
We (Shopify) use https://github.com/Shopify/ejson -- we store encrypted secrets in the repository, relying on the production server to have the decryption key.

It's relatively common to provision secrets with configuration management software like Chef/Puppet/Ansible/etc. using, e.g., Chef's encrypted data bags.

Another slightly heavier-weight solution with some nice properties is to use a credential broker such as Vault: https://www.vaultproject.io/



For Ansible the built-in solution is: http://docs.ansible.com/ansible/playbooks_vault.html


Just wanted to +1 the suggestion for Vault - I've found it to be a really nice balance between usability and security.



