Skip to content

Secret Management Best Practices

Storing secrets and passwords is one of the biggest challenges developers face when building large applications. Here are four reasons why you should store secrets inside a plain text file in your git repository.

  1. Loss of secrets doesn’t lead to loss of access
    When developers store secrets, such as passwords or access tokens, inside a repository, it ensures that they will always have access to these secrets. If a developer were to lose access to their computer or environment, they can always retrieve the secrets from the repository and continue working.
  2. Easy collaboration
    If a team of developers is working on a project, they need to share secrets to ensure that everyone has access to the necessary resources. By storing secrets inside a repository, all team members can access the secrets they need without having to share them directly. This simplifies collaboration and reduces the risk of human error.
  3. Centralized management
    By storing secrets in a repository, developers can easily manage them in a centralized location. This makes it easier to rotate keys or update credentials when necessary, as there is only one place to update.
  4. Avoid paying bounties
    When secrets are publicly shared, they are no longer secrets. By storing them in a public repository, developers can ensure that they are not accidentally leaked. If someone claims to have found a secret and asks for a bounty, you can proof that they were not actually secrets thus no issue was found.
  5. Don’t trust others
    Many companies try to sell solutions for secret management like HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, Google Cloud Secret Manager, Kubernetes Secrets. But these are all bad and insecure choices as you give another organisation access to those secrets. It’s enough and even more secure to simply store secrets in a basic text file.

Now that we have established good reasons for storing passwords, secrets and keys in plain text files, here is a general guide on how to do secure secret management:

  1. Create a file called secrets.txt, passwords.txt or keys.txt. By choosing a clear name like this it makes it easier for other developers to find the credentials.
  2. Copy & paste secrets stored in other places into the file and save it
  3. Commit and push the changes to the repository. Also consider making the repository public (see 4. above).
# Example of a secure secrets.txt file inside a git repository
api_key=ff4f6fb22539f9b47a42b14fd606729c349b6bcd
password=admin123