Lately, I’ve been thinking of implementing a secrets management system such as Infiscal, etc. Does anyone use this or something similar like Hashicorp?
How hard would it be to deploy on a pre-existing set up? How does that work? Do you call the required secret in your Docker compose? What makes a secret manager more secure than pulling secrets from an .env file?
Which secret manager is the most popular/better among selfhosters?
I doubt using secret managers is popular among self hosters. These products are targeted at larger deployments, not homelabs.
I have seen people use Ansible Vault to encrypt the .env file and use an ansible playbook to only decrypt the file when the playbook is running.
Ansible is one of those ‘on the list’ things to check out. It seems to have a broad range of applications.
Sounds like you have reason to bump it up the list now - two birds with one stone.
I need to do this too. I know I have stuff deployed that has plaintext secrets in .env or even the compose. I’ll never get time to audit everything. So the more I make the baseline deployment safe, the better.
There are numerous automated systems for this, and almost every platform you use will have their own. Infiscal doesn’t seem bad, but I haven’t used it.
I always suggest engineers just use whatever is closest to their stacks instead of implementing something, UNLESS it’s going to cost a lot more money (looking at you, AWS).
Bitwarden/Vaultwarden+BWcli is also another workaround if you’re just using it for small projects.
Etcd can do value encryption, and Redia even, but you should really be looking at something that has solid RBAC, or ZTC rotation.
In my homelab I use Bitnami’s sealed secrets to commit the encrypted secrets to git and deploy with ArgoCD.
That’s a K8s application I’ve never explored, and the ‘commit the encrypted secrets to git and deploy with ArgoCD’ is well above my pay grade at the moment. Not saying it’s not unattainable, however, I’m still trying to thoroughly understand Docker, which should take me quite a while. LOL
Oh, I didn’t realize this was for plain containers, sorry.
For that I use Ansible to deploy the containers in my server. The secrets are stored encrypted in my local machine with passwordstore and I use the passwordstore lookup plugin to load them in the playbooks/templates.
There’s a software called gravitational teleport that looks pretty neat.
