret.
All built-in schemas provided by System Initiative have been vetted for exfiltration risk.
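How output redaction of this kind works, and exactly where the warning above bites, as an added example that is not System Initiative's redaction code. It assumes the redactor is given the plaintext values that were injected into the micro-VM and scrubs them from every line the function emits, including the base64, URL-escaped and JSON-escaped forms; the sample output, `demoSecret` and the `reverse` transformation are constructed for the illustration.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Redactor knows the plaintext values that were injected into a function's
// micro-VM and scrubs them from whatever the function prints or returns.
type Redactor struct{ needles []string }

// NewRedactor records each secret value together with the encodings a function
// commonly passes it through: base64, URL query escaping, JSON string escaping.
func NewRedactor(secrets ...string) *Redactor {
	jsonEsc := strings.NewReplacer(`\`, `\\`, `"`, `\"`)
	var needles []string
	for _, s := range secrets {
		if s == "" {
			continue // an empty needle would match everywhere
		}
		needles = append(needles, s,
			base64.StdEncoding.EncodeToString([]byte(s)),
			url.QueryEscape(s),
			jsonEsc.Replace(s))
	}
	// Longest first, so a secret that is a substring of another secret does
	// not leave fragments of the longer one behind.
	sort.Slice(needles, func(a, b int) bool { return len(needles[a]) > len(needles[b]) })
	return &Redactor{needles: needles}
}

// Redact replaces every known form of every secret in line.
func (r *Redactor) Redact(line string) string {
	for _, n := range r.needles {
		line = strings.ReplaceAll(line, n, "[REDACTED]")
	}
	return line
}

// RedactAll applies Redact to each line of function output.
func RedactAll(r *Redactor, lines []string) []string {
	out := make([]string, len(lines))
	for i, l := range lines {
		out[i] = r.Redact(l)
	}
	return out
}

// demoSecret is a constructed sample value, not a real credential.
const demoSecret = "s3cr3t-token-9f8e7d"

// reverse is the kind of trivial transformation a malicious or careless
// function could apply before printing; it defeats literal matching.
func reverse(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

// sampleOutput is constructed function output; the last line is the case
// redaction cannot catch, which is why the function code itself must be trusted.
func sampleOutput() []string {
	return []string{
		"export AWS_SECRET_ACCESS_KEY=" + demoSecret,
		"Authorization: Bearer " + base64.StdEncoding.EncodeToString([]byte(demoSecret)),
		`{"token":"` + demoSecret + `"}`,
		"GET /v1/things?key=" + url.QueryEscape(demoSecret),
		"debug: " + reverse(demoSecret),
	}
}

func main() {
	for _, l := range RedactAll(NewRedactor(demoSecret), sampleOutput()) {
		fmt.Println(l)
	}
}
```

Two limits are worth knowing when you rely on output redaction anywhere. Literal matching only catches forms the redactor anticipated: the reversed value in the last sample line passes straight through, and so would the secret split across two lines or base64-encoded together with a prefix whose length is not a multiple of three (the encoding of the secret then no longer appears as a contiguous substring). That is the gap the warning above describes, and it is closed by reviewing the function code, not by a better regex.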
Creating a Secret
Creating a secret is identical to creating any other component. Press the C hotkey or click the 'Add Component' button from the Grid or Map view. Search for the name of your secret, press Enter, and fill in the secret information in the component's attributes.
The information inside the secret section is encrypted when the 'Add Secret' button is pressed.
INFO
Most things in System Initiative can be done from the Web Application, AI Agent, or the Public API. Creating secrets can only be done through the Web Application and the Public API, as we believe it is fundamentally insecure to feed secrets to an LLM.
Subscribe to a Secret
To use a secret, you subscribe to the secret value from the component that needs it.
> Create an AWS VPC using the My AWS Credential secret
● VPC created successfully in the "create-vpc" change set with:
- CIDR Block: 10.0.0.0/16
- Region: us-west-1
- Credential: My AWS Credential
You can now apply this change set to create the VPC in AWS, or
make additional changes first.
Reference the name of the specific credential you want to subscribe to in the prompt.
Updating a Secret
First navigate to the component, and click on the secret you want to update:
Then update the secret information:
TIP
Note that the existing secret data is not present in the form. Once a secret has been encrypted and stored, it cannot be retrieved by anything other than a function execution.
Delete a Secret
You can delete (or erase) secrets just like components.
TIP
When a secret is deleted, it cannot be recovered, even from within a change set.
Reference the name of the specific secret you want to delete or erase in the prompt.
> Delete the My AWS Credential secret
● The "My AWS Credential" secret has been deleted