【数据安全】密钥库和密钥管理解决方案

A Kubernetes controller to watch changes in ConfigMap and Secrets and do rolling upgrades on Pods with their associated Deployment, StatefulSet, DaemonSet and DeploymentConfig – [✩Star] if you're using it!

https://github.com/trufflesecurity/trufflehog

Find and verify credentials

https://github.com/tink-crypto/tink-java

https://github.com/tink-crypto

A multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse. See also: https://developers.google.com/tink.

The Tink Cryptography Library is split into multiple repositories.

Tink implementation	Repository
Tink Java	tink-crypto/tink-java
Tink C++	tink-crypto/tink-cc
Tink Go	tink-crypto/tink-go
Tink Python	tink-crypto/tink-py
Tink Obj-C	tink-crypto/tink-objc

We provide a command line interface for key management, named Tinkey

We also provide integrations with various key management systems (KMS) and other systems.

Tink extension	Repository
Tink Java AWS KMS extension	tink-crypto/tink-java-awskms
Tink Java Google Cloud KMS extension	tink-crypto/tink-java-gcpkms
Tink Java apps extension	tink-crypto/tink-java-apps
Tink C++ AWS KMS extension	tink-crypto/tink-cc-awskms
Tink C++ Google Cloud KMS extension	tink-crypto/tink-cc-gcpkms
Tink Go AWS KMS extension	tink-crypto/tink-go-awskms
Tink Go Google Cloud KMS extension	tink-crypto/tink-go-gcpkms
Tink Go HashiCorp Vault KMS extension	tink-crypto/tink-go-hcvault

https://github.com/pac4j/pac4j

https://github.com/cryptomator/cryptomator

Multi-platform transparent client-side encryption of your files in the cloud

https://medium.com/@cyberlands.io/best-secrets-management-solution-hash…

Best Secrets Management Solution: Hashicorp vs KeyWhiz

Encrypting Confidential Data at Rest

https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/

https://kubernetes.io/docs/concepts/configuration/secret/

https://external-secrets.io/main/introduction/overview/

The External Secrets Operator extends Kubernetes with Custom Resources, which define where secrets live and how to synchronize them. The controller fetches secrets from an external API and creates Kubernetes secrets. If the secret from the external API changes, the controller will reconcile the state in the cluster and update the secrets accordingly.

https://cloud.yandex.com/en/services/lockbox

A service for creating and storing secrets in the Yandex Cloud infrastructure.

Create secrets in the management console or using the API.

https://walkingtree.tech/secrets-management-using-mozilla-sops/

As automation is taking place at a rapid pace, the areas where human intervention is involved are appearing as huge speed breakers. One such task is keeping the secret information with humans and providing necessary approvals as and when needed. This task does not involve a lot of logical thinking but the important aspect is keeping trustworthy information and using it for regular activity.

Keeping the secrets in a file and allowing access to information to a wider set of people will be a serious challenge. One way to solve this problem is to keep the secrets in a file but in an encrypted format and ensure only the target environment can decrypt. This way we can still allow the automation to happen and keep the environments secured.

In this blog, I will be touching upon the basics of securing secrets, introduce you to SOPS, explain to you how SOPS works and its effective use in building cloud-agnostic applications.