re: How does your organization pass secret keys around? VIEW POST


We're a small team in a university setting, 7 members, of which 3 are not really involved in our system/need quick access.

We now use pass (passwordstore.org) and Git on a in-house repository. This of course requires that all members that need access to secrets maintain a properly secured GPG Key. Strict hierarchy and access on a as-needed basis for every person. Integrates beautifully with Ansible, which we use for CM and Deployment.

Before that we used a mixture of Keepass and Ansible Vault, which had the restriction of one global password that everyone knew, so we needed to split this file up into two for two separate "security levels", which was really cumbersome. Syncing was really annoying. Transfering from Keepass to Ansible Vault was a pain, so we started keeping passwords only in vault. Accessing a secret? Open your personal Keepass to get the Password for the Group Keepass, Extract the Vault Password, Open the Vault, read the secret.

Code of Conduct Report abuse