Serious issue with secret storage advice #18

Open
DLMousey opened this issue Aug 11, 2020 · 1 comment


DLMousey commented Aug 11, 2020

### Store your secrets encrypted in a git repository

**Advantages**

* Your secrets are synced.

No, no no no no no,
No.
No.

Secrets have no place in version control - they shouldn't be distributed, they shouldn't be in version control.
If the secrets are encrypted and in version control, that's even worse, because you have to distribute the private key for them as well; sooner or later this will inevitably end up in your repository.

Once the secrets (and worse - potentially your private key too) are in version control (and heaven forbid outside of a network you control), you are relying completely on software you likely don't have control over to ensure these secrets remain exactly that: secret.

This is before you get to the issue of there suddenly being zero accountability: if you're using something like AWS and using a non-free service, and everyone's using the same set of credentials, there's no way of keeping track of who's running up the bill.

Secrets need to be exactly that: secret. Bonus points if they're also easy to revoke and replace.


austinmccalley commented Aug 11, 2020

Opening a private repository that hosts all of the secrets opens up a new attack vector. Often people will sign up for random services and use the GitHub integration; often, they don't review what the service is allowed to see. This is another attack vector. As DLMousey said above, you are relying on software outside of your network to be in control rather.
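Both comments above argue that secrets must never reach a repository in the first place. As an added example that is not part of this thread or of the project under discussion, here is a minimal git pre-commit hook that scans the staged diff and refuses the commit when an added line looks credential-bearing. The AWS access key ID shape and the PEM private-key header are well-known formats; the 32-character token run and the 4.5-bit entropy threshold are assumed values for this example and should be tuned per repository. Copy it to `.git/hooks/pre-commit` and make it executable.

```python
import math
import re
import subprocess
import sys

# Well-known shapes: AWS access key IDs and PEM private-key headers.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem-private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Long base64-like runs with high entropy; the threshold is an assumed value, tune per repo.
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 4.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_secrets(diff: str):
    """Return (diff line number, reason) for each added line that looks secret-bearing."""
    hits = []
    for no, line in enumerate(diff.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only newly added content matters; skip the file header
        body = line[1:]
        for name, pat in PATTERNS.items():
            if pat.search(body):
                hits.append((no, name))
        if any(shannon_entropy(t) >= ENTROPY_THRESHOLD for t in TOKEN.findall(body)):
            hits.append((no, "high-entropy-token"))
    return hits


def main() -> int:
    """Hook entry point: scan the staged diff and block the commit on any hit."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    hits = find_secrets(diff)
    for no, reason in hits:
        print(f"refusing commit: diff line {no} looks like a secret ({reason})",
              file=sys.stderr)
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

A hook like this is a local safety net, not a substitute for keeping secrets in a dedicated secret store; anything it misses still lands in history, where it must be treated as compromised and rotated.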
