How to manage secrets
So you start a great new project and credentials are being requested by various team members and keep flying around on Slack as an open unencrypted text? A forgotten password is used from time to time and then more passwords need to be requested. Doesn't it feel right and effective ?
Use the right tools
Every project has its secrets like credentials to the different services or server access details.
Keeping that information safe and easily accessible by the team members and automation tools is a complex task to manage.
There are many tools that can help manage secrets both on a personal and organizational level.
There are cases when secrets need to be accessed by automated processes such as deployments or chat bots.
It is an open-source, API-first, highly secure secret management solution with a nice web UI and a command line tool.
As a state-of-the-art solution it incorporates the following:
- nobody knows your access token, not even the person who granted it to you,
- the vault can be sealed and unsealed with a given policy, for example using 3 out of 5 keys that are given to key employees,
- tokens expire and are rotated as a passive security measure to limit leakage.
- expiring access tokens
- full API coverage
- command line tool
- wrapping secrets for one-time access
Alternatively 1password recently announced their new service - secrets automation and Hashicorp opened access to an enterprise solution - Vault in the cloud.
It is nice if you would like to avoid the hassle of servers administration.
- autocomplete in the browser
- synchronization across many devices
- storage encryption
- easily generate passwords matching a given policy
- desktop apps and a browser extension
There's an awesome feature that helps testing ecommerce website: identities. It is a set of values for checkout fields like address and personal data that can be used to automatically populate the checkout form fields.
In the same way different test credit cards can be stored and used with one click.
How the 1password desktop app looks:
There's often a need to share a particular secret outside the organization with a customer or a third party. It is important to make sure the secret stays safe during transport and it is not accessible, for example in the chat history.
Vault can create a special link that can be opened only once and expires automatically after a given time. It is called secret wrapping with editable time to live.
More advanced use cases
Imagine one of the developers leaving a project - that involves chasing his ssh key on all the serves to revoke the access.
This can be automated as well with Vault being used as a SSH signer.
Contact with: Michał