All guides to deploy using docker mention typing your keys/credentials/secrets into the docker compose file, or use a .env or similar file. I’m wondering how secure this is and if there’s a better option.

Also, this has the issue of having to get into the server to manage them, remembering which file has each credential.

Is there a selfhostable secrets manager? I’ve only found proprietary/paid ones for large infrastructures and I just need it for a couple of my servers/projects.

  • @loganmarchione
    8 points · 1 year ago · edited

    There’s also Infisical if you don’t want to run Vault

    https://github.com/Infisical/infisical

    I personally use Ansible to deploy my .env files to my Docker host. The .env files are encrypted in Ansible Vault and deployed to the server as chmod 400 so only I can access them.
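    The Ansible approach described above, written out as an added playbook (this is an illustration, not the commenter's own playbook): the .env file is kept vault-encrypted in the repository, decrypted only on the control node at deploy time, written with mode 0400 to the Docker host, and kept out of task logs. The inventory group `docker_hosts`, the `deploy` user, and the paths `secrets/myapp.env` and `/opt/myapp` are assumptions.

```yaml
# Added example, not from the thread. Assumptions: inventory group "docker_hosts",
# a local file secrets/myapp.env previously encrypted with
#   ansible-vault encrypt secrets/myapp.env
# and a compose project living in /opt/myapp on the server.
- name: Deploy vault-encrypted .env files to the Docker host
  hosts: docker_hosts
  become: true
  tasks:
    - name: Write the decrypted .env, readable only by its owner
      ansible.builtin.copy:
        src: secrets/myapp.env     # vault-encrypted on the control node
        dest: /opt/myapp/.env
        owner: deploy
        group: deploy
        mode: "0400"               # the chmod 400 the comment describes
        decrypt: true              # copy decrypts vault-encrypted sources (default)
      no_log: true                 # keep the secret contents out of playbook output
      notify: Restart compose stack

  handlers:
    - name: Restart compose stack
      ansible.builtin.command:
        cmd: docker compose up -d --force-recreate
        chdir: /opt/myapp
```

    Run it with `ansible-playbook deploy-env.yml --ask-vault-pass` (or `--vault-password-file`), so the vault password never needs to be on the Docker host.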

  • @kraftverk
    7 points · 1 year ago

    Perhaps look into HashiCorp Vault

    • manitcor
      4 points · 1 year ago

      seconded for hashicorp, you can do secrets and env vars while cutting your teeth but you should be on a path to learning and setting up secure secrets vaults.

    • @NewDataEngineer
      1 point · 1 year ago

      I wish there was something between hashicorp vault and keepass. I want a nice simple UI that even my family could use with Terraform integration. Anyone know of such a program?

      • @[email protected]
        7 points · 1 year ago

        I have no experience with terraform but Bitwarden has an API and CLI, so you might be able to script something with it?

        • @NewDataEngineer
          2 points · 1 year ago

          Thanks. I knew about bit/vaultwarden but I just looked and I see that there is a Terraform module and the UI looks good.

          Thanks.

        • @[email protected] (OP)
          1 point · 1 year ago · edited

          I was thinking about this, since it’d be using foss, but if no library exists to handle the pass to a script/config file then it’d be maintaining a custom solution which might not be that secure.

          Edit: hashicorp’s vault is open source, so I’ll be giving it a try.
          https://github.com/hashicorp/vault

          • @NewDataEngineer
            0 points · 1 year ago

            Bitwarden has a CLI that you can script with. Also vaultwarden is the FOSS version.

            Just in case you want to try.

  • @[email protected]
    2 points · 1 year ago

    The suggestions here are good for production. I’ve used AWS Secrets Manager and HashiCorp Vault before and both did everything we needed.

    I find they’re too much firepower for selfhosted, and prefer pass

    https://github.com/peff/pass

    Simple commandline tool, backed by a gpg encrypted git repo. Perfect for small use cases!