Decide on Vault/1Password Strategy

We need to determine the best strategy for using 1Password to securely share sensitive information, such as passwords and integration keys, with individuals and teams during engagements with DevOps Accelerator. This decision aims to ensure a secure and efficient method for exchanging secrets while considering compatibility with AWS root account credentials.

Problem

We need a secure (cryptographic) way to share sensitive information (e.g., passwords, integration keys, credit card numbers, etc.) with individuals and teams. Ideally, the solution works with AWS so we can secure root account credentials.

1Password is a great choice for sharing secrets with teams. The downside is that it does not support a cryptographically secure means of sharing secrets with individuals. It also does not integrate with Terraform.

Please see Decide on MFA Solution for AWS Root Accounts for additional context on why we recommend 1Password.

Supported Options

Caution: During the course of your engagement with DevOps Accelerator, we require using 1Password as the secrets storage for exchanging secrets between teams. The customer is free to use whatever system they prefer internally and copy secrets out of 1Password.

You can share a private vault with our team for the duration of this engagement.

Use DevOps Accelerator’s 1Password (Temporary Alternative)

We can share a private vault with your team for the duration of this engagement. That way your company can work on procuring the best solution for your team. We recommend this approach if your team does not already have a viable solution and procurement of 1Password will delay the engagement.

  • AWS Secrets Manager is a perfect choice if you're launching your start-up or have a small number of secrets to manage but tight regulations, such as PCI DSS, HyTrust, ISO 27001 and others.
  • HashiCorp Vault can be the wiser choice if you need multi-cloud or hybrid-cloud options, or will need to manage thousands of secrets.

Excluded Options

PGP / GPG / PKE

Public key encryption is a great way to securely exchange secrets, but it's overly complicated for non-engineers. Anything that's complicated or not the path of least resistance tends to lose in the long run.

Slack

Slack does not provide any secure means of exchanging secrets. It should not be used.

LastPass

LastPass does not provide a means for shared TOTP, so we cannot use it in a collaborative environment.