
Ask HN: Keeping secrets out of public repos - cryptography
How do you prevent API keys, passwords, private key files, etc. from getting accidentally uploaded to Github/Gitlab/Bitbucket? Is it OK to store them in private repos?
======
LinuxBender
In my opinion, never put secrets anywhere near a code repo to begin with. Put
them in something like Vault.

Also in my opinion, for your own dev work, source a file well outside of
anywhere your code might live that has name=value pairs. Give the file name
something highly obscene, long and upper-case that would be obvious if you
were contemplating committing it.

See if your git repo has a policy against a certain file name and use that.
People will do what people can do and mistakes happen. :-)

------
slow_donkey
We store our secrets in a key vault exposed as environment variables and store
vault credentials as Kubernetes secrets which are also exposed as env vars.

The easy method is to use something like dotenv or a separate config file
under gitignore.

------
ecesena
Not a good idea imo, because as your team grows, code is code and people will
forget. Easier to use a vault, i.e. an external service where you store any
secret, and from code you only load secrets from the vault.

We use knox [1], but there are other popular ones.

Edit: typos

[1] [https://github.com/pinterest/knox](https://github.com/pinterest/knox)

~~~
PerfectElement
This may be a stupid question, but don't you also need credentials to access a
vault?

------
atmosx
Been there, done that. If you want to be secure, you need to enforce key
rotation within a _secure timeframe_, whatever that means in your threat
model; use vault, kms or something similar to automatically rotate secrets.
Then, leaking credentials will be inconsequential.

------
savethefuture
One solution is to use environment variables.

~~~
cryptography
That's the solution that I adhere to. But on a team with several devs, how do
you prevent that from happening? Or how do you prevent yourself from
accidentally(!) doing so (i.e. during the late-night coding sessions)?

~~~
savethefuture
review review review review review always review your code before a commit to
master

------
cimmanom
.gitignore helps

~~~
cryptography
What about API_KEY='42..' in a config file that contains project-wide
configuration?

~~~
cimmanom
You split your config into separate files for sensitive and non-sensitive
values.
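An added example (not code from any commenter) of the split cimmanom describes, applied to the `API_KEY='42..'` case from the question: a committed name=value config is scanned for sensitive keys carrying literal values, and those keys are filled only from the environment at load time. The key-name patterns, placeholder forms and the sample config are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Assumed convention: non-sensitive settings live in a committed name=value
# file; anything sensitive is left empty or as a ${VAR} placeholder and is
# supplied through the environment (dotenv, vault export, k8s secret).
SENSITIVE_KEY = re.compile(r"(API_KEY|SECRET|PASSWORD|TOKEN|PRIVATE_KEY)$", re.IGNORECASE)
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
# Values that are safe to commit: nothing, an empty string, ${VAR}/$VAR, or <fill me in>.
PLACEHOLDER = re.compile(r"""^(?:|["']{2}|\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|["']?<[^>]*>["']?)$""")

# Constructed sample of a project-wide config as it might be checked in by mistake.
COMMITTED_CONFIG = """\
# constructed sample config
APP_NAME=billing
LOG_LEVEL=info
DB_HOST=db.internal
DB_PASSWORD=${DB_PASSWORD}
API_KEY='42..'
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse name=value lines; blank lines and # comments are skipped."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = ASSIGNMENT.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip("'\"")
    return values


def find_committed_secrets(text: str) -> List[str]:
    """Pre-commit check: sensitive key names whose value is a real literal."""
    flagged: List[str] = []
    for line in text.splitlines():
        m = ASSIGNMENT.match(line)
        if m and SENSITIVE_KEY.search(m.group(1)) and not PLACEHOLDER.match(m.group(2)):
            flagged.append(m.group(1))
    return flagged


def load_settings(public_text: str, env: Dict[str, str]) -> Dict[str, str]:
    """Merge committed config with secrets from the environment; refuse leaked literals."""
    leaked = find_committed_secrets(public_text)
    if leaked:
        raise ValueError(f"secret literals in committed config: {leaked}")
    settings = parse_config(public_text)
    for key in settings:
        if SENSITIVE_KEY.search(key):
            settings[key] = env[key]  # KeyError: the secret was never provided
    return settings
```

Wiring `find_committed_secrets` over the staged copy of the config into a pre-commit hook turns the "late-night session" mistake into a rejected commit rather than a leaked key.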

