Secrets are values that must never be sent between humans or applications, or stored, in cleartext: SSNs, passwords, private keys, and many other kinds of data. We use HashiCorp Vault, a project designed around very strong protection of secrets paired with automation.
Authenticating to Vault
The Infrastructure team supports multiple methods for developers, support staff, and applications to authenticate against Vault.
Setting up your GitHub team
We've set up Vault to authenticate with GitHub teams. The docs require running a script (someone on Infrastructure can help).
Setting up your application
We've set up Vault authentication methods for applications.
Creating secrets
We have guides for creating secrets. Typically these are written to secret/$app/$name paths, where $app is your application's name (e.g. device-service) and $name is a descriptive name for the secret itself (e.g. db-password).
If a secret is shared between multiple apps, $app will often be the team's name instead.
Paths under secret/ are always the same across environments, so an application reads the same path in every environment and only the stored value differs.
- RSA keypairs (used for encryption and decryption)
- Certificates from the Banno CA
- Generating random text (N random bytes): openssl rand -hex N or openssl rand -base64 N. Note that N counts bytes of randomness, not output characters: -hex N prints 2N hex characters and -base64 N prints roughly 4N/3 characters, so ask for the entropy you need (32 bytes is a sensible default for tokens) rather than a character count.
Writing secrets
We've set up a guide covering multiple ways to write secrets into Vault. Avoid passing the secret value as a command-line argument, since it then lands in shell history and is visible in the process list; read it from stdin or a file instead.
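As an added example that is not part of these docs or the Infrastructure team's tooling, the following POSIX shell helpers tie together the secret/$app/$name convention, openssl rand for generating random values, and writing a secret into Vault. It assumes the vault CLI with VAULT_ADDR and VAULT_TOKEN already set for a real write; with DRY_RUN=1 (the default) it only prints the vault command, so it runs offline. The character-set rule enforced on $app and $name, and the default key name "value", are assumptions for illustration, not a documented policy.

```shell
#!/bin/sh
# Added example, not the Infrastructure team's tooling. Assumes the vault CLI,
# VAULT_ADDR and VAULT_TOKEN are configured when DRY_RUN=0.
set -eu

# Build the canonical secret/$app/$name path. Components are restricted to
# lowercase letters, digits and hyphens (an assumed convention, e.g.
# device-service), which also blocks path tricks such as "../other".
secret_path() {
    app=$1
    name=$2
    for part in "$app" "$name"; do
        case $part in
            ''|*[!a-z0-9-]*|-*|*-)
                echo "secret_path: invalid path component '$part'" >&2
                return 1 ;;
        esac
    done
    printf 'secret/%s/%s\n' "$app" "$name"
}

# Generate N random bytes, hex or base64 encoded. N counts bytes of entropy,
# not output characters: "gen_random 32 hex" prints 64 hex characters.
# Falls back to /dev/urandom (still a CSPRNG) if openssl is not installed.
gen_random() {
    n=$1
    enc=${2:-hex}
    case $enc in
        hex|base64) ;;
        *) echo "gen_random: encoding must be hex or base64" >&2; return 1 ;;
    esac
    if command -v openssl >/dev/null 2>&1; then
        openssl rand "-$enc" "$n"
    else
        case $enc in
            hex)    od -An -vtx1 -N"$n" /dev/urandom | tr -d ' \n'; echo ;;
            base64) head -c "$n" /dev/urandom | base64 ;;
        esac
    fi
}

# Write a single-key secret at secret/$app/$name, reading the value from
# stdin ("key=-" tells vault to read stdin) so it never appears in shell
# history or `ps` output. DRY_RUN=1 (default) prints the command instead.
put_secret() {
    path=$(secret_path "$1" "$2") || return 1
    key=${3:-value}
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'vault kv put %s %s=-\n' "$path" "$key"
        cat >/dev/null   # drain stdin so the secret is not left dangling
    else
        vault kv put "$path" "$key=-"
    fi
}

# Usage: generate a 32-byte API key and write it (dry run by default).
gen_random 32 hex | put_secret device-service api-key
```

To perform the real write, run the last line with DRY_RUN=0; the generated value is piped straight into vault and never echoed to the terminal.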