How do you store your secrets?

Background

I am doubling a little bit as a DevOps in the company where I am now. Recently I showed them the 12 factor app standard, which specifies that you should not have your ENV, config and passwords inside your git repository together with your project; you should store them in a safe place instead.

Research

After some research we came across Vault; however, our team manager now thinks this is quite overkill and will soon become a monster.

Torus seemed a good alternative, but the install page doesn’t even work, it will be paid, and it looks like it only runs for Node.

I also read this discussion but there is no definitive answer:

Questions

  1. What tools do you use to store your secrets?
  2. How do your apps access them?

2 Likes

Currently smaller projects get deployed via Ansible, with secrets stored in ansible-vault (which is not the same as HashiCorp Vault!). These get written to a file as environment variables (which the systemd unit reads), and then that’s restricted via file system permissions (only root and the application user can read the file). It’s not perfect, but it does give you a good starting point before heading to things like HashiCorp Vault, imho.

1 Like
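One way to wire up the ansible-vault → environment file → systemd pattern described in the post above, as an added example rather than the poster’s own playbook. The host group, service name, user/group, file paths and the vaulted variable name are assumed placeholders.

```yaml
# Added example (not from the thread): write ansible-vault secrets to a
# root-owned env file readable only by the service user's group, then point
# a systemd unit at it with EnvironmentFile=.
# Assumed placeholders: host group "app", service/user/group "myapp", and a
# vaulted variable "vault_db_password" (created with
# `ansible-vault encrypt_string` and kept in group_vars/app/vault.yml).
- hosts: app
  become: true
  vars:
    app_user: myapp
    env_file: /etc/myapp/myapp.env
  vars_files:
    - group_vars/app/vault.yml       # encrypted at rest with ansible-vault
  tasks:
    - name: Render the environment file from vaulted vars
      ansible.builtin.copy:
        dest: "{{ env_file }}"
        owner: root
        group: "{{ app_user }}"
        mode: "0640"                 # root rw, app group r, nobody else
        content: |
          DATABASE_PASSWORD={{ vault_db_password }}
      no_log: true                   # keep the secret out of Ansible output
      notify: restart myapp

    - name: Install the systemd unit that reads the environment file
      ansible.builtin.copy:
        dest: /etc/systemd/system/myapp.service
        mode: "0644"
        content: |
          [Unit]
          Description=myapp
          After=network.target

          [Service]
          User={{ app_user }}
          Group={{ app_user }}
          EnvironmentFile={{ env_file }}
          ExecStart=/opt/myapp/bin/myapp start
          Restart=on-failure

          [Install]
          WantedBy=multi-user.target
      notify: restart myapp

  handlers:
    - name: restart myapp
      ansible.builtin.systemd:
        name: myapp
        state: restarted
        daemon_reload: true
```

Because systemd reads EnvironmentFile= as root before switching to User=, the file can even be mode 0600 root-only unless the application itself re-reads it; `no_log: true` matters because otherwise the rendered content (and the secret) appears in the play output.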

Using ansible-vault is a good starting point, but if you have more than a few secrets, or need to generate things like certs for inter-service TLS, I’d recommend the investment in Hashicorp Vault. It really is invaluable, especially when coupled with something like envconsul.

If you stick with ansible-vault, I’ve found this to be helpful. Otherwise, it is easy to forget where vaulted vars are, and grep does you no good since they are encrypted at rest. Be sure to keep those refs close to where the actual vaulted vars are.

2 Likes

We run on Heroku, so the 12 factor app approach has been working quite well.

I don’t know why nobody ever seems to talk about it, but I use AWS Parameter Store.

Maybe I should write a blog post about it… ¯\_(ツ)_/¯