How do you store your secrets?

Background

I am doubling a little bit as a DevOps in the company where I am now. Recently I showed them the 12 factor app standard, which specifies that you should not have your ENV, config and passwords inside your git repository together with your project; you should store them in a safe place instead.

Research

After some research we came across Vault; however, our team manager now thinks this is quite overkill and will soon become a monster.

Torus seemed a good alternative, but the install page doesn’t even work, it will be paid, and it looks like it only runs on Node.

I also read this discussion but there is no definitive answer:

Questions

  1. What tools do you use to store your secrets?
  2. How do your apps access them?
2 Likes

Currently smaller projects get deployed via ansible, with secrets stored in ansible-vault (which is not the same as hashicorp vault!). These get written to a file as environment variables (which the systemd unit reads), and then that’s restricted via file system permissions (only root and the application user can read the file). It’s not perfect, but it does give you a good starting point before heading to things like hashicorp Vault imho

1 Like
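The ansible-vault/systemd pattern in the post above, as an added example that is not from the original post: a POSIX shell helper that writes the environment file with the restrictive mode described and a check a deploy script can run before starting the unit. The application group name and file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: the "secrets in an env file,
# read by the systemd unit, locked down by file permissions" pattern.
# Assumptions: the service runs as a dedicated user whose primary group is
# passed as $2 (hypothetical); file paths and values are constructed.

# write_env_file FILE GROUP KEY=VALUE...
# Creates FILE as 0640 (owner rw, group r, nothing for others) so only the
# owner (e.g. root) and the application group can read the secrets.
write_env_file() (
  file=$1; group=$2; shift 2
  umask 077                  # file is born 0600; relaxed to group-read at the end
  rm -f "$file"              # never keep a pre-existing, possibly looser mode
  : > "$file"
  for kv in "$@"; do
    printf '%s\n' "$kv" >> "$file"
  done
  chgrp "$group" "$file" 2>/dev/null || true   # group may not exist on a dev box
  chmod 0640 "$file"
)

# check_env_file FILE: succeed only if "others" have no access and the group
# has at most read access. Run it before starting the unit and in audits.
check_env_file() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
  others=${mode#"${mode%?}"}          # last octal digit
  rest=${mode%?}
  group=${rest#"${rest%?}"}           # second-to-last octal digit
  [ "$others" = 0 ] || return 1
  case $group in 0|4) return 0 ;; *) return 1 ;; esac
}

# unit_fragment FILE: the drop-in lines that make systemd load FILE.
unit_fragment() {
  printf '[Service]\nEnvironmentFile=%s\n' "$1"
}
```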

Using ansible-vault is a good starting point, but if you have more than a few secrets, or need to generate things like certs for inter-service TLS, I’d recommend the investment in Hashicorp Vault. It really is invaluable, especially when coupled with something like envconsul.

If you stick with ansible-vault, I’ve found this to be helpful. Otherwise, it is easy to forget where vaulted vars are, and grep does you no good since they are encrypted at rest. Be sure to keep those refs close to where the actual vaulted vars are.

2 Likes

We run on Heroku so the 12 factor app approach has been working quite well

1 Like

I don’t know why nobody ever seems to talk about it, but I use AWS Parameter Store.

Maybe I should write a blog post about it… ¯\_(ツ)_/¯

But this can be used in the context of AWS only? Correct? Cannot be used for applications hosted at other cloud providers?

Any updates on the topic, what is the best way to store secrets e.g. encryption keys for Elixir applications?

Secrex — Secrex v0.3.0 is one option.

1 Like

Hush supports AWS, GCP and local env variables in a pluggable manner with the option to extend with custom providers too.

3 Likes

On some projects I use GitHub - Adzz/gcp_secret_provider: A configuration provider that pulls secrets from GCPs Secret Manager on App boot. which is a config provider that reads in secrets when the app starts.

Generally reading in the secret from Google Secret Manager (on GCP) when the app starts has been working well for me.

2 Likes

Mozilla Sops is a nice tool. Encrypted secrets are stored in YAML/JSON, with keys in plaintext and values encrypted with one or more of AWS KMS, GCP KMS, Azure Key Vault, PGP. The encrypted data file can be checked into the repo. Supports diffing.

3 Likes

I currently run Metamorphic with Render, similar to Heroku, so the 12 factor method also works really well. Render also allows you to have environment groups and files in addition to your environment variables.

That can be incredibly nice for organization and quickly scoping secrets across services.

Secret management refers to the tools and methods for managing digital authentication secrets, including passwords, keys and tokens.