1. 21

Our team is currently looking to revamp the way we are managing our secrets: passwords, keys, certs, etc. We’re running Openstack under different services orchestrated by SaltStack. We intend to look into these technologies seem to address the problem:

What do you and your teams use to protect and distribute your secrets? Has anything worked well or conversely disastrously for you?


  2. 6

    Like I’m gonna tell you!

    (More seriously: I haven’t had to deal with this problem in a long time, but have heard good things about Vault.)

    1. 5

      Between team members we sometimes share secrets via keybase.io encrypted messages.

      Most of our secrets we keep in text files on various remote servers (which sucks, don’t do this), but we are working towards a Vault system.

      One of our ultra secure projects keeps its secrets in a custom-built thing based on Parliament which itself is based on Shamir’s Secret Sharing algorithm. I -really- would like to open source that at some point, but in fairness it is a hassle and beyond what I think is reasonable for most use cases. Think of it like having to turn multiple keys (in the physical sense) at the same time to unlock something.

      Also we do other things… which is a secret (who doesn’t use security through obscurity as some layer somewhere? haha)

      1. 2

        I’ve also found keybase.io to be pretty useful, especially with technical 3rd parties.

      2. 4

        First, some context: We’re a consulting company, so we don’t have one app/suite to run…. we have many that are run at different clients, each of whom have very different preferences. And they actually shouldn’t share secrets with each other, in general.

        So, with that said, we use 1Password for Teams. It’s strictly a non-automated secret sharing mechanism. That is, servers wouldn’t be able to use it, only users. It’s also not cheap, but I really like it.

        That’s my experience. I have researched the “servers sharing secrets” problem a bit, and I’ve decided that we’d go with Vault if we ever need it… but we’re not there right now. Also, I have no experience to share with it, so take such a recommendation with a gigantic grain of salt.

        1. 4

          Most of the answers seem to be about personal secret management, rather than server secret management.

          I work at Square, so naturally we use KeyWhiz :-) One nice property of KeyWhiz is that the secrets mount with FUSE and look just like files, so in our local dev environments, we can easily set up dev secrets in the same location using real files.

          1. 3

            For most “human” secrets, such as 3rd party site credentials, repo signing keys, etc. We use 1Password for Teams.

            For application secrets, such as an applications db credentials, we store encrypted secrets inside of Hashicorp’s Consul, which the applications fetch and decrypt with a simple library. Keys are pushed via chef encrypted databags (for now). We are more than likely going to swap this out for Hashicorp’s Vault in the mid-future.

            For larger secrets or application secrets that need to be handed between one human to another without needing to be stored we use good old GPG.

            1. 2

              gpg encryption for personal stuff, ansible vault (AES) for production secrets

              1. 2

                Native unix pass and gpgtools

                1. 1

                  Personally, I just Keychain for iOS and OS X. It takes very little setup, it’s definitely secure enough for my personal use case, and it Just Works. Generating and storing random passwords across all my iDevices couldn’t really be easier.

                  1. 1

                    For passwords, my company uses Team Password Manager (http://teampasswordmanager.com/?o=FOOTER). It’s not free (there is a free trial available), but it works well in environments where people are joining and leaving projects often, and I trust that it’s secure.

                    1. 1

                      We check in a gpg-encrypted yaml file into our hg and git repos and we exchange passwords and decryption keys with each other over OTR jabber.

                      1. 1

                        Do you have policies in place for rotation when a team member leaves?

                      2. 1

                        I liked Keywiz when I examined it. If you are willing to invest time and build a solid infrastructure, I think it’s the best in play now.

                        1. 1

                          Is this in comparison to other solutions like Vault?

                          1. 1

                            Vault, Confidant, and Roll-your-own.

                            I’ve intensely investigated Confidant, and it works well, if your operation looks like Lyft enough. It didn’t quite. :-) It will work well if you’ve bought into the AWS Way enough (and you look Lyft'y enough).

                            Vault seems to smell a bit strongly of Hashicorp, which is a good system IMO, but I think you really need to buy into the Hashicorp Way to use it.

                            Keywhiz seems to be the most agnostic out there, with solid open source primitives. So I like it. The downside is you really need to be running your own CA / PKI for Keywhiz.

                        2. 1

                          Work are using and contributing to https://github.com/tildaslash/RatticWeb