mewpmewp2 6 hours ago
How do you manage secrets for your projects?

  mr_toad 5 hours ago
  One option is pass, which is a shell script that uses GPG to manage passwords for command line tools. You can put the password store into a git repository if you need to sync it across machines.

    chrisweekly 5 hours ago
    Wait, what? "put the password store into a git repository"?!

      dflock 4 hours ago
      The store, in the case of pass, is a plain text file whose contents are encrypted strings. If you trust the encryption, you can put it anywhere you like. Keep the keys secret and safe, though!

  diggan 6 hours ago
  Using a password manager for fetching them when needed. 1Password in my case, but I'm sure any password manager can be used for storing secrets for most programming projects.

    mewpmewp2 5 hours ago
    I was thinking about one more case, if you are using 1password as a cli tool. Let's say you "op run -- npm dev". If there's a malicious node modules script, it would of course be able to get the env variables you intended to inject, but would it also be able to continue running more op commands to get all your other secrets too if you have started a session?
    Edit: Testing 1Password myself, with 1password desktop and shell, if I have authed myself once in shell, then "spawn" would be able to get all of my credentials from 1Password. So I'm not actually sure how much better than plaintext that is. Unless you use service accounts there.

    loloquwowndueo 5 hours ago
    Fun fact: Bitwarden's cli is written in JavaScript and needs Node.js to run.

    mewpmewp2 6 hours ago
    Which programming languages/frameworks do you use? Do you use 1Password to load secrets to env where you run whatever thing you are working on? Or does the app load them during boot?

      diggan 6 hours ago
      A bunch, ranging from JS to Clojure and everything in between, depends on the project. The approach also depends on the project. There are a bunch of different approaches and I don't think there is one approach that would work for every project, and sometimes it requires some wrangling but takes 5-10 minutes tops. Some basic information about how you could make it work with 1Password: https://developer.1password.com/docs/cli/secrets-environment...

        mewpmewp2 5 hours ago
        How long have you been using that method? I didn't feel it's been very popular so far, although it makes a lot of sense. I've always seen people using gitignored .env files/config dirs in projects with many hardcoded credentials.
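The inheritance problem mewpmewp2 describes (whatever the launched process can read, a malicious dependency running inside it can read too) is easiest to see with a small wrapper. The following is an added example, not code from the thread, from 1Password or from pass: it builds a minimal environment for the child process, an allow-list of parent variables plus only the secrets the command needs, and refuses to pass on session handles of the `eval $(op signin)` kind, which are exported as `OP_SESSION_<account>`. The variable names, the `DATABASE_URL` value and the session token are constructed. It does not cover the desktop-app integration case from the edit above, where the session lives in the app rather than in the environment; there the child still sees every variable you inject, so narrowing what is injected is the only lever a wrapper has.

```python
import os
import subprocess
import sys

# Constructed sample: the secrets a wrapper such as `op run` would inject.
# In a real setup these come from the password manager, not from source.
CONSTRUCTED_SECRETS = {"DATABASE_URL": "postgres://app:constructed-pw@localhost/app"}

# Parent variables a dev tool legitimately needs; everything else is dropped.
PASSTHROUGH = ("PATH", "HOME", "LANG", "TERM")

# Prefixes of variables carrying a password-manager session handle.
# Assumption: the `eval $(op signin)` style, which exports OP_SESSION_<account>.
SESSION_PREFIXES = ("OP_SESSION_",)


def build_child_env(parent_env, secrets, passthrough=PASSTHROUGH,
                    session_prefixes=SESSION_PREFIXES):
    """Return the environment the child gets: allow-listed parent variables
    plus the injected secrets. Session handles never make it through, and
    passing one as a 'secret' is rejected rather than silently forwarded."""
    child = {k: v for k, v in parent_env.items() if k in passthrough}
    for name, value in secrets.items():
        if name.startswith(session_prefixes):
            raise ValueError(f"refusing to inject session handle {name!r} into child")
        child[name] = value
    return child


def run_with_secrets(argv, secrets, parent_env=None):
    """Run argv with only the allow-listed environment and the given secrets."""
    source = parent_env if parent_env is not None else os.environ
    env = build_child_env(source, secrets)
    return subprocess.run(argv, env=env, capture_output=True, text=True, check=False)


def demo():
    """Launch an untrusted-looking child (stand-in for a malicious npm script)
    and return the sensitive variable names it can actually see."""
    child_code = (
        "import os; print(sorted(k for k in os.environ "
        "if k.startswith(('OP_SESSION_', 'DATABASE_URL', 'AWS_'))))"
    )
    # Constructed parent shell: a live session handle and an unrelated secret
    # that the dev tool has no business seeing.
    parent = dict(os.environ)
    parent["OP_SESSION_myaccount"] = "constructed-session-token"
    parent["AWS_SECRET_ACCESS_KEY"] = "constructed-unrelated-secret"
    result = run_with_secrets([sys.executable, "-c", child_code],
                              CONSTRUCTED_SECRETS, parent_env=parent)
    return result.stdout.strip()


if __name__ == "__main__":
    # The child reports only DATABASE_URL: the session handle and the AWS
    # key never reached it, so a hostile script inside cannot reuse them.
    print(demo())
```

The allow-list is deliberately short; a tool that needs more (say `CI` or a proxy variable) should get it added explicitly rather than by widening to the whole parent environment, because the default `subprocess` behaviour of inheriting everything is exactly how a session handle leaks to a dependency's install script.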