from Hacker News

Ask HN: Where to store sensitive keys?

by level09 on 4/13/16, 12:28 PM with 5 comments

I was wondering if there is a safe way to have different API/private keys stored on my machine; this helps create helpful deployment and automation scenarios. However, having the keys reside in files seems a bit dangerous to me. Maybe there is a better, more secure way to store them?

  • by feliksik on 4/14/16, 10:29 AM

    Hashicorp Vault is simple to run and has an HTTP API and CLI.

    But you want as little hassle as possible, of course. I didn't require high availability, but I liked coding to the Vault API so I could go there later. I wanted to store and administer secrets in encrypted YAML, which I could then batch load into Hashicorp Vault. I use Ansible Vault to manage the encrypted YAML file with a passphrase.

    To this end I created Safe, a tool to run Hashicorp Vault and load secrets from YAML in a single command. See https://gitlab.com/nerdalize/safe. It requires Docker, the bash script (and Ansible Vault or some other file encryption utility).

  • by rgacote on 4/14/16, 1:55 AM

    etcd (https://github.com/coreos/etcd) or one of its variants is an option.

  • by kspaans on 4/13/16, 12:40 PM

    If you use Puppet for deployments and management, you could use Hiera-Eyaml: encrypted YAML. Then it's just a matter of managing the master key.

  • by giaour on 4/14/16, 3:44 AM

    Take a look at HashiCorp's Vault.

  • by euroclydon on 4/13/16, 3:41 PM

    Put them in environment variables in the same shell that starts the process.
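The environment-variable approach from the last comment, as an added example that is not from the thread: a POSIX sh helper (hypothetical names `check_secret_file` and `run_with_secret`) that refuses a key file unless it is mode 0600 and owned by the caller, then passes the key only into the child process's environment so it is never exported in the interactive shell. It assumes standard `ls`, `awk`, `id`, `env` and `mktemp`; the key file used in `demo` is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not code from the thread). Hypothetical helpers that load a
# secret from a tightly permissioned file into the environment of one child
# process only. Assumes POSIX sh plus ls, awk, id, env and mktemp.

# Reject files readable or writable by group/others, or owned by someone else.
check_secret_file() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    # Columns 5-10 of 'ls -ld' are the group and other permission bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "refusing $f: mode too open" >&2; return 1; }
    # 'ls -n' prints the numeric uid, which compares cleanly with 'id -u'.
    owner=$(ls -ldn "$f" | awk '{print $3}')
    [ "$owner" = "$(id -u)" ] || { echo "refusing $f: not owned by you" >&2; return 1; }
    return 0
}

# Usage: run_with_secret VAR_NAME /path/to/secret command [args...]
# 'env' sets the variable for that one process; the calling shell never
# exports it, so later commands, subshells and history do not see it.
run_with_secret() {
    var="$1"; file="$2"; shift 2
    check_secret_file "$file" || return 1
    env "$var=$(cat "$file")" "$@"
}

# Self-check on a constructed temporary key (not a real credential).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed-example-key\n' > "$dir/api.key"
    chmod 600 "$dir/api.key"
    # The child sees the variable; the caller does not.
    child=$(run_with_secret API_KEY "$dir/api.key" sh -c 'printf %s "$API_KEY"')
    parent="${API_KEY:-unset}"
    # A world-readable copy of the same file is refused.
    chmod 644 "$dir/api.key"
    if check_secret_file "$dir/api.key" 2>/dev/null; then rejected=no; else rejected=yes; fi
    rm -rf "$dir"
    echo "child=$child parent=$parent open_file_rejected=$rejected"
}

demo
```

This narrows exposure rather than removing it: on Linux, other processes running as the same user can still read a live process's environment through /proc/<pid>/environ, and anything the child spawns inherits the variable.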