[BBLISA] Systems for Organizing Shared Secrets
Rich Braun
richb at pioneer.ci.net
Mon Mar 24 14:45:48 EDT 2014
Neil Schelly wrote:
> Does anyone here have any experience with systems that make it easy to
> keep secrets hidden ...
Ugh, yes I have experience, but it's mostly with yelling at peers and/or
trying to explain to senior-execs why this is a hard-to-solve problem that no
open-source project has ever tackled.
I did publish the beginnings of such a project to my github last year; you can
check it out at: rubygems.org/desviar. Now that I need to take it to the next
level, it's a hard enough problem that it probably has to be funded by my
workplace rather than open-sourced.
I've actually got an open checkbook at work, though, for a solution to this:
if *anyone* here knows of a decent general-purpose (i.e. not AWS-only)
solution to the cloud-API key management problem be it open or closed source,
I'm all ears. I came up with a list of something like 30 or 40 different types
of API keys that need managing; it's not just a question of securely storing
them: the harder problem is automating the rotation of such keys. That
implies scripts that connect to a vendor, authenticate using the current or a
higher-level admin key, retrieve a new key, store it and revoke the old one.
The fire-drill of leaked keys gets really old after just a couple of times:
someone posts a Jira or an email containing a sensitive key, some boss
notices, another boss declares that all related keys be revoked, and two days
later my systems are finally kinda-sorta back to normal.
-rich
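The rotation procedure described in the message above (connect to the vendor, authenticate with the current key or a higher-level admin key, obtain a new key, store it, revoke the old one), as an added Python example. This is not code from the desviar gem or from any vendor SDK: FakeVendor is a constructed in-memory stand-in for a provider's key-management endpoint, SecretStore for whatever vault holds the current key, and all names and secrets in it are hypothetical. What it adds to the prose is the ordering and the failure handling: the new key is persisted before the old one is revoked, the new key is probed before anything is revoked, and a key the vendor issues that does not authenticate is rolled back rather than left as the only stored copy.

```python
# Added example: generic API-key rotation driver with constructed stand-ins.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class FakeVendor:
    """In-memory stand-in for a vendor's key API (constructed, not a real SDK)."""
    admin_secret: str
    fail_new_keys: bool = False  # simulate the vendor issuing keys that do not work
    _keys: Dict[str, dict] = field(default_factory=dict)  # key_id -> {secret, active}

    def _authorize(self, presented: str) -> None:
        if secrets.compare_digest(presented, self.admin_secret):
            return
        for rec in self._keys.values():
            if rec["active"] and secrets.compare_digest(rec["secret"], presented):
                return
        raise PermissionError("unauthorized")

    def create_key(self, auth: str) -> Tuple[str, str]:
        self._authorize(auth)
        key_id = f"key-{len(self._keys) + 1}"
        secret = secrets.token_hex(16)
        self._keys[key_id] = {"secret": secret, "active": not self.fail_new_keys}
        return key_id, secret

    def revoke_key(self, auth: str, key_id: str) -> None:
        self._authorize(auth)
        self._keys[key_id]["active"] = False

    def is_active(self, secret: str) -> bool:
        """Probe whether a secret still authenticates (used to verify a new key)."""
        try:
            self._authorize(secret)
            return True
        except PermissionError:
            return False


class SecretStore:
    """Trivial name -> record store; a real one is an encrypted vault."""
    def __init__(self) -> None:
        self._data: Dict[str, dict] = {}

    def get(self, name: str) -> Optional[dict]:
        return self._data.get(name)

    def put(self, name: str, record: dict) -> None:
        self._data[name] = record

    def delete(self, name: str) -> None:
        self._data.pop(name, None)


def rotate(vendor: FakeVendor, store: SecretStore, name: str,
           admin_secret: Optional[str] = None) -> str:
    """Rotate the key stored under `name`; return the new key id.

    Authenticates with the admin key if given (the leaked-key case, where the
    current key cannot be trusted), otherwise with the current key. The new
    key is stored *before* the old one is revoked, so a crash in the middle
    leaves two working keys rather than none.
    """
    old = store.get(name)
    if admin_secret is None and old is None:
        raise ValueError(f"no stored key for {name!r} and no admin key to bootstrap from")
    auth = admin_secret if admin_secret is not None else old["secret"]

    new_id, new_secret = vendor.create_key(auth)
    store.put(name, {"id": new_id, "secret": new_secret})

    if not vendor.is_active(new_secret):
        # Roll back: restore the old record and revoke the unusable key.
        if old is not None:
            store.put(name, old)
        else:
            store.delete(name)
        vendor.revoke_key(auth, new_id)
        raise RuntimeError(f"new key {new_id} does not authenticate; rotation aborted")

    if old is not None:
        # Revoking the old key with the new one also proves the new key
        # carries the rights the automation will need next time around.
        vendor.revoke_key(new_secret, old["id"])
    return new_id


def demo() -> dict:
    """Bootstrap, one routine rotation, one aborted rotation; returns what happened."""
    vendor = FakeVendor(admin_secret="admin-secret-0")  # constructed admin credential
    store = SecretStore()
    first = rotate(vendor, store, "billing-api", admin_secret="admin-secret-0")
    first_secret = store.get("billing-api")["secret"]
    second = rotate(vendor, store, "billing-api")  # authenticates with key-1
    second_secret = store.get("billing-api")["secret"]
    vendor.fail_new_keys = True
    try:
        rotate(vendor, store, "billing-api")
        aborted = False
    except RuntimeError:
        aborted = True
    return {"first": first, "second": second, "aborted": aborted,
            "first_still_works": vendor.is_active(first_secret),
            "current_id": store.get("billing-api")["id"],
            "current_works": vendor.is_active(second_secret)}


if __name__ == "__main__":
    print(demo())
```

The leaked-key fire-drill maps onto the admin_secret path: when the current key cannot be trusted, rotate() is driven from the admin credential instead of the compromised one, and the compromised key is revoked only after its replacement is stored and verified. Against a real vendor the same shape holds; what changes is that create_key, revoke_key and is_active become HTTP calls, and is_active should exercise the permission the automation actually needs rather than just a login.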