top | item 33887083

(no title)

ajvpot | 3 years ago

Have you considered adding some kind of encryption of the secrets with a preshared key generated inside the action to make the SaaS zero-knowledge? Currently it appears the service can read all the secrets in plaintext.

discuss

thewataccount|3 years ago

This is tangential to your comment and not a complaint - That isn't zero-knowledge that is end-to-end encryption.

I've been noticing a lot of marketing materials describe themselves as "zero-knowledge" when it's just E2EE.

I definitely agree it would be nice to have.

varunsharma07|3 years ago

Added an issue to track this: https://github.com/step-security/wait-for-secrets/issues/56

The backend API is open-source, and the secrets are cleared immediately after use from the data store, but I agree this is a good idea.