
Ask HN: Best way to manage API secrets and other secrets in teams - desmap
Searched a bit around but didn't find a clear answer to this:

API and other secrets/credentials shouldn't be on source control and .gitignored. Still they need to be backed up, shared to team members, updated, etc.

What's the best way to do this (just for server-side apps) without using any paid 3rd party product?
======
theamk
It depends greatly on how your server-side works. For example, if you are on
AWS, you can use KMS. If you run Kubernetes or Docker Swarm, they have their
own secret storage systems.

In very small teams, you can do something as simple as a Google Doc or
LastPass shared notes, and install the keys manually as needed. In this case,
your code would be looking for secrets at a pre-defined location, like
~/.your-company-name/secrets, and secrets would be manually copied there.
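
An added example (not part of the comment above or of the thread): one way server-side code could read secrets from a pre-defined location such as ~/.your-company-name/secrets while refusing a file that is a symlink, not owned by the current user, or accessible to group/other. The NAME=value file format and the names `load_secrets` and `SecretsError` are assumptions made for illustration.

```python
import os
import stat
from pathlib import Path

# Assumed location, following the "~/.your-company-name/secrets" pattern above.
DEFAULT_PATH = Path.home() / ".your-company-name" / "secrets"


class SecretsError(Exception):
    """Raised when the secrets file is missing, unsafe or malformed."""


def load_secrets(path=DEFAULT_PATH):
    """Return {name: value} from a NAME=value file only its owner can access."""
    path = Path(path)
    try:
        # O_NOFOLLOW: refuse a symlink sitting at the expected location.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        raise SecretsError(f"cannot open {path}: {exc.strerror}") from exc
    with os.fdopen(fd, encoding="utf-8") as fh:
        # fstat the open descriptor so the checks apply to the file being read.
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise SecretsError(f"{path} is not a regular file")
        if st.st_uid != os.getuid():
            raise SecretsError(f"{path} is not owned by the current user")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise SecretsError(f"{path} is accessible to group/other; chmod 600 it")
        secrets = {}
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # skip blank lines and comments
            name, sep, value = line.partition("=")  # split on the first "=" only
            if not sep or not name.strip():
                # Report the line number only, never the line content.
                raise SecretsError(f"{path}:{lineno}: expected NAME=value")
            secrets[name.strip()] = value.strip()
    return secrets
```

Failing closed on loose permissions catches the common mistake of copying the file into place with a default umask.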

------
godot
As others mentioned, there's a variety of products to handle these by now for
corporations and startups.

I'm actually more interested in the same question but for personal projects
where you don't want to pay or pay no more than say $1/mo. Is there a solution
for that?

Maybe a HashiCorp Consul self-hosted? A lot of work to set up for a personal
project but maybe worth it to do one time?

------
cabraca
You could take a look at HashiCorp Vault as a tool to deliver secrets to your
server-side apps.

For sharing secrets with your team I would go with a password manager.
bitwarden.com if you are looking for an open source one.

------
wendelmaques
keybase.io with team chat, kbfs and encrypted git repos.

