Secrets Management Request

I’m not sure if @Jay will be including the topic of Secrets Management in his Enterprise Security series, but, this is an area I think would be beneficial to many.

At my last employer we used Thycotic for general Key, Token and Password management. We didn’t use it for automated-credentials on server instances or anything, mainly just user access type things.

Over the last week alone I’ve created a dozen or more Keys, Tokens, and passwords for just the small number of things I’ve been working on. As the number of servers / services in my Hybrid Homelab / Cloud endeavors increases, so does the need for some kind of reasonable secrets management strategy. I’ve been looking at (for some time now) HashiCorp Vault but it’s not a simple solution to implement.

Maybe just an open discussion with folks describing their version of best practices would get us going, I don’t know, just looking for a solid start somewhere.

3 Likes

We haven’t (yet) nailed down the topic list for that series yet, but this is definitely something I’d hope to see featured for sure.

2 Likes

Being new to linux, even though I have dabbled in it since the early days. It has always been just a hobby for me. I have never really got the grasp on key management. So what [KI7MT] said I am interested in.
Basically for an example, I have a desktop, laptop, 2 local servers and a server at NFOservers. So it’s a small situation, but I am not sure if I should just keep a folder with the ssh keys in it so and just copy them to the new systems as I need them. (I tend to nuke my system first then say I forgot the freakin keys again)

There are many different approaches. One approach that works for me in my little home lab is to do all of my infrastructure work from my laptop.

  1. Each machine has its own key pair.
  2. My laptop is my administration node. I copy my public key from the laptop to other machines as part of the bring-up process.
  3. If I am working from my desktop, I ssh into my laptop in order to ssh into other machines.

It took a bit of adjustment for me to think about my network as a unified system with a central management point rather than a bunch of ad hoc nodes with random key-pair relationships.