Managing Shared Secrets with basic unix tools
People did a great job in making our deployments secure.
We already use automated and secured build pipelines and our Clusters and VMs are locked in.
But there is another integral part which often does not get the appropriate attention: the local developer workflow.
Whenever we integrate with 3rd Party APIs or multiple services, credentials of any form are necessary. Surely saving these passwords in plaintext inside a github repository won’t fit the purpose. But would an on premise hosted wiki be safe enough? Or passing around a sticky note with a handwritten password on it?
Any secret that’s ever written to disk or on paper is another attack vector in the pipeline. Not just on production servers or continuous integration, but also in the developer workflow.
If your unencrypted laptop gets stolen or your private source code repository appears to be not so private after all, you’d hope your project’s secrets wouldn’t be compromised.
In this practice oriented talk I will show the way we approached this challenge in a several world projects, using a few simple and automation friendly standard unix tools.