Lately, I’ve been thinking of implementing a secrets management system such as Infiscal, etc. Does anyone use this or something similar like Hashicorp?

How hard would it be to deploy on a pre-existing set up? How does that work? Do you call the required secret in your Docker compose? What makes a secret manager more secure than pulling secrets from an .env file?

Which secret manager is the most popular/better among selfhosters?

  • truxnell@aussie.zoneEnglish
    5·
    20 hours ago

    I think it’s overkill for homelab and over complex/additional failure points.

    I use sops encrypted, published in my public git. When I apply my nix config, they are pulled and unencrypted on apply on the local machine.

    Keeps it as simple as I can think of, with few moving parts.

      • truxnell@aussie.zoneEnglish
        2·
        15 hours ago

        Depends on the circumstances tbh. Things like sops do load the secret unencrypted on the machine (with perms but still unencrypted. For remote VPS encrypted at rest is probably better. K8S has secret management but there unencrypted too.

        Another alternative could be using Doppler secrets managment platform, I used it for a while