Storing secrets and credentials securely in GitLab

I am wondering if it's possible to store credentials like passwords, tokens and keys safely in my GitLab project.

Currently there are a bunch of Java files with some passwords stored in it for testing purposes. However, I don't want to push this information on my repo due to security reasons. I tried using environment variables in the project, but they only seem to work for the .gitlab-ci.yml file.

My question is: does anyone use a vault like HashiCorp's or BlackBox to encrypt sensitive information?

Thanks



Solution 1:[1]

You can check out GitLab 12.9 (March 2020) which comes with:

HashiCorp Vault GitLab CI/CD Managed Application

GitLab wants to make it easy for users to have modern secrets management. We are now offering users the ability to install Vault within a Kubernetes cluster as part of the GitLab CI managed application process.

This will support the secure management of keys, tokens, and other secrets at the project level in a Helm chart installation.

See documentation and issue.


See also GitLab 13.4 (September 2020)

For Premium/Silver only:

Use HashiCorp Vault secrets in CI jobs

In GitLab 12.10, GitLab introduced functionality for GitLab Runner to fetch and inject secrets into CI jobs. GitLab is now expanding the JWT Vault Authentication method by building a new secrets syntax in the .gitlab-ci.yml file. This makes it easier for you to configure and use HashiCorp Vault with GitLab.

[Image: "Use HashiCorp Vault secrets in CI jobs" - https://about.gitlab.com/images/13_4/vault_ci.png]

See Documentation and Issue.
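As an added illustration of the secrets syntax that the 13.4 release note above describes (this is example configuration, not from the original answer or from GitLab's own docs), the job below fetches a database password from Vault at job start instead of reading it from a checked-in Java file. The Vault URL, the auth role "gitlab-ci", the KV engine mount "ops" and the secret path "production/db" are placeholders assumed for the example; the Vault side (JWT auth method enabled, a role bound to this project's JWT claims, a policy allowing read on that path) must be configured separately.

```yaml
# .gitlab-ci.yml (added example; names and URLs below are placeholders)
#
# Assumes: Vault reachable at VAULT_SERVER_URL with the JWT auth method
# enabled, a role "gitlab-ci" whose bound claims restrict it to this
# project, and a KV secrets engine mounted at "ops" that holds the secret
# "production/db" with a field named "password".

variables:
  VAULT_SERVER_URL: "https://vault.example.com:8200"   # placeholder
  VAULT_AUTH_ROLE: "gitlab-ci"                          # placeholder role

integration-tests:
  stage: test
  image: maven:3-openjdk-11
  secrets:
    DB_PASSWORD_FILE:
      # short form: path/to/secret/field@engine-mount
      vault: production/db/password@ops
  script:
    # The runner authenticates to Vault with the job's JWT, reads the
    # secret before the script runs, writes it to a temporary file and
    # puts that file's path in $DB_PASSWORD_FILE. The tests then take the
    # password from the environment rather than from source control.
    - export DATABASE_PASSWORD="$(cat "$DB_PASSWORD_FILE")"
    # Do not echo or log the value: as Solution 3 below notes, GitLab does
    # not mask secrets obtained through the Vault integration.
    - mvn -B test
```

Because the secret never appears in the repository or in the project's CI variable list, rotating it is a Vault-side change only; the job picks up the new value on its next run. Restrict the Vault role's bound claims (project path, ref, environment) so that a job from a fork or an unprotected branch cannot obtain a token for the production path.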

Solution 2:[2]

If you are not using environment variables in GitLab, then you are asking if it is possible to store secrets in GitLab. I have not done this myself, but I found this post about it:

https://embeddedartistry.com/blog/2018/03/15/safely-storing-secrets-in-git/

The author suggests three ways of storing secrets in git:

The author was using BlackBox, but was going to migrate to git-crypt. From a quick look at it, git-crypt looks like something that I could use myself.

Solution 3:[3]

FWIW, GitLab doesn't mask the secrets from the HashiCorp Vault native integration.

However, this integration can still be used to advantage: it's easier to store, rotate and version control the secrets in the Vault and sync them into GitLab's project/group/instance secrets via e.g. Terraform.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 MrBerta
Solution 3 Denis Pisarev