Encrypt and store secret keys in private git repo #23
Labels: Dev Ops (Might require going into DB or hosting service), enhancement (New feature or request), help wanted (Extra attention is needed)
Situation
We have some API keys we want to keep secret, such as our Canvas API auth token. We should expect the amount of secrets to grow as we develop the app.
Current Method
The current method for keeping these secret is storing our app/canvas.py file (which currently has all of them) in Google Drive and downloading it whenever setting up a new repo.

Reasons for Change
This is working for the moment, but I see/foresee the following issues:
- app/canvas.py contains more than just secrets, and it'd make sense to only have the secrets stored privately and not any application code.
- app/canvas.py into place, and even then the app fails if it can't auth with the services correctly.
- app/canvas.py, we'll have to store even more files in Google Drive.
- app/canvas.py from Google Drive, so any time we need to access it requires a manual process.

Proposed Method
(This method is based on how we managed our secret keys at a previous company I worked at)
Private Git Repo
Now that we have a GitHub organization, we can create a free private GitHub repo that will be where the secrets are stored. The secrets can be stored in a really plain/easy to parse format such as JSON, YAML, or even as .env files. This way, we can have them get automatically imported into our app as long as they are available on the running machine and in the expected path in the app repo.

Encryption
We will never put the secret keys into the GitHub repo without first encrypting them. There's a really cool tool called ansible-vault that allows you to easily encrypt files and edit them as needed as long as you have the encryption key. This encryption key is something we can store in a shared password manager, such as LastPass, so that whomever needs access to the secrets can have it.

How It Would Work In Practice
Setup for development
If you were setting the app up for development, all you'd need to do is:
./bin/dev/setup-secrets <encryption-key>
) and it would:

Setup for CI
CI may or may not need any secrets, but if it ends up needing some, we can easily run the procedure above in the CI setup.
Setup for production
Production will certainly need the secrets, and we can include the steps above for pulling the latest secrets from GitHub whenever the app is deployed.
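One concrete shape for the setup-secrets step described above, as an added example that is not from this issue or the project: it syncs the private secrets repo, refuses to proceed unless the stored file really carries the ansible-vault header and the plaintext destination is gitignored, then decrypts with ansible-vault. The repo URL, directory and file names are assumptions, and the vault password is read from a file rather than passed on the command line so it stays out of shell history and process listings.

```shell
#!/usr/bin/env bash
# Hypothetical bin/dev/setup-secrets (added example; not the project's code).
# Assumed layout: private repo cloned to ./secrets, encrypted file app.env.vault
# inside it, and the app reading plaintext from app/.env (all constructed here).
set -eu

SECRETS_REPO_URL="${SECRETS_REPO_URL:-git@github.com:EXAMPLE-ORG/secrets.git}"  # placeholder
SECRETS_DIR="${SECRETS_DIR:-secrets}"
VAULT_FILE="app.env.vault"
PLAINTEXT_TARGET="app/.env"

# True only if FILE starts with the ansible-vault header, i.e. it was encrypted
# before it reached the repo; anything else is treated as a plaintext leak.
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# True if PATH is listed verbatim in GITIGNORE (default .gitignore), so the
# decrypted file cannot be committed to the app repo by accident.
is_gitignored() {
    local path="$1" gitignore="${2:-.gitignore}"
    [ -f "$gitignore" ] && grep -qxF -e "$path" -e "/$path" "$gitignore"
}

# Clone the private secrets repo on first run, fast-forward it afterwards.
sync_secrets_repo() {
    if [ -d "$SECRETS_DIR/.git" ]; then
        git -C "$SECRETS_DIR" pull --ff-only
    else
        git clone --depth 1 "$SECRETS_REPO_URL" "$SECRETS_DIR"
    fi
}

# Decrypt into place. The vault password comes from a file (keep it mode 600),
# not argv; umask 077 makes the written plaintext readable by this user only.
install_secrets() {
    local password_file="$1" src="$SECRETS_DIR/$VAULT_FILE"
    is_vault_encrypted "$src" || { echo "refusing: $src is not vault-encrypted" >&2; return 1; }
    is_gitignored "$PLAINTEXT_TARGET" || { echo "refusing: $PLAINTEXT_TARGET is not gitignored" >&2; return 1; }
    (umask 077 && ansible-vault decrypt --vault-password-file "$password_file" \
        --output "$PLAINTEXT_TARGET" "$src")
}

main() {
    [ $# -eq 1 ] || { echo "usage: $0 <vault-password-file>" >&2; return 2; }
    sync_secrets_repo && install_secrets "$1"
}

if [ $# -gt 0 ]; then main "$@"; fi
```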
Modifying Secrets
Whenever you need to change, add, or remove secrets, it's as simple as running ansible-vault edit path/to/encrypted/secrets/file and it will open up the file in a text editor where you can make any changes you want, and then you'd simply push this change to the GitHub repo.

Pros