16 lines
1.1 KiB
Markdown
16 lines
1.1 KiB
Markdown
|
# Secrets
|
||
|
|
Our repository contains as many configuration details as reasonable. But we must secure our secrets: passwords, API keys, encryption seeds, etc..
|
||
|
|
|
||
|
|
## Docker Env Vars
|
||
|
|
1. We store our Docker env vars in a file named after the service. For example `keycloak.env`.
|
||
|
|
2. We separate our secrets from non-secret env vars by placing them in a file with a similar name, but with `_secrets` appended to the service name. For example `keycloak_secrets.env`. These files exist only on the host for which they are necessary, and must be created manually on the host.
|
||
|
|
3. Our repository `.gitignore` excludes all files matching `*.secret`, and `*_secrets.env`.
|
||
|
|
|
||
|
|
Note: This makes secrets very fragile. Accidental deletion or other data loss can destroy the secret permanently.
|
||
|
|
|
||
|
|
## Generating Secrets
|
||
|
|
We use the password manager's generator to create secrets with the desired parameters, preferring the following parameters:
|
||
|
|
- 64 characters
|
||
|
|
- Capital letters, lowercase letters, numbers, and standard symbols (`^*@#!&$%`)
|
||
|
|
If necessary, we will reduce characterset by cutting out symbols before reducing string length.
|