Replies: 3 comments
-
Have you seen ejson and https://github.com/Shopify/ejson2env ? It allows you to keep secrets in the repo, secure at rest. It’s an opinionated approach to secret management. I’ve found the ENV/config:set split convenient to separate out variants I don’t mind visible in the repo (ENV) from those I want to keep out of the code (config:set). In order for the uwsgi daemon to restart processes, it would need access to the private key that unlocks the secrets, or the secrets would need to be stored on the server decrypted at rest, if I’m not mistaken.
-
That looks cool, thanks Eric. My preference is for Piku to stay out of opinionated secrets management itself and document a few good options for users. I will probably test out ejson2env myself, thanks for sharing!
-
This is the kind of thing that we could do with plugins. Anyway, I agree that it might be too much to handle in
-
Right now there are two main approaches to handling secrets outside the ENV file: config:set
However, there is an interesting middle ground to explore, and things like ssh-crypt may play a role here (although it may not be ideal to manually SSH in to decrypt secrets so you can restart apps after a server failure).
None of these prevent secret exfiltration from a running app (nothing does, really), but it would be interesting to have alternatives here, preferably backed by some kind of at-rest encryption.