This document specifies Gratipay's practices around managing secrets such as passwords and keys.
Some less-sensitive passwords are stored in and shared through 1Password.
For some services we use their multiple user feature to distribute access.
Our most sensitive passwords are held by Chad Whitacre.
Third-party API keys are stored in Heroku as environment variables.
We encrypt some information before storing it, and we take OWASP-recommended steps to ensure that our secret keys are protected from unauthorized access. Here is the procedure for rekeying our encrypted data, which is to take place twice a year (based on M3AAWG's recommendation), in April and October:
Generate a new key with
./bin/keygen.py. (This doesn't need environment configuration, so it's fine to run locally.)
Add the new key to the front of
CRYPTO_KEYS(space-separated) in the Heroku application configuration (here's the web interface).
./bin/rekey.py. If you lose the new key after this step, we're hosed. We're also hosed if you leak it. (This does need environment configuration, so the easiest thing is to
heroku run bashand run it there.)
rekey.pyfails due to a network error or something like that, don't panic! Simply run it again, until it exits with "0 record(s) rekeyed."
Remove the old key from the end of
CRYPTO_KEYSin the Heroku application configuration. This is the risky part. Be very careful not to remove the first key.
Check that we have significantly less than 300 exobytes of data under encryption. If we don't, then congratulations: you live in the future.