Last month, we open-sourced Infisical (https://github.com/Infisical/infisical) - a simple, end-to-end encrypted tool to sync environment variables across your team and infrastructure. You can use it to store environment variables and inject them into your applications locally or into CI/CD and production infrastructure. It can be used with any language/framework and is platform independent with a super easy setup.

We know secret managers exist but, in our experience, they’re too complicated, not comprehensive, not user-friendly, or a mix of all three — other nicer ones are closed-source and don’t have self-hosted options available. That’s why we’re on a mission to make secret management more accessible to every developer — not just security teams.

We’ve launched this repo under the MIT license so any developer can use the tool. The goal is to not charge individual developers. We make money by charging a license fee for some future enterprise features as well as providing a hosted version and support.

In the coming weeks, we plan to add features like key rotation, access logs + more integrations. We’d love to hear your thoughts and any feature requests!

Give it a try (https://github.com/Infisical/infisical), and let us know what you think!

Main website: https://infisical.com/
Environment variables are not a good way to pass secrets around. For a list of reasons see this 2017 blog post: https://blog.diogomonica.com//2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/

The TLDR is, first environment variables are visible to every process running as the same user on the system (try 'ps eww') and second they leak very easily in debug logs, etc.
I didn't see any reference to an external security audit on your website, so have you done one, and if not, are you planning to? All serious products in this space publish these third-party audits and sometimes certifications.

See the page for Vault: https://www.hashicorp.com/vault-compliance

Or 1Password: https://support.1password.com/security-assessments/

As the comment from jbotz mentioned, exposing secrets in environment variables seems like a major issue and it would be one of the first points covered in such an audit.
Ahhh, a self-hosting option. I might actually take a look at it!

I'm so tired of systems handling highly-confidential information (such as passwords and secrets material) being Cloud-only. Or even cloud-first.
This looks great! But after looking through the docs and GitHub, I don't know what the architecture is beyond there is a CLI and a browser UI that interact with some sort of central service.

The main thing stopping me from using Vault is that it can become a central point of failure. If the cloud provider secret managers are down then it's likely that something else in the cloud is having major issues as well, so from an uptime perspective and ease of operations that has always seemed a safe approach, although the pricing is kind of outrageous. But just storing (e2e encrypted, etc.) in cloud object storage is also an option. Berglas for example gives the option of storing in the secret manager or in cloud storage directly: https://github.com/GoogleCloudPlatform/berglas
Is there an API to programmatically retrieve secrets or is it CLI only?

On a previous project I used the HVAC python library to get secrets from Vault and configure a Django project (thus not using env vars at all).
It would be nice to be able to do the same with Infisical.
Hey everyone!

Stoked to show y'all what we've been working on these past few months.

Appreciate your feedback and will be hanging out here to answer any questions :)
I just can’t get over using environment variables for this type of stuff. An attacker can bootstrap a lot just from compromising an ssh login. Platforms like JWS had the right idea. You used tokens in config files and the platform vault knew how to inject the value at runtime. Nothing was exposed in the environment variables or run command.
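An added example (not Infisical's code, and not from any commenter) illustrating the point jbotz and this comment make: a secret placed in the environment is inherited by every child process, which is why it shows up for `ps eww` and in debug output. Two cheap defensive moves are shown: scrubbing credential-looking variables before spawning children, and redacting their values from log lines. The variable names, the fake secret values and the log line are constructed.

```python
import json
import os
import re
import subprocess
import sys

# Heuristic for credential-looking names; constructed for this demo, not Infisical's logic.
SECRET_NAME_RE = re.compile(r"SECRET|TOKEN|PASSW|API_KEY|PRIVATE_KEY", re.I)

# Constructed sample: the current environment plus two fake secrets.
CONSTRUCTED_ENV = dict(os.environ, DB_PASSWORD="hunter2-constructed",
                       STRIPE_API_KEY="sk_test_constructed")

def scrubbed_env(env):
    """Copy of env without credential-looking variables. Spawning children
    (build tools, shells, plugins) with this copy stops them inheriting the
    secrets: the cheapest mitigation for 'every child process sees it'."""
    return {k: v for k, v in env.items() if not SECRET_NAME_RE.search(k)}

def child_sees(env):
    """Spawn a child interpreter with exactly `env` and return the variable
    names it observed. This inheritance is why `ps eww` or /proc/<pid>/environ
    exposes the secret for every descendant process."""
    code = "import os, json; print(json.dumps(sorted(os.environ)))"
    out = subprocess.run([sys.executable, "-c", code], env=env,
                         capture_output=True, text=True, check=True).stdout
    return set(json.loads(out))

def redact(line, env):
    """Mask the values of credential-looking variables wherever they appear in
    a log line, so a debug dump or failed command line does not leak them."""
    for k, v in env.items():
        if v and SECRET_NAME_RE.search(k):
            line = line.replace(v, "[REDACTED:%s]" % k)
    return line

def demo():
    """Names a child saw with the raw env versus the scrubbed one."""
    return {"inherited": child_sees(CONSTRUCTED_ENV),
            "scrubbed": child_sees(scrubbed_env(CONSTRUCTED_ENV))}

if __name__ == "__main__":
    r = demo()
    print("secret inherited by child:", "DB_PASSWORD" in r["inherited"])
    print("secret after scrubbing:   ", "DB_PASSWORD" in r["scrubbed"])
    print(redact("DEBUG connect pass=hunter2-constructed", CONSTRUCTED_ENV))
```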
Congrats on the launch!

The first thing that strikes me is the flat organizational structure of secrets. We have at least 45 KV secrets per environment in Vault organized in a directory structure over at Rivet. Managing access policies and organizing these without a directory structure would not be fun.
    HN Title: Infisical – open-source secrets manager
    Github text: Infisical is an open-source, end-to-end
    encrypted tool to sync environment variables across
    your team and infrastructure.
Which does it do? Does it manage secrets, or does it sync environment variables?
Great!

I will have to have a play with this.

After losing a laptop I've been wanting something to manage env vars for local dev projects that keeps them encrypted at rest.