techalchemist 6 hours ago

I had evaluated fnox. However, you have a dependency on encryption/decryption.

So imagine the use case where you need to roll out a password change to 10 repos or offboard an engineer from the team.

In either case, the touch point now becomes 10 repos which need to be co-ordinated against.

Now imagine doing this at scale: you need to migrate password stores entirely. Not that it happens often; however, I have been at start-ups where we moved from one cloud provider to another because we gained better discounts on contracts. The password store migration would then be an effort vs. just updating 1 line in the registry and it resolves.

Similarly, user offboarding is handled by IAM permission as well; as soon as the user's access is revoked, the secret resolution is gone.

Thank you for bringing up fnox and mise. This was something I had evaluated and even written about in the security threat model. :)

https://github.com/TechAlchemistX/secretenv/blob/main/docs/s...

jdxcode 6 hours ago | parent [-]

I am the maintainer of fnox. This is only true if you use the encryption providers. If you don't, nothing is encrypted, obviously.

Your doc also doesn't seem to take into account my preferred way of using it with KMS that solves a lot of the problems mentioned.

techalchemist 5 hours ago | parent [-]

[flagged]