Cfrgtkky

We have code (in git) together with configuration/deployment/build scripts (fabfile.py, circle.yml, Dockerfile etc) which result in a pretty seamless automatic build/deploy process. The one part which is not seamless is where to store credentials of various kinds. These are things like ssh keys, code signing certificates, aws access keys, ssl certificates... Currently the process is to copy the needed keys/certs from a flash drive and then (eg) run fabric.

It seems like storing credentials like this in git (alongside code) is not the best place, but what is the best place? Is there a recommended best practice for where to store information like this for devops? Is there a reference that discusses different options with their pros and cons?

The problem of secrets management is still something that hasn't exactly been "solved" by the use of any tool.

You can use any of the various Secrets Management Tools (each offers different types of benefits / integrations).

I personally prefer Hashicorp Vault. Cyberark is another good one.

The way you use these tools in your solution however, there are some common use patterns.

1) You can store your secrets in code in your SCM IF they are encrypted... But this still results in the same problem, you still need to deliver a secret securely at deploy time (or have it available at startup) to be able to decrypt the secrets (password, credentials, secrets, certs) that have been deployed. That is where the Secrets Management Tool (such a Vault) comes in. The tool will allow you to securely retrieve your secret for use in decryption of the secrets when it's needed.

2) The other way as mentioned above is. Is to actually store all secrets, certs etc. outside of the SCM in the Secret Management Tool itself and retrieve them at deploy / startup time.

Obviously there are pros and cons to doing things either way. i.e. the first approach reduces complexity as you only manage one or two secrets at any given time. On the other hand, if you store all secrets in a vault, the potential for compromises associated with your entire ecosystem is reduced, as access to a single secret doesn't allow someone access to every other secret.

At the end of the day it all comes down to your use case / the security constructs available and of course the people you are surrounded with. Because at the end of the day, someone, somewhere needs to know a secret...

Yes. There is a recommendation. It is the usage of Cloud Vault. Take a look on some good examples:

https://www.hashicorp.com/blog/vault.html

https://blog.keepersecurity.com/2016/08/16/keeper-for-devops-more-than-just-passwords/

It's a kind of best practice to use a proper Security when it comes to credentials. As it can lead to Web Hack and other potential loss to the company.

Best way to do it to use Kind of Vault.

• https://www.vaultproject.io/


• https://docs.ansible.com/ansible/2.4/vault.html


• AWS KMS