by skrebbel 3754 days ago
We have a secrets.json in the codebase which is gitignored and we only commit a fake secrets_sample.json.

(The actual secrets are then ridiculously insecurely transferred between colleagues via whatever communication medium the people involved think of first. Open to suggestions there :-) )
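A small pre-commit check for the pattern described in the post (gitignored secrets.json plus a committed secrets_sample.json), added here as an example and not code from the thread: it verifies the real file is actually ignored, that the sample carries the same keys, and that no real value was copied into the sample. The file contents, key names and values are constructed for the example.

```python
# Added example for the gitignored secrets.json / secrets_sample.json pattern.
# Inputs are constructed inline so the checks run offline; in a repository
# you would read .gitignore, secrets.json and secrets_sample.json instead.
import fnmatch
import json

# Constructed file contents; the "real" values are placeholders, not secrets.
GITIGNORE = "node_modules/\nsecrets.json\n*.pem\n"
SECRETS = json.dumps({"db_password": "real-db-pass-123", "api_token": "tok_EXAMPLE_42"})
SAMPLE = json.dumps({"db_password": "CHANGE_ME", "api_token": "tok_EXAMPLE_42"})


def is_ignored(gitignore_text: str, filename: str) -> bool:
    """True if a non-negated .gitignore pattern (plain name or glob) matches
    a top-level filename; directory-only and negated rules are skipped."""
    for raw in gitignore_text.splitlines():
        pattern = raw.strip()
        if not pattern or pattern.startswith(("#", "!")) or pattern.endswith("/"):
            continue
        if fnmatch.fnmatch(filename, pattern.lstrip("/")):
            return True
    return False


def check_sample(secrets_text: str, sample_text: str) -> list[str]:
    """Compare the real secrets file with the committed sample. Returns a
    sorted list of problems; empty means the sample has the same keys as
    the real file and no real value was copied into it."""
    real, sample = json.loads(secrets_text), json.loads(sample_text)
    problems = [f"missing in sample: {k}" for k in set(real) - set(sample)]
    problems += [f"stale key in sample: {k}" for k in set(sample) - set(real)]
    problems += [f"real value leaked into sample: {k}"
                 for k in set(real) & set(sample) if real[k] == sample[k]]
    return sorted(problems)


def run_checks(gitignore_text: str, secrets_text: str, sample_text: str) -> list[str]:
    """Aggregate both checks into one list of findings (empty means OK)."""
    findings = [] if is_ignored(gitignore_text, "secrets.json") else ["secrets.json is not gitignored"]
    return findings + check_sample(secrets_text, sample_text)


if __name__ == "__main__":
    for finding in run_checks(GITIGNORE, SECRETS, SAMPLE) or ["all checks passed"]:
        print(finding)
```

With the constructed inputs the script reports that the `api_token` value is identical in both files, the mistake that turns a "fake" sample into a real leak once it is committed.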

3 comments

Use GPG/OpenPGP and encrypt it before sending it to your colleagues? https://gnupg.org/

Or use a zerobin instance somewhere (encrypts things clientside with AES 256) and pass them a link. https://zb.a.im/

Exactly! Just use OpenPGP! Once you've set up OpenPGP for all developers and operators that deal with secrets and production databases, it is a piece of cake to simply click the 'encrypt' button in the e-mail client whenever you need to share production log files or other potentially sensitive information with colleagues.

In an ideal world sensitive data never leaves the production environment or the machine of the developer or operator working on it, but sometimes things break down, and you need to share information to find out what went wrong, as soon as possible, with colleagues who are not necessarily physically nearby. It is best to have these tools set up and part of your work flow when you do need them.

Get everyone to sign on with Keybase.io and make GPG encryption easy (and fun!) for all. I really, really like Keybase for things like this and am trying to encourage all of my teammates to sign up, or at least use GPG encryption.

NOTE: If anyone needs an invite to Keybase.io, email me; I still have a couple left. :)

Please! I've been on the list for what seems like forever!
Hi, still have any invites left?
I do - email in profile if you want one
John Resig described a way to store secret files in source control here [1]. But there is still a problem transferring the encryption password securely.

[1] http://ejohn.org/blog/keeping-passwords-in-source-control/