Hi, guys! I've heard you mention keeping dev secrets in a dev.edn file a few times. That works well, and I still do that sometimes. But are you aware of https://github.com/magnars/confair by @magnars? It lets you commit encrypted secrets and configs to your Git repo. Very useful and “standard” in the (small) Norwegian subcommunity! I thought you might like it. Cheers and Merry Christmas!
Committing secrets always felt risky. If you get the crypto wrong or someone finds a flaw in the crypto you're using, then all your secrets are forever available in the git history, forcing a rotation. Storing the secrets in a separate service that maintains proper encryption and security for you always felt safer.
Absolutely, much safer to store in a separate service and inject it into the service at runtime so that it's never persisted anywhere in plain text.
@leif.eric.fredheim @lukaszkorecki Thanks for the suggestions! I’ll have to check those out. As for encrypting within a git repo, I’ve used a separate repo for that. Something totally separate from my source repo. I also like the idea of having a command line interface to a secrets manager. Thanks again!
Hey Leif! I hadn’t heard of this library before. Love the Nicolas Cage reference. It’s an interesting approach. In the past, when I’ve wanted to commit secret things to git repos, I’ve reached for https://github.com/AGWA/git-crypt.
I have done something like the local dev overrides in a couple of apps, where there are a set of known config files that get deep-merged together in order:
• config.edn - prod config, no secrets, committed to git
• dev-config.edn - common developer config, overrides to point at local docker-compose setup, can have creds in it because dev, committed to git
• local-config.edn - bespoke, situational overrides for a particular project, not committed to git (but a .sample-suffixed one is).
For these apps, the prod secret values are injected via env vars and a library that can set values based on those.
It always felt wrong to store secrets in git, even if encrypted - I dealt with that when using Ansible, Chef and similar configuration management tools in the bad old days - rotation is painful, it introduces noise in diffs, and sometimes you can have merge conflicts that cannot be resolved easily. Recently I've been adopting 1Password's CLI - it has really interesting features, like injecting secrets into config templates or exporting them as environment variables - it's much more secure, and on the Mac you can use Touch ID to authorize secret access for that extra sauce: https://developer.1password.com/docs/cli/reference/commands/inject + Aero for reading these injected variables from the environment. For actual Real Life Work ™️ I used EnvKey before, AWS Secrets Manager and Doppler, and all are excellent options.
“Run your fingers through the data” is a great mnemonic device, by the way. Visual and tactile language! You guys drop those all the time, and I love it. Along with metaphors (donuts, food, cooking), it helps build intuition and recall information when needed.