
By Michał W.

May 07, 2021

How to manage secrets

So you start a great new project, credentials are being requested by various team members, and they keep flying around on Slack as plain, unencrypted text? A password gets forgotten from time to time and then has to be requested again. Doesn't that feel right and effective?

Use the right tools

Every project has its secrets like credentials to the different services or server access details.

Keeping that information safe and easily accessible by the team members and automation tools is a complex task to manage.

There are many tools that can help manage secrets both on a personal and organizational level.

Automation

There are cases when secrets need to be accessed by automated processes such as deployments or chat bots.

For our Hatimeria automation toolkit, aka hat, we use HashiCorp Vault, self-hosted on AWS.

It is an open-source, API-first, highly secure secrets management solution with a nice web UI and a command line tool.

As a state-of-the-art solution it incorporates the following:

  • nobody knows your access token, not even the person who granted it to you,
  • the vault can be sealed and unsealed with a given policy, for example using 3 out of 5 keys that are given to key employees,
  • tokens expire and are rotated as a passive security measure to limit leakage.

Key features:

  • expiring access tokens
  • full API coverage
  • command line tool
  • wrapping secrets for one-time access

Alternatively, 1Password recently announced their new service, Secrets Automation, and HashiCorp opened access to an enterprise solution, Vault in the cloud.

It is nice if you would like to avoid the hassle of server administration.

Personal use

Our pick for personal use is the industry-leading paid solution, 1Password, or its free alternative, KeePass.

Key features:

  • autocomplete in the browser
  • synchronization across many devices
  • storage encryption
  • easily generate passwords matching a given policy
  • desktop apps and a browser extension

There's an awesome feature that helps with testing ecommerce websites: identities. An identity is a set of values for checkout fields like address and personal data that can be used to automatically populate the checkout form.

In the same way different test credit cards can be stored and used with one click.

Screenshot: how the 1Password desktop app looks.

One-time sharing

There's often a need to share a particular secret outside the organization with a customer or a third party. It is important to make sure the secret stays safe in transit and is not left accessible afterwards, for example in the chat history.

Vault can create a special link that can be opened only once and expires automatically after a given time. This is called secret wrapping, with an editable time-to-live.

Screenshot: creating a wrapped secret in the Vault UI.

More advanced use cases

Imagine one of the developers leaving a project: that involves chasing down their SSH key on all the servers to revoke the access.

This can be automated as well, with Vault being used as an SSH signer: servers trust a certificate authority held by Vault, and developers get short-lived certificates instead of keys that have to be copied to every server.
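The three Vault patterns this article relies on (expiring tokens for automation, one-time sharing through secret wrapping, and SSH certificates signed by Vault) all go through the same HTTP API. The following is an added example written for this article, not code from Hatimeria's hat toolkit; it uses only the Python standard library. It assumes a Vault server at `VAULT_ADDR`, a KV v2 engine mounted at `secret/`, an SSH secrets engine mounted at `ssh-client-signer` with a role named `developer`, and a principal named `deploy`; all of those names are assumptions, and the sample wrap reply is constructed to match the shape Vault returns.

```python
"""Vault HTTP API helpers: short-lived tokens, one-time sharing via response
wrapping, and SSH certificates signed by Vault instead of static keys.
Added example, not Hatimeria's hat toolkit. Assumptions: Vault at VAULT_ADDR,
KV v2 mounted at "secret/", SSH engine at "ssh-client-signer", role "developer"."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from pathlib import Path

VAULT_ADDR = "http://127.0.0.1:8200"  # assumption: local dev server


def build_request(token, method, path, body=None, wrap_ttl=None):
    """Build an authenticated Vault API request. With wrap_ttl (e.g. "10m") Vault
    answers with a single-use wrapping token instead of the real response."""
    headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
    if wrap_ttl:
        headers["X-Vault-Wrap-TTL"] = wrap_ttl
    data = json.dumps(body).encode() if body is not None else None
    return urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data,
                                  headers=headers, method=method)


def send(req):
    """Submit a request to a running Vault and decode the JSON reply."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# --- expiring, least-privilege tokens for automation -------------------------
def scoped_token_request(parent_token, policies, ttl="1h"):
    """Child token limited to the given policies that dies after ttl, so a
    deployment job or chat bot never holds a long-lived credential."""
    return build_request(parent_token, "POST", "auth/token/create",
                         {"policies": policies, "ttl": ttl, "renewable": False})


# --- one-time sharing with response wrapping ---------------------------------
def wrapped_secret_request(token, kv_path, wrap_ttl="10m"):
    """Read a KV v2 secret, but have Vault hand back only a wrapping token."""
    return build_request(token, "GET", f"secret/data/{kv_path}", wrap_ttl=wrap_ttl)


def unwrap_request(wrapping_token):
    """Redeem the wrapping token; it works exactly once, so a failed unwrap
    tells the recipient that somebody else already read the secret."""
    return build_request(wrapping_token, "POST", "sys/wrapping/unwrap")


def wrap_expiry(vault_reply):
    """When the wrapping token stops working, from Vault's wrap_info block
    (creation_time is RFC 3339 with nanoseconds; the fraction is dropped)."""
    info = vault_reply["wrap_info"]
    created = datetime.strptime(info["creation_time"][:19], "%Y-%m-%dT%H:%M:%S")
    return created.replace(tzinfo=timezone.utc) + timedelta(seconds=info["ttl"])


SAMPLE_WRAP_REPLY = {  # constructed sample, shaped like Vault's wrapped response
    "wrap_info": {
        "token": "WRAPPING_TOKEN_PLACEHOLDER",
        "ttl": 600,
        "creation_time": "2021-05-05T10:07:16.123456789Z",
        "creation_path": "secret/data/hat/deploy",
    }
}


# --- SSH access via Vault-signed certificates --------------------------------
def sign_key_request(token, public_key, role="developer", ttl="30m",
                     principals="deploy", mount="ssh-client-signer"):
    """Ask the SSH CA to sign a developer's public key for a short time. Servers
    trust the CA (sshd_config: TrustedUserCAKeys), so offboarding needs no key
    hunt: the certificate simply expires and no new one is issued."""
    return build_request(token, "POST", f"{mount}/sign/{role}",
                         {"public_key": public_key, "valid_principals": principals,
                          "ttl": ttl})


def certificate_path_for(private_key_path):
    """OpenSSH looks for the certificate next to the key as <key>-cert.pub."""
    return str(private_key_path) + "-cert.pub"


def write_certificate(vault_reply, private_key_path):
    """Store data.signed_key from the sign response where ssh will find it."""
    path = Path(certificate_path_for(private_key_path))
    path.write_text(vault_reply["data"]["signed_key"])
    return path
```

To share a secret, run `send(wrapped_secret_request(token, "hat/deploy"))`, hand the customer only `wrap_info.token`, and let them call `send(unwrap_request(that_token))`; the real value never enters the chat history, and `wrap_expiry` tells both sides when the link goes dead. For SSH, `write_certificate(send(sign_key_request(token, pubkey)), "~/.ssh/id_ed25519")` gives a developer a certificate that `ssh` picks up automatically and that stops working when its TTL passes.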

Would you like to innovate your ecommerce project with Hatimeria?

Author
Michał W.
Founder

Addicted to Twitter, discoverer of new technology trends and most cutting-edge ecommerce solutions. Mountain man. His dream gift is a Tesla but will not disdain a Maserati.
