Lead Image © Sergey Nivens, 123RF.com
Efficient password management in distributed teams
Secure Transfer
Consider the simple case of a web application database that requires authentication. The challenge is to share this secret information in an efficient but secure way and to transmit it automatically at a later date. What is the best way to do this?
Three Approaches
Traditionally, you have several ways to manage secrets associated with an application. The oldest method is probably the use of constants in source code, such as:
var PASSWORD = 'sn4k3oil'
This method tackles the challenge of keeping secret information synchronized between all team members in a simple, although not secure, way.
On the one hand, anyone who has access to the source code is automatically in possession of the secret information – regardless of whether it is necessary or desirable. On the other hand, exchanging keys with this procedure can turn out to be a tedious process, because the source code has to be changed, checked in to a version management system, and redistributed each time. It also makes it difficult to use the same code in multiple environments, such as a development environment and a production environment.
A more mature alternative avoids these disadvantages by storing secrets in configuration files that are not checked into version control. This approach removes the constants from the source code, but it brings disadvantages of its own. Without version control, the synchronization between team members that was previously automatic is no longer available: if a team member wants to change a password, they have to inform everyone else and find a secure way to do so. Additionally, the procedure leaves unencrypted files on clients and servers that users can easily forget about.
Subsequently, a third method has been established to keep secret information away from both the local filesystem and the source code. This method uses