How do you manage sensitive keys when using foreign developers?

This page summarizes the projects mentioned and recommended in the original post on /r/ExperiencedDevs

Our great sponsors
  • InfluxDB - Power Real-Time Data Analytics at Scale
  • WorkOS - The modern identity platform for B2B SaaS
  • SaaSHub - Software Alternatives and Reviews
  • Spruce

    A BOSH template merge tool (by geofffranks)

    The CI/CD has a service account with permissions to all envs, and during deployment it renders the config files and inserts the "real" values by pulling it from Vault/KMS. Something very simple is Spruce, which is actually a powerful general templating tool but I've seen it only used for vault secrets so far.

  • Vault

    A tool for secrets management, encryption as a service, and privileged access management

    There's a central key management service. Hashicorp Vault is pretty much the de-facto standard and most other tools integrate nicely with this. The only exception I've seen if companies are fully invested into a single cloud provider, in which case their cloud native alternative is used (AWS KMS, GCP KMS, Azure Keyvault). Even then, sometimes Vault is used as a frontend with the Cloud KMS as backing store.

  • InfluxDB

    Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts