Closed the-smooth-operator closed 5 years ago
I have been looking at Blackbox developed by StackExchange. Basically it is a CLI tool that uses GPG for encrypting selected files. Seems to be simple and intuitive to use and it fits our needs.
I'm interested in knowing what you think about it, from your perspective as a developer, administrator, security engineer... @fiji-flo @ziegeer @andrewkrug @danielhartnell
I was leaning toward Credstash as I like the security of the KMS backend, but I'm not sure what the development story is for that, so others' experiences will be more important.
Things like transparent `git diff` concern me as far as leaking secrets.
Just as a note: we replaced credstash with directly using Parameter Store in AWS for CIS.
IT-SRE has decided to use private git repos + git-crypt to store secrets. However, this decision might be revisited in the future. For the moment I've created a new private repo, added all the GPG keys of the IT-SRE team members, and encrypted the few secrets we have. Calling this one done.
Another note: we're probably going to replace Parameter Store with AWS Secrets now that it's a thing, mainly because of threshold/rate limits. Not that it helps you directly, but in case someone reads this issue someday :)
@gdestuynder thanks for your input. We were also thinking about using AWS Secrets, and most likely we will revisit this in a few months. I'll come back to you for guidance ;)
Currently Kubernetes secrets are not version controlled and are managed manually. As we are moving the cluster to a more production-ready state, this issue has to be tackled. Let's keep the discussion about possible solutions in this thread.