These tools provide a means of securely storing secrets (encryption keys, passwords, all that good stuff that you want to make available to your production systems but must protect from exposure). I started my research with this Reddit post.
Simple Tools
SOPS: Simple and flexible tool for managing secrets (getsops.io | SOPS on GitHub). SOPS allows secrets to be encrypted directly in the configuration files from which your applications load them; using SOPS, secrets are decrypted at runtime.
Using SOPS is kind of a pain, but it doesn't involve relying on any external web services. It supports encrypting secrets using PGP (and that got me stuck looking at all the new encryption types in the latest gnupg; see the Post Quantum Cryptography section below). It works as follows.
Create a sops.yaml file in the root of your project. At minimum this file needs to specify the fingerprint of the PGP key you'll use to encrypt secrets. It supports other methods… but why? I'm not interested.
creation_rules:
  - path_regex: ./*
    pgp: 'FA2A456F0B079A46CDE2E2275D2D'
Move your .env file variables into a JSON file, converting the list of variables to a dictionary:
{"SECRET1": "SECRET1VAL", "SECRET2": "SECRET2VAL", ... "SECRETN": "SECRETNVAL"}
Run sops encrypt env.json > env.enc.json, which will encrypt the individual values within the file. Take a look.
Run sops exec-env env.enc.json '<your app launch command>'. Any application launched with sops exec-env <encrypted secrets file> '<command>' will have an environment variable defined for each key in the JSON dictionary… which is why we converted our .env variables to JSON keys. To use this, make sure your app doesn't specifically need the .env file. I got some warnings that I think came from python-dotenv, but it all seems to be working fine anyway.
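The .env-to-JSON conversion and the "take a look" check from the steps above, as an added example (my code, not from SOPS or the original post). It assumes a POSIX-style .env file, and that `sops encrypt` writes every encrypted value as an `ENC[...]` string and adds a top-level `sops` metadata key (which is what it does for JSON); the sample .env and the sample sops output are constructed, and sops itself reads its rules from `.sops.yaml` (with the leading dot).

```python
"""Added example (not from the original post): turn a .env file into the
JSON dictionary that `sops encrypt` expects, then check sops's output so
no plaintext value gets committed by mistake."""
import json
import re

_ASSIGN = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

def dotenv_to_dict(text: str) -> dict:
    """Parse KEY=VALUE lines: skip blanks and # comments, drop an `export`
    prefix, keep quoted values verbatim, strip ` # comment` from unquoted."""
    out = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a KEY=VALUE assignment")
        key, val = m.group(1), m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        else:
            val = val.split(" #", 1)[0].rstrip()
        out[key] = val
    return out

def unencrypted_keys(enc_json: str, expected_keys) -> list:
    """Return the keys whose value in sops's output is missing or is not an
    ENC[...] ciphertext; an empty list means every secret is encrypted."""
    doc = json.loads(enc_json)
    if "sops" not in doc:  # sops always adds this metadata block
        return ["<no sops metadata: file was not written by sops>"]
    return [k for k in expected_keys
            if not (isinstance(doc.get(k), str) and doc[k].startswith("ENC["))]

# Constructed sample inputs (not real secrets, not real ciphertext).
SAMPLE_ENV = """# database
export DB_PASSWORD='p@ss word'
API_KEY="abc#123"
DEBUG=true # not a secret
"""
SAMPLE_ENC = json.dumps({
    "DB_PASSWORD": "ENC[AES256_GCM,data:xx,iv:xx,tag:xx,type:str]",
    "API_KEY": "ENC[AES256_GCM,data:xx,iv:xx,tag:xx,type:str]",
    "DEBUG": "true",  # still plaintext, e.g. excluded by an encrypted_regex
    "sops": {"version": "constructed"},
})
if __name__ == "__main__":
    print("still plaintext:", unencrypted_keys(SAMPLE_ENC, dotenv_to_dict(SAMPLE_ENV)))
```

Write the dictionary out with json.dump to get the env.json that `sops encrypt` takes as input; running the check over the real env.enc.json before committing catches any key that an overly narrow rule left in the clear.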
pass, the standard unix password manager: bleh…
Components of Larger Software Packages
Portainer.io: Container management for Docker and Kubernetes with a built-in system for managing secrets | How to create and manage Kubernetes Secrets in Portainer
Ansible Vault
Webservice Based Solutions
VaultPlusPlus: looks promising, but the command is provided as a binary only and it doesn't seem to work on my Fedora Kinoite system.
AWS Secrets Manager: $0.40 per secret/month, $0.05 per 10k API calls, so pretty reasonable… except my newest app has like a dozen secrets at least. There are free options below that will be much less expensive, but less full-featured.
1password.com: a user account is $2.99, but I think the $19.99 package is necessary to access the secrets management for web applications.
Evervault: Free edition limited to 500 decrypts/month which, depending on how your project is coded, could be plenty or not nearly enough.
Infisical: Free edition is entirely usable.
Using Infisical: fairly simple CLI usage.
First install (rpm, apt, or npm).
Go to the directory for the project where you want to create an association with an Infisical project, run infisical init and choose the appropriate project.
Now you can prefix any command with infisical run --env=<dev,staging,production> --path=/path/to/application <application start command>.
Alternately, you can run infisical secrets --env=<dev,staging,production> and it will print out a table: SECRET NAME | SECRET VALUE | SECRET TYPE.
Doppler: Free edition is entirely usable; similar CLI usage to Infisical.
First install (rpm, apt, or shell script; for the shell-script option on Fedora ostree-based installs, you must save install.sh, edit it to set USE_PACKAGE_MANAGER=0, then run it as root).
Run doppler login to get a token.
Go to the directory for the project where you want to create an association with a Doppler project, run doppler setup and choose the appropriate project.
Now you can prefix any command with doppler run --command="<application start command>". For example, the simplest case, to verify the secrets are accessible: if you created a secret called TEST_SECRET, run doppler run --command="echo \$TEST_SECRET" and it should print the secret value to the screen, demonstrating that it is now available as an environment variable.
HashiCorp Vault: was free, now requires HashiCorp Dedicated at $400+/month.
Pulumi IaC ESC: Pulumi is an Infrastructure as Code provider.
Summary
In experimenting with the recommendations from the Reddit post I found Doppler and Infisical to be the best web service options… really the only usable ones.
Ubiq: Encryption for Everything
Not exactly a secrets manager, but an interesting service that I feel like mentioning anyway. It is designed to be very easy to implement so that no sensitive data need be left unencrypted at rest.
Ubiq: it might be possible to set up a workflow using Ubiq for secrets management, since it provides such generic access to encryption.
Post Quantum Cryptography
SOPS's PGP support got me stuck looking at all the new encryption types that have appeared in the latest version of gnupg. Unfortunately none are quantum safe, even though it sounds like the algorithms exist.
Post Quantum Cryptography (PQC)
Shor's Algorithm: theoretically capable of defeating all traditional asymmetric key encryption (RSA and all variations of elliptic-curve) given sufficient quantum computing resources, because of its potential to efficiently factor large numbers and solve discrete logarithms. Not demonstrated in practice yet, but the theoretical possibility is probable enough to warrant the development of new methods for generating asymmetric keypairs. So far the following have been proposed:
Post-quantum cryptography research is mostly focused on six different approaches:
Lattice-based cryptography
Multivariate cryptography
Isogeny-based cryptography
Symmetric key quantum resistance
Hybrid encryption is often recommended, where data is encrypted with both a new post-quantum encryption technology and an existing, proven, non-post-quantum encryption technology like ed25519. This way, if the new algorithm turns out to be vulnerable to a non-quantum attack, the data will still be protected by the well-tested but not quantum-safe algorithm. This is a good idea, since there is a lot of risk with the new algorithms simply because they are so new.