Some context: we have about 30 devs in our org, and each team has between 3 and 5 devs.
Each system has a handful of keys associated with it: API keys, FTP logins, etc. These are encrypted with another key (let's call this the APP_ENCRYPTION_KEY) which is stored in the Environment Variables for the current system. Each application has a unique APP_ENCRYPTION_KEY.
So now I've got at least a dozen (and growing) different keys to manage. Thing is, not all developers need access to all APP_ENCRYPTION_KEYs.
My plan was to create separate Bitbucket repositories (internal to our organization) and divvy up access to those repositories based on a role. So if you are in DevTeam A, you get access to KeyRepoA, DevTeam B gets access to KeyRepoB, and so on and so forth. New keys are added to a PowerShell script, then you simply run that script against your dev box / the servers to add the environment variables.
However, I'm not sure if Bitbucket is a trusted source. It feels like we are just moving the problem from the appsettings.json file to another source.
Is there a better approach for small teams / orgs?
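For reference, here is what the per-team provisioning script sketched in the question could look like. This is an added example, not the poster's script; it assumes the team's key repo contains a `keys.json` mapping variable names to values, that the variable names start with `APP_ENCRYPTION_KEY`, and that each key is a base64-encoded 32-byte value (all of these are assumptions for the illustration).

```powershell
# Added example (not the poster's script): set this team's APP_ENCRYPTION_KEY
# variables from a key file checked out of the team's key repository.
# Assumed file layout (hypothetical): keys.json in the repo root, e.g.
#   { "APP_ENCRYPTION_KEY_BILLING": "<base64 32-byte key>", ... }
# Run elevated for -Scope Machine (servers); -Scope User is enough for a dev box.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $KeyFile,
    [ValidateSet('User', 'Machine')] [string] $Scope = 'User',
    [switch] $Overwrite
)

$keys = Get-Content -Path $KeyFile -Raw | ConvertFrom-Json
$set = 0; $skipped = 0

foreach ($prop in $keys.PSObject.Properties) {
    $name  = $prop.Name
    $value = [string] $prop.Value

    # Only touch variables that follow the naming convention; anything else in
    # the file is probably a mistake and should not land in the environment.
    if ($name -notmatch '^APP_ENCRYPTION_KEY(_[A-Z0-9]+)?$') {
        Write-Warning "Skipping '$name': not an APP_ENCRYPTION_KEY variable"
        $skipped++; continue
    }

    # Sanity-check the value (assumed format): a 32-byte key, base64 encoded.
    try { $bytes = [Convert]::FromBase64String($value) } catch { $bytes = $null }
    if (-not $bytes -or $bytes.Length -ne 32) {
        Write-Warning "Skipping '$name': value is not a base64-encoded 32-byte key"
        $skipped++; continue
    }

    # Refuse to silently replace a key that is already provisioned on this box.
    $existing = [Environment]::GetEnvironmentVariable($name, $Scope)
    if ($existing -and -not $Overwrite) {
        Write-Warning "Skipping '$name': already set in $Scope scope (use -Overwrite to replace)"
        $skipped++; continue
    }

    [Environment]::SetEnvironmentVariable($name, $value, $Scope)
    # Log the variable name only; the key value must never reach console history or logs.
    Write-Host "Set $name ($Scope scope)"
    $set++
}

Write-Host "Done: $set set, $skipped skipped"
```

Invoke it as `.\Set-TeamKeys.ps1 -KeyFile .\keys.json -Scope Machine` from an elevated prompt on a server; note that a value in the checked-out file is also in the repository's history on every clone, which is the trust question the post raises.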