

Ask HN: How do you manage server side credentials?  - reinhardt

At work we maintain passwords, keys and secrets for a few dozen internal and 3rd party services such as S3, Sendgrid, Xero and more. For most services we actually have at least two accounts, one being used exclusively on production. So far we have been storing most credentials in plain text config files under version control but we are looking for something more secure in case the source code is compromised. Any suggestions?
======
donavanm
Assuming it's just data at rest? Use gpg. Encrypt your plaintext with all of
the authorized users' public keys. When someone joins, re-encrypt with the new
person's key. When they leave, rotate creds and re-encrypt minus their key. Keep
the cipher text in VCS so you have change history and a light audit trail.

This method is very maintainable for a dozen or two users. I've never looked,
but there's probably a management application built around this workflow as
well.

------
mathrawka
Storing in environment variables is a good practice.

Take a look at this: <http://www.12factor.net/config>

~~~
jawnb
One thing to be aware of when storing sensitive information in environment
variables, is that it is possible to view the environment variables a process
is using.
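
The two comments above in one runnable script, as an added example that is not part of the original thread: a process started 12-factor style with its credential in the environment, and the caveat that on Linux any process running as the same user (or as root) can read that environment back from /proc/<pid>/environ. The variable name and value are constructed for the demo; it needs Linux /proc and GNU or busybox `stat`.

```shell
#!/bin/sh
# Added example, not from the thread: 12-factor config in the environment next
# to the way another process reads it back. SENDGRID_API_KEY's value is fake.
set -eu
[ -r /proc/self/environ ] || { echo "this demo needs Linux /proc" >&2; exit 1; }

# Stand-in for the service: it only sleeps, but it was launched with the
# credential in its environment exactly as a 12-factor deploy would do it.
SENDGRID_API_KEY='SG.constructed-demo-value' sleep 60 &
SERVICE=$!
trap 'kill "$SERVICE" 2>/dev/null || true' EXIT

# Wait until the child has exec'd sleep so /proc shows its final environment.
i=0
while [ "$(cat "/proc/$SERVICE/comm" 2>/dev/null)" != sleep ] && [ "$i" -lt 50 ]; do
    sleep 0.1; i=$((i + 1))
done

# Another process's environment, one VAR=value per line (this is also what
# `ps e` shows for your own processes).
dump_environ() { tr '\0' '\n' < "/proc/$1/environ"; }

# Value of variable $2 inside process $1, empty if it is not set there.
peek_var() { dump_environ "$1" | sed -n "s/^$2=//p"; }

# Permission bits on the environ file: 400, owner-only. That is why the
# exposure is to same-user processes and root, not to every local account.
environ_mode() { stat -c '%a' "/proc/$1/environ"; }

echo "pid $SERVICE holds SENDGRID_API_KEY=$(peek_var "$SERVICE" SENDGRID_API_KEY)"
echo "/proc/$SERVICE/environ mode: $(environ_mode "$SERVICE")"
```

The practical consequence: anything else running as the service account (a cron job, a shell from a compromised sibling app, a debugging tool) has the credential without touching the config file, and child processes inherit the environment by default, so a credential set for the app also ends up in every subprocess it spawns unless the app scrubs it.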

------
boolean
I would recommend LastPass Enterprise
(<https://lastpass.com/enterprise_overview.php>)

