
Migrate from pws gpg to 1password
Closed, Resolved. Public. 4 Estimated Story Points

Description

Release-Engineering-Team uses pwstore (office wiki {private}) to store shared passwords for mailing lists, websites, and other shared logins AND it's a pain. Let's collect some options to replace it.

After a first exploration in September 2021, 1password fits our needs and we should migrate to it.

Outcomes:

  • everyone has access to 1password.com
  • CLI / web / 2FA setup
  • all passwords migrated
  • old secret store is decommissioned

Event Timeline

thcipriani set the point value for this task to 3. Sep 3 2021, 4:25 PM
thcipriani updated the task description.

I have spent a good chunk of Tuesday setting up HashiCorp Vault. It is a full-featured system for managing various secrets, be it arbitrary data (key value storage), ssh keys, one-off passwords, temporary on-the-fly passwords for K8s applications etc. It even comes with integration with Puppet to have it retrieve secrets from Vault.

A user can generate or access secrets via a web interface. For our use case, we would have to set up Vault, add a key value store engine, hook the authentication with LDAP, then grant groups policy access to a key value store. It is definitely doable, but:

  • the setup is not trivial (a whole new system has to be set up in our infrastructure)
  • the system has a lot more use cases (such as managing Letsencrypt keys, ssh authentication etc)

The solution is great and has a lot of capabilities. It seems a bit overkill for the reduced scope of just managing existing passwords. But it is definitely a system that should be kept in mind down the road if we want to overhaul how secrets are managed at the foundation.

Spotted yesterday, I realized we already have a password management system! https://office.wikimedia.org/wiki/Password_Management :]

Bubbling up. I have not committed to do the switch after the exploratory phase. The quick presentation I gave to the team has been welcomed and we seem to have consensus that 1password is a good system for our use case. I am moving this to the new Yak Shaving.

hashar renamed this task from Investigate password store options to Migrate from pws gpg to 1password. Dec 8 2021, 6:28 PM
hashar updated the task description.
hashar changed the point value for this task from 3 to 4.

Why 1Password and not Bitwarden? There are FLOSS-friendly managed hosters too, like https://cloud68.co/instances/bitwarden .

This task sounds a bit aligned with getting rid of a releng repo in Diffusion blocking T191182: Migrate active repositories in Phabricator Differential to GitLab.

Since T351321 happened and is resolved, is this ticket now outdated / also resolved?

thcipriani claimed this task.

Since T351321 happened and is resolved, is this ticket now outdated / also resolved?

Sure enough!