Inside Gratipay

This is Gratipay's internal company portal. First time here? Welcome! Start at the top. :-)

Keep Secrets

This document specifies Gratipay's practices around managing secrets such as passwords and keys.


Some less-sensitive passwords are stored in and shared through 1Password.

For some services we use their multiple user feature to distribute access.

Our most sensitive passwords are held by Chad Whitacre.

API Keys

Third-party API keys are stored in Heroku as environment variables.

Encryption Key

We encrypt some information before storing it, and we take OWASP-recommended steps to ensure that our secret keys are protected from unauthorized access. Here is the procedure for rekeying our encrypted data, which is to take place twice a year (based on M3AAWG's recommendation), in April and October:

  1. Generate a new key with ./bin/ (This doesn't need environment configuration, so it's fine to run locally.)

  2. Add the new key to the front of CRYPTO_KEYS (space-separated) in the Heroku application configuration (here's the web interface).

  3. Run ./bin/ If you lose the new key after this step, we're hosed. We're also hosed if you leak it. (This does need environment configuration, so the easiest thing is to heroku run bash and run it there.)

  4. If fails due to a network error or something like that, don't panic! Simply run it again, until it exits with "0 record(s) rekeyed."

  5. Remove the old key from the end of CRYPTO_KEYS in the Heroku application configuration. This is the risky part. Be very careful not to remove the first key.

  6. Check that we have significantly less than 300 exobytes of data under encryption. If we don't, then congratulations: you live in the future.

Table of Contents