RefugeRestrooms / refugerestrooms

REFUGE restrooms indexes and maps safe restroom locations for trans, intersex, and gender nonconforming individuals.
http://www.refugerestrooms.org
GNU Affero General Public License v3.0

How do we share secrets/accounts? #306

Closed mi-wood closed 5 years ago

mi-wood commented 7 years ago

We should look into using a shared secret DB for some of our administrative keys. For accounts that allow multi-user access (ex. heroku) we should use that and make sure at least a few users have access to it. Otherwise, we should have somewhere to grab credentials from.

juliofarah commented 7 years ago

Hi there! Hope you're doing great.

Please, correct me if I got it wrong, but I don't believe you need a secret DB (if you're concerned only about sharing passwords and access keys - .pem files).

In my current project, we currently use git-crypt as a solution for sharing sensitive information such as passwords and access keys in a secure way. All the passwords are checked in with the code, but they're under a gpg encrypted directory.

Please, take a look at the documentation: https://github.com/AGWA/git-crypt

It basically consists of a trusted team member signing a gpg key to allow someone else to decrypt the files.

Hope it helps :)
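An added example, not part of the original comment or of the git-crypt project: with the git-crypt approach described above, a file is only encrypted if a `.gitattributes` rule assigns it the `git-crypt` filter, so a path the rule misses is committed in plaintext. The sketch below lists such paths using `git check-attr`; the repository layout and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list paths that no .gitattributes rule assigns to the
# git-crypt filter, i.e. paths that would be committed in plaintext.

# Print each given path whose "filter" attribute is not "git-crypt".
# Must be run from inside the repository's working tree.
unprotected_paths() {
    for path in "$@"; do
        # git check-attr prints "<path>: filter: <value>"
        value=$(git check-attr filter -- "$path" | sed 's/.*: filter: //')
        [ "$value" = "git-crypt" ] || printf '%s\n' "$path"
    done
}

# Constructed sample repository (hypothetical layout): everything under
# secrets/ is covered by the rule, config/deploy.pem was forgotten.
make_sample_repo() {
    repo=$(mktemp -d) || return 1
    git init -q "$repo" || return 1
    mkdir -p "$repo/secrets" "$repo/config"
    printf 'secrets/** filter=git-crypt diff=git-crypt\n' > "$repo/.gitattributes"
    : > "$repo/secrets/heroku_api_key"
    : > "$repo/config/deploy.pem"
    printf '%s\n' "$repo"
}

# Build the sample repo, report unprotected paths, then clean up.
check_sample() {
    repo=$(make_sample_repo) || return 1
    (cd "$repo" && unprotected_paths secrets/heroku_api_key config/deploy.pem)
    rm -rf "$repo"
}

check_sample
```

The attribute check only reflects the current `.gitattributes`; a file that was committed before its rule existed stays in plaintext in the history, and `git-crypt status` reports the actual encryption state of tracked files.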

mi-wood commented 7 years ago

Thanks @juliofarah! I'll take a look into it when I get a chance!

DeeDeeG commented 7 years ago

There is something kinda similar to this in Rails 5.1, but I'm not sure if that covers the whole set of secrets/passwords you're referring to, @mi-wood.

http://edgeguides.rubyonrails.org/5_1_release_notes.html#encrypted-secrets

DeeDeeG commented 6 years ago

There's now an even newer way to do this in Rails 5.2. See: https://edgeguides.rubyonrails.org/5_2_release_notes.html#credentials

Also there is a guide explaining this new feature: https://edgeguides.rubyonrails.org/security.html#custom-credentials

DeeDeeG commented 6 years ago

Another way to do this is to just send them to each person via secure messaging. Things off the top of my head:

(If we want to be a bit more lax about security and opt for convenience, we could just send them over private messaging, whether it be on Slack, Facebook, Twitter, etc. I feel like we are not a big target for being hacked, realistically. But the "secure" options here seem somehow more diligent and purpose-appropriate choices for sharing secret info.)

In any case, I think we need a secure (or at the very least private or one-to-one) messaging service to deliver the decryption key if we use one of the "store the keys, encrypted, in plain sight in your repo" approaches. So we will need private/secure messaging to do any suggestion given so far in this issue thread. Edit: or sign everyone up with a GNU Privacy Guard (gpg) identity, as one option for the git-crypt solution mentioned above.

mi-wood commented 5 years ago

An FYI on this, since I did this. I have a family plan for 1Password and shared a vault with @tkwidmer. This should suffice for the time being. I think they recently introduced some sort of plan for nonprofits/charities, so if we ever need to upgrade we can look into that.

DeeDeeG commented 5 years ago

Relatedly, we could set up a "Heroku Team" to share access to the Heroku instance, if need be. Seems very similar to "Organizations" here on GitHub.

mi-wood commented 5 years ago

@DeeDeeG We're using this currently. The transition is what deleted the DB a while back 😬

DeeDeeG commented 5 years ago

If GitHub had a shocked/horrified emoji reaction, this would be the time I'd press it.

Welp.