Managing secret keys

Question

I have an app that is storing AWS secret keys in a private repo on Github.

It was recommended because if one of our computers "blows up", we will not have access to the keys.

Instead of storing in Github, we could just pass our computers around to share the secret key, or send them through private company slack.

These all seem like bad ways to manage keys.

Is there a good repository/vault or method that is better for secret key storage and sharing with team members?

Answer 1

You could use an S3 bucket that only stores keys and only allow specific users to have access to this bucket via IAM Groups and Users. This seems reasonable at the start of a project.

If you need something more hardcore, I know some larger tech companies use:

https://github.com/hashicorp/vault

Answer 2

The number one rule of key management is to minimize the number of locations the key is stored. So, for something like AWS keys, developers should have their own keys stored on their machines. For keys needed by an app server, those keys should only be stored on the app server.

It was recommended because if one of our computers "blows up", we will not have access to the keys.

The best way to solve this problem is just to rotate the keys. Ideally, you should always be in a place where you can quickly/easily generate new keys if you need to, such as in the case of a security event. If there's some master key that you're totally screwed if you lose it, store it in a secure storage app like 1Password, where your vault is encrypted with an additional password.

Instead of storing in Github, we could just pass our computers around to share the secret key, or send them through private company slack.

These all seem like bad ways to manage keys.

As a general rule, never store AWS keys (or any other sensitive keys or passwords) in Github or on the company Slack. Anything you share in slack lives forever in the logs, so if your company slack is compromised -- or if Slack is compromised, which has happened several times -- anything lying around in your logs is available to potential attackers.

Is there a good repository/vault or method that is better for secret key storage and sharing with team members?

For storing keys (long-term storage) use something like 1 Password. For sharing keys (short-term storage) use something like ShareSecret (disclaimer, I'm the founder of ShareSecret).

Answer 3

Keys, like many secrets, should not be shared whenever possible.

In the case of AWS users:

1. Each user (employee, team mate, etc.) should have their own IAM user created for them.
2. Each IAM user would have their own set of access keys/secrets generated and available to that user only.

There are many benefits to this system:

1. Since keys are not shared, it's harder for them to accidentally get leaked,
2. Since keys are not shared, if they are compromised, then only that one user is affected; no other team mates are affected.
3. Each IAM user can be given different permissions based on their own requirements.
4. Using CloudTrail, you can audit what each user does in the AWS account.

And avoid saving anything like this in source control (git or any other).

Answer 4

Avoid storing credentials with code, they get quite vulnerable and consequences may be irreversible. It would be much better to use IAM Roles to grant access and use keys only for development, preferably a different one per developer so they can be rotated as needed.

Check the AWS Security Best Practices whitepaper for further details.

Answer 5

You could use 1Password for Teams which allows you to share secrets in encrypted, password-protected vaults.

As a side-note, the risk of locking a AWS User out of his account if a computer blows up is very low. In any case, the account owner can regenerate a new set of AWS keys for any IAM User in the account. As long as the account owner can connect to the AWS account, you are safe.