1.1 KiB
1.1 KiB
Secrets
Our repository contains as many configuration details as reasonable. But we must secure our secrets: passwords, API keys, encryption seeds, etc..
Docker Env Vars
- We store our Docker env vars in a file named after the service. For example
keycloak.env
. - We separate our secrets from non-secret env vars by placing them in a file with a similar name, but with
_secrets
appended to the service name. For examplekeycloak_secrets.env
. These files exist only on the host for which they are necessary, and must be created manually on the host. - Our repository
.gitignore
excludes all files matching*.secret
, and*_secrets.env
.
Note: This makes secrets very fragile. Accidental deletion or other data loss can destroy the secret permanently.
Generating Secrets
We use the password manager's generator to create secrets with the desired parameters, preferring the following parameters:
- 64 characters
- Capital letters, lowercase letters, numbers, and standard symbols (^*@#!&$%
)
If necessary, we will reduce characterset by cutting out symbols before reducing string length.