ocf / projects

Overview of technical OCF projects

Shared password management @ OCF #8

Open fydai opened 5 years ago

fydai commented 5 years ago

Exported from https://ocf.io/rt/6486

cg505 commented 5 years ago

Most password managers would also allow us to store TOTP 2fa, which would allow us to enable 2fa on our external accounts

ethanhs commented 5 years ago

Yeah I think a shared password manager would make a lot of sense.

Perhaps we should think about what features we want from it? And any bonuses e.g. yubikey support.

cg505 commented 4 years ago

Discussion on IRC today: https://irclogs.ocf.berkeley.edu/rebuild/2020-04-22#1587611344-1587612444;. Excerpt with VPN discussion trimmed.

20:09 \ bitwarden_rs maybe
20:10 \ well what's the risk of hosting an open bitwarden server
20:10 \ bitwarden is probably fine, bitwarden_rs isn't audited
20:11 \ maybe that's a reason not to use it at all lol
20:11 \ like, the ocf doesn't really have solid security practices. we don't have the ability to be responsible stewards of really sensitive data
20:11 \ bitwarden is fully encrypted so i guess it's kind of ok. but that's why i asked what the risks are
20:12 \ bitwarden for infra passwords?
20:12 \ I hear there's a text file
20:12 \ oh uhh
20:12 \ i see what you mean
20:14 \ i'm not familiar with that kind of bitwarden deployment. it could be reasonable. anything over http can be secured with keycloak though, so i don't think you'd need a VPN
20:15 \ i always thought bitwarden was intended for personal use, not for sharing passwords between a team
20:15 \ Bitwarden definitely has team support
20:15 \ i see a bunch of alternatives by googling "team password sharing selfhosted"
20:16 \ i would pick one that supports authentication via reverse proxy. then we can use keycloak and be reasonably satisfied about its security
20:17 \ i'd also add that we don't really care about encryption, which i thought was bitwarden's whole thing?
20:20 \ (should also pick one that stores its data in a simple format so it can be accessed or backed up to be used if our infra is unavailable)
20:21 \ dkessler: bitwarden supports exports, also when you use a local client it syncs so that if your remote server goes down you still have everything from the last sync
20:27 \ use hashicorp vault /s
20:27 \ someone suggested that in the k8s interest meeting