Ask HN: How are teams sharing secrets?
3 points by ChartsNGraffs 3563 days ago
What's the best way your team has found to manage secrets for things like db passwords, admin login credentials, etc.?
2 comments

94 comments on a similar discussion two weeks ago

Ask HN: How are credentials managed at your company? https://news.ycombinator.com/item?id=12396883

Instead of requiring only a password, it is better to use two-factor authentication.
2FA doesn't work so great for Postgres.
You can do stuff with gssapi / kerberos. Or, if you consider that 2FA, you can use client certificates in addition to passwords. Interactive 2FA probably imo doesn't make that much sense for a database.
Yep, that's what I'm trying to say. :)
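
As an added example (not part of the thread): a small audit of a `pg_hba.conf` that lists the network rules where a password is the only factor, i.e. a password method without a required client certificate, as discussed in the replies above. The function name and the sample file are constructed for illustration; the method names and the `clientcert=verify-ca` / `clientcert=verify-full` option are PostgreSQL's own (version 12 and later).

```python
import shlex

# Auth methods from pg_hba.conf that rely on a password alone.
PASSWORD_METHODS = {"password", "md5", "scram-sha-256"}
OTHER_METHODS = {"trust", "reject", "gss", "sspi", "ident", "peer",
                 "ldap", "radius", "cert", "pam", "bsd"}
# clientcert values that force the client to present a valid certificate.
CERT_REQUIRED = {"verify-ca", "verify-full"}

def password_only_rules(hba_text):
    """Return (line_no, conn_type, method) for network rules with no second factor."""
    findings = []
    for line_no, raw in enumerate(hba_text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)
        if not fields or fields[0] not in {"host", "hostssl", "hostnossl"}:
            continue  # blanks, comments, local sockets, include directives
        # The address is one field (CIDR) or two (IP + netmask), so locate
        # the method by name instead of by position.
        idx = next((i for i, f in enumerate(fields[3:], 3)
                    if f in PASSWORD_METHODS | OTHER_METHODS), None)
        if idx is None or fields[idx] not in PASSWORD_METHODS:
            continue
        opts = dict(o.split("=", 1) for o in fields[idx + 1:] if "=" in o)
        # clientcert is only honoured on hostssl rules.
        has_cert = (fields[0] == "hostssl"
                    and opts.get("clientcert") in CERT_REQUIRED)
        if not has_cert:
            findings.append((line_no, fields[0], fields[idx]))
    return findings

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
# constructed sample
local   all all                          peer
host    all all 10.0.0.0/8               md5
hostssl app app 10.0.0.0/8               scram-sha-256
hostssl app app 10.1.0.0/16              scram-sha-256 clientcert=verify-full
hostssl all all 0.0.0.0/0                gss include_realm=0
host    all all 192.168.0.0 255.255.0.0  password
"""

if __name__ == "__main__":
    for line_no, conn_type, method in password_only_rules(SAMPLE):
        print(f"line {line_no}: {conn_type} rule uses {method} without a client certificate")
```
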

The "team secret sharing problem" usually refers to "how do we manage all the API and backend secrets we need to deploy and test a new instance, without having everyone shlepping them around on their dev laptops, and without ending up in a mode where the loss of one server equates to the loss of every instance in the environment."

Well, kerberos isn't a bad answer for that. But it's way too annoying to set up :/