Key Management Issues
Secrets
Proper key management is critical. Hardcoded keys, weak key derivation, and insecure storage are common vulnerabilities that undermine otherwise strong encryption.
Finding Hardcoded Secrets
```bash
# TruffleHog - Git history scanning
trufflehog git https://github.com/target/repo

# Gitleaks - Fast secret scanner
gitleaks detect --source=/path/to/repo -v

# grep patterns (-E is required for | alternation; -i also catches API_KEY, Password, ...)
grep -rniE "api_key|apikey|secret|password|passwd" .
grep -rnE "BEGIN RSA|BEGIN PRIVATE|BEGIN ENCRYPTED" .

# High entropy strings (possible keys): base64-looking runs of 32+ characters
grep -rnoE "[A-Za-z0-9+/]{32,}={0,2}" .

# AWS access key IDs
grep -rnE "AKIA[0-9A-Z]{16}" .

# Common secrets in config files
cat .env config.yaml secrets.json application.properties 2>/dev/null

# Semgrep rules for secrets
semgrep --config=p/secrets .
```
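The grep patterns above are noisy: a long run of base64 characters is just as likely to be a padding constant or a hash of a public file as a key. The scanner below is an added example (not part of the original page or of TruffleHog/Gitleaks) that combines the page's regexes with a Shannon-entropy filter, which is the same idea the "high entropy strings" grep approximates. The sample lines, the `AKIAEXAMPLE0EXAMPLE0` key ID and the session secret are constructed for the demonstration and are not real credentials.

```python
import math
import re
from collections import Counter

# Patterns mirroring the grep commands on this page
KEYWORD_RE = re.compile(r"api_key|apikey|secret|password|passwd", re.IGNORECASE)
PEM_RE = re.compile(r"BEGIN (?:RSA|PRIVATE|ENCRYPTED)")
AWS_KEY_RE = re.compile(r"AKIA[0-9A-Z]{16}")
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

# Bits per character above which a base64 run is reported; 4.5 is a common
# starting point for base64 text, tune it per codebase to control noise.
ENTROPY_THRESHOLD = 4.5

# Constructed sample of source/config lines (fabricated values, not real secrets)
SAMPLE = """\
DEBUG = True
aws_access_key_id = AKIAEXAMPLE0EXAMPLE0
db_password = "hunter2"
SESSION_SECRET = "q7Rt2WpX9kLm4ZvB8nHy3JcF6dGs1QaE5uTo0YiK"
PADDING = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-----BEGIN RSA PRIVATE KEY-----
"""


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_lines(lines):
    """Return findings as (line_no, kind, evidence) tuples.

    kinds: "pem" (private key header), "aws-key-id", "high-entropy"
    (base64 run above the entropy threshold) and "keyword" (suspicious
    identifier on the line, reported with the whole stripped line).
    """
    findings = []
    for no, line in enumerate(lines, 1):
        m = PEM_RE.search(line)
        if m:
            findings.append((no, "pem", m.group()))
        for m in AWS_KEY_RE.finditer(line):
            findings.append((no, "aws-key-id", m.group()))
        for m in B64_RUN_RE.finditer(line):
            token = m.group()
            # The entropy check is what separates "AAAA..." padding from a key
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((no, "high-entropy", token))
        if KEYWORD_RE.search(line):
            findings.append((no, "keyword", line.strip()))
    return findings


if __name__ == "__main__":
    for line_no, kind, evidence in scan_lines(SAMPLE.splitlines()):
        print(f"{line_no}:{kind}: {evidence}")
```

Run against the sample, the 40-character `PADDING` constant is matched by the base64 regex but dropped by the entropy filter, while the session secret (40 distinct characters, about 5.3 bits per character) is reported. Swap `SAMPLE.splitlines()` for a file iterator to scan a real tree, and keep the keyword hits as low-confidence leads rather than findings.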
Key Derivation Issues

```python
import os
import hashlib
from hashlib import pbkdf2_hmac, scrypt

password = b"correct horse battery staple"  # example input; KDF APIs below take bytes
salt = os.urandom(16)                       # random per-password salt, stored next to the hash/key

# WEAK - Direct password use (no stretching, no salt: key space == password space)
key = password

# WEAK - Simple hash (unsalted and fast, so brute force and rainbow tables apply)
key = hashlib.sha256(password).digest()

# WEAK - Few iterations (PBKDF2 itself is acceptable; 1000 rounds is far too cheap today)
key = pbkdf2_hmac('sha256', password, salt, 1000)

# STRONG - Modern KDFs
# Argon2id for password verification; the output is a self-describing hash
# string (salt and parameters included), not a raw key for encryption
from argon2 import PasswordHasher
ph = PasswordHasher()
pw_hash = ph.hash(password)
ph.verify(pw_hash, password)  # raises VerifyMismatchError on a wrong password

# STRONG - bcrypt with good cost factor (input must be bytes, 72-byte limit)
import bcrypt
pw_hash = bcrypt.hashpw(password, bcrypt.gensalt(rounds=12))

# STRONG - scrypt with proper params (derives a raw key usable for encryption)
key = scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)
```

Storage
Keys should be stored in HSMs, secret managers (Vault, AWS Secrets Manager),
or at minimum environment variables - never in source code or config files.
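The two sections above fit together: the passphrase comes from the environment or a secret manager, never from source, and the encryption key is derived from it with a proper KDF and a per-key random salt. The example below is added here and is not code from the original page; it uses only the standard library (`hashlib.scrypt`, `hmac`). The environment variable name `APP_MASTER_PASSPHRASE`, the record layout and the passphrase value in the demo are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os

# scrypt parameters from the page: n (CPU/memory cost), r (block size), p (parallelism)
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}


def get_passphrase(env_name, environ=None):
    """Read the master passphrase from the environment (os.environ by default).

    There is deliberately no hardcoded fallback: a missing secret is a
    configuration error, not a reason to ship a default one in source code.
    `environ` can be any mapping, which keeps the function testable offline.
    """
    env = os.environ if environ is None else environ
    value = env.get(env_name)
    if not value:
        raise RuntimeError(f"{env_name} is not set; supply it via the environment or a secret manager")
    return value.encode()


def derive_key(passphrase, salt, params=SCRYPT_PARAMS):
    """Derive a raw symmetric key from passphrase bytes and a salt with scrypt."""
    return hashlib.scrypt(passphrase, salt=salt, **params)


def weak_key(passphrase):
    """The page's WEAK pattern, kept only for comparison: unsalted and fast,
    so the same passphrase yields the same key everywhere and can be precomputed."""
    return hashlib.sha256(passphrase).digest()


def new_key_record(passphrase):
    """Derive a fresh key and return (key, record).

    The record holds everything needed to re-derive the key later except the
    passphrase itself, so it can be stored in the clear beside the ciphertext.
    """
    salt = os.urandom(16)
    key = derive_key(passphrase, salt)
    record = {"kdf": "scrypt", "salt_b64": base64.b64encode(salt).decode(), **SCRYPT_PARAMS}
    return key, record


def rederive(passphrase, record):
    """Re-derive the key described by a record (e.g. when decrypting later)."""
    if record.get("kdf") != "scrypt":
        raise ValueError("unsupported kdf in record")
    params = {k: record[k] for k in ("n", "r", "p", "dklen")}
    return derive_key(passphrase, base64.b64decode(record["salt_b64"]), params)


def keys_match(a, b):
    """Constant-time comparison; never compare key material with ==."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    # Constructed environment for the offline demo; in deployment os.environ is used
    demo_env = {"APP_MASTER_PASSPHRASE": "correct horse battery staple"}
    pw = get_passphrase("APP_MASTER_PASSPHRASE", demo_env)
    key, record = new_key_record(pw)
    print("record to store:", record)
    print("re-derived key matches:", keys_match(key, rederive(pw, record)))
    print("weak sha256 key is salt-independent:", weak_key(pw) == weak_key(pw))
```

Note the design choices: the salt and KDF parameters travel with the data so they can be raised later without breaking old records, the weak `sha256(password)` variant is kept only to show that it produces the same key on every machine and every deployment, and `get_passphrase` fails closed instead of silently using a default.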