If you are deploying application, at some point you have to:
- rebuild infrastructure
- change password
- share credentials
- revoke access
In any of those steps, there is a need to expose sensitive information to your deployment, so it can authenticate and access resources properly. We usually call those sensitive pieces of data a secret.
The secret is any non-public information you want to control and limit access to.
Most common used secrets when managing infrastructure are:
- passwords / PIN
- API keys / tokens
- SSH credentials
How can we protect those secret information, but at the same time make them available to a service or person with proper authorization?
Security control proposal
In complex environment, solution is to use secret management software accessible via network. Those solutions usually has multiple advantages:
- one place for secrets, hence projects are scalable
- ability to revoke access
- auditable activities
- security - data are usually encrypted at rest
Most common on-premise secret management solutions are:
Of course, for simple projects and small deployments, it’s possible to encrypt secret information in a git repository, however, this solution does not scale and is not future-proof, so we consider it out-of-scope.