re: How does your organization pass secret keys around? VIEW POST


At Manifold, we built Torus CLI for sharing secrets between humans and machines from development to production.

It integrates directly into your workflow, so you can model the way you store your secrets to the way you organize and deploy your code. All of the secrets are encrypted on the client using an elliptical curve keypair derived from the users stretched password.

Today, we're using it across our different code bases, from sharing secrets in development (for testing email, or other cloud services) to integrating directly into our CI/CD flow for our Single Page Applications to ensure none of our deployment or build secrets ever touch disk.

To give someone access to deploy our core stack using terraform, we just add them to the devops team and then they can run torus run -e production -- terraform apply. No decrypting files using gpg, dealing with binary merge conflicts, or educating users about keeping secret keys safe.

When it comes time to rotate a secret, with one command it's out of rotation, we just need to deploy to bring everything up to date. Most importantly though, when someone leaves our company or changes teams, it's really easy for us to track down which secrets need to be rotated using the torus worklog command.

It's really reduced all of the day to day friction to working with secrets, from giving people access, to ensuring they're up to date.

Code of Conduct Report abuse