Secrets management
Last modified by Jukka Karvonen on 2025/08/13 09:18
Secrets management (WIP)
In general, secrets can be divided into three categories:
- Personal secrets
- Secrets shared by a team or group
- Secrets used by software/applications
Of these, the first one is generally considered to be outside centralized secrets management, but the latter two should be kept safe.
The current guidelines for the University of Helsinki recommend using Azure Key Vault for secret management for the latter two categories.
Personal secrets
The recommendation is to use a service that creates cryptographically secure passwords. Examples of this are KeePass and its variants, and online services. The author of this page recommends a local solution over a cloud solution, but this also means backups fall on the user.
Secrets for teams and software
Most of these can also be divided based on your automation needs.
- If you don't need automation, you can use a solution like pass, gpg-encrypting secrets with everyone's gpg public keys.
- If you need automation, a central secrets management solution is preferable.
- Of these, the University officially supports only Azure Key Vault.
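The pass/gpg workflow from the first bullet, as an added example that is not part of this page: a POSIX shell script that creates two constructed team keys in a throw-away GNUPGHOME, encrypts one secret to every key listed in a pass-style .gpg-id file, and decrypts it back. The identities (Alice, Bob), the secret value and the store path are all constructed for the demonstration; only gpg (2.1 or newer) is required, pass itself is not used.

```shell
#!/bin/sh
# Added example: the multi-recipient gpg encryption that "pass" relies on
# for a team secret store. Keys and secret below are constructed test data.
set -eu

GNUPGHOME=$(mktemp -d)          # throw-away keyring, never touches ~/.gnupg
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true' EXIT

# Non-interactive gpg; empty passphrase is only acceptable for test keys.
gpg_batch() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Two constructed team members, each with a primary key and encryption subkey.
gpg_batch --quick-generate-key 'Alice <alice@example.invalid>' default default never
gpg_batch --quick-generate-key 'Bob <bob@example.invalid>' default default never

# A pass store keeps one .gpg file per secret and encrypts each file to every
# key id listed in .gpg-id (this is what `pass init alice bob` writes).
STORE=$(mktemp -d)
printf '%s\n' alice@example.invalid bob@example.invalid > "$STORE/.gpg-id"

# $1 = secret name, stdin = secret value; one ciphertext, decryptable by each member.
encrypt_secret() {
  recipients=$(sed 's/^/-r /' "$STORE/.gpg-id" | tr '\n' ' ')
  gpg_batch --encrypt --trust-model always $recipients -o "$STORE/$1.gpg"
}

# $1 = secret name; whichever member's private key is present can decrypt.
decrypt_secret() { gpg_batch --decrypt "$STORE/$1.gpg" 2>/dev/null; }

# $1 = secret name; number of public keys the file is encrypted to.
# Caveat: removing someone from .gpg-id and re-encrypting does not undo what
# they already read, so a departure means rotating the secret, not just re-encrypting.
recipient_count() {
  gpg_batch --list-packets "$STORE/$1.gpg" 2>/dev/null | grep -c '^:pubkey enc packet'
}

printf 'S3cr3t-db-p4ss\n' | encrypt_secret db-prod
echo "recipients: $(recipient_count db-prod)"   # 2
echo "decrypted:  $(decrypt_secret db-prod)"    # S3cr3t-db-p4ss
```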