Ask HN: Where to store sensitive keys?

7 points by level09 ↗ HN
I was wondering if there is a safe way to have different API/private keys stored on my machine, this helps creating helpful deployment and automation scenarios. however, having the keys reside in files seems to be a bit dangerous to me, maybe there is a better secure way to store them?

5 comments

[ 3.0 ms ] story [ 22.9 ms ] thread
If you use Puppet for deployments and management, you could use Hiera-Eyaml: encrypted YAML. Then it's just a matter of managing the master key.
Put them in Environmental Variables in the same shell that starts the process.
Take a look at HashiCorp's Vault
Hashicorp Vault is simple to run and has a HTTP api and cli.

But you want as little as possible hassle of course. I didn't require high availability, but liked coding to the vault api so i could go there later. I wanted to store and administer secrets in encrypted yaml, which i could then batch load into Hashicorp Vault. I use Ansible Vault to manage the encrypted yaml file with a passphrase.

To this end I created Safe, a tool to run Hashicorp Vault and load secrets from yaml in a single command. See https://gitlab.com/nerdalize/safe. It requires Docker, the bash script (and Ansible Vault or some other file encryption util).