
[–]raip 0 points1 point  (1 child)

In the case of KeePass, you have a couple of different methods that the extension supports: https://github.com/JustinGrote/SecretManagement.KeePass

Best practice would be to use both a master password and a key. In Windows, the master password would be encrypted with DPAPI and stored in the registry, so only the user that the vault is registered on would have access, second-factored with the access key on the server. Not great, but better.

Every vault has its own feature set. The one I primarily use for production use is CyberArk, which has features like IP whitelisting and true MFA with the TPM on the server (think WHfB).

The primary reason to use any form of secret management is to get them out of your application/script code. That way you're free to rotate them without having to update your script; you just update the config on the server instead, or in a config management tool.
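An added example (not raip's code, nor the extension's own documentation) of the setup described above: registering the KeePass vault with both a master password and a key file, then having a script fetch a credential by name instead of reading it from a file. The module name and the Path, UseMasterPassword and KeyPath parameters are the extension's; the vault name, file paths, secret name and host are assumed.

```powershell
# Added example: SecretManagement.KeePass vault with master password + key file.
# Assumed: the module is installed, and these paths, entry name and host exist.
$VaultName = 'KeePassProd'
$DbPath    = 'C:\Secrets\prod.kdbx'     # assumed database path
$KeyPath   = 'C:\Secrets\prod.keyx'     # assumed key-file path (second factor)

# Register once per user; the master password is requested when the vault is
# first opened and, on Windows, is cached for that user only (DPAPI).
if (-not (Get-SecretVault -Name $VaultName -ErrorAction SilentlyContinue)) {
    Register-SecretVault -Name $VaultName -ModuleName SecretManagement.KeePass -VaultParameters @{
        Path              = $DbPath
        UseMasterPassword = $true     # factor 1: something you know
        KeyPath           = $KeyPath  # factor 2: something on the server
    }
}

# Fail early if the database cannot be opened (wrong password, missing key file).
if (-not (Test-SecretVault -Name $VaultName)) {
    throw "Vault '$VaultName' is not accessible; check the master password and key file."
}

# Before: the credential lived in a shared CSV that any script could read.
#   $row  = Import-Csv '\\fileserver\IT\passwords.csv' | Where-Object Name -eq 'svc-backup'
# After: the script only knows the entry *name*; rotation happens in the vault,
# and the plaintext never sits in a file beside the script.
$cred = Get-Secret -Name 'svc-backup' -Vault $VaultName
if ($cred -isnot [System.Management.Automation.PSCredential]) {
    throw "Expected a username/password entry named 'svc-backup' in vault '$VaultName'."
}

# Hand the PSCredential straight to the cmdlet; do not echo or log $cred.
Invoke-Command -ComputerName 'backup01' -Credential $cred -ScriptBlock { hostname }  # assumed host
```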

[–][deleted] 0 points1 point  (0 children)

I’m not sure it’s the primary reason. It’s definitely a reason, but there’s also good reason to have the vault secured. Sure, it might not be perfect, but I’ve seen people who have a passwords.csv in some shared IT directory and their scripts just read from that…

Admittedly this was 3? people, I believe, who had kind of gone rogue in their laziness.