What technologies, protocols, and processes do you use to pass around private keys? I find some of the more secure practices involve extra steps that makes it tempting for folks to bypass them for expediency. I am wondering you folks do and if you recommend it.
For further actions, you may consider blocking this person and/or reporting abuse
Oldest comments (19)
One of my previous companies used Cryptocat exclusively for this. :)
So typically people would interact on a different platform, like Slack, etc. and then dip into Cryptocat to share secrets?
Yes!
I've been looking at using passbolt for out company but it currently only supports passwords and not other credentials such as API keys and SSH keys
Keybase has made this easy and rather painless, though I still think they have some work to do (e.g. why should we trust them?).
Other than that, home-grown tools that create secure secret lockers in github work OK, so long as you wrap the difficult PGP bits. At Rackspace, we had a template project for these kinds of things. (See github.com/racker/secure-template).
We're a small team in a university setting, 7 members, of which 3 are not really involved in our system/need quick access.
We now use pass (passwordstore.org) and Git on a in-house repository. This of course requires that all members that need access to secrets maintain a properly secured GPG Key. Strict hierarchy and access on a as-needed basis for every person. Integrates beautifully with Ansible, which we use for CM and Deployment.
Before that we used a mixture of Keepass and Ansible Vault, which had the restriction of one global password that everyone knew, so we needed to split this file up into two for two separate "security levels", which was really cumbersome. Syncing was really annoying. Transfering from Keepass to Ansible Vault was a pain, so we started keeping passwords only in vault. Accessing a secret? Open your personal Keepass to get the Password for the Group Keepass, Extract the Vault Password, Open the Vault, read the secret.
We whisper them from trusted person to trusted person. Digit by digit...
My favourite reply! :D
A lot of our passwords are just the name of the company plus a few numbers.
(Don't worry, really sensitive things use ssh public key authentication. Since all keys involved are public it's fine to put them in Slack.)
We use our password manager of choice, with separate vaults to ensure nobody gets lost in the noise.
We used to allow password manager of choice, KeePass being popular. But then they locked it down, and you're only allowed to keep them on an application called Secret Server that has a bunch of features like temporary privilege escalation.
At Manifold, we built Torus CLI for sharing secrets between humans and machines from development to production.
It integrates directly into your workflow, so you can model the way you store your secrets to the way you organize and deploy your code. All of the secrets are encrypted on the client using an elliptical curve keypair derived from the users stretched password.
Today, we're using it across our different code bases, from sharing secrets in development (for testing email, or other cloud services) to integrating directly into our CI/CD flow for our Single Page Applications to ensure none of our deployment or build secrets ever touch disk.
To give someone access to deploy our core stack using terraform, we just add them to the
devopsteam and then they can runtorus run -e production -- terraform apply. No decrypting files using gpg, dealing with binary merge conflicts, or educating users about keeping secret keys safe.When it comes time to rotate a secret, with one command it's out of rotation, we just need to deploy to bring everything up to date. Most importantly though, when someone leaves our company or changes teams, it's really easy for us to track down which secrets need to be rotated using the
torus worklogcommand.It's really reduced all of the day to day friction to working with secrets, from giving people access, to ensuring they're up to date.
LastPass secure notes