「PASSWORDS-MANAGER」- Credential Management | Secret Management System

This note records: methods for managing passwords, and how to handle the related problems;

Understanding

These days we have far too many passwords. Today we register on this website, tomorrow on that one; today this card code, tomorrow that passphrase. For the sake of password security we use a different password for every site, which inevitably means we have to remember a whole pile of them. Password Managers and Secret Management Systems exist to solve this class of problem.

Composition

KMS vs. HMS vs. Password Manager

Why don’t password managers use Key Management Services (KMS)? : r/crypto

KMS is about managing the lifecycle and generation of keys.

HSM (Hardware Security Module) is a dedicated, physical hardware device for securing cryptographic keys.

Secure storage/generation are add-ons, but not requirements that an HSM provides.

Also the use cases are different between a KMS and a password manager.

So that’s why they’re different products even though in theory they are similar things.

Construction

AWS Secrets Manager
AWS Parameter Store
Alibaba Cloud
Volcengine
Azure Key Vault
Google Cloud Secret Manager
HashiCorp Vault
IBM Secrets Manager
Github Actions Secrets
Oracle Vault
Yandex Certificate Manager
Yandex Lockbox

BeyondTrust
Bitwarden Secrets Manager
Chef
Cloud.ru Secret Manager
CyberArk Conjur
Device42
Kubernetes
Akeyless
GitLab Variables
1Password Connect Server
1Password SDK
Webhook
Fake
senhasegura DevOps Secrets Management (DSM)
Doppler
Keeper Security
Cloak End 2 End Encrypted Secrets
Scaleway
Delinea
Secret Server
Passbolt
Pulumi ESC
Onboardbase
Password Depot
Fortanix
Infisical
Previder
OpenBao
ngrok

Key Management System | Key Management Service | KMS

A Key Management Service (KMS) is a platform for key management and data encryption. It offers simple, easy-to-use encryption interfaces so that users can manage keys and protect core data in the cloud with little effort, while greatly reducing the procurement and development cost of deploying and operating their own cryptographic infrastructure, and helping the business meet regulatory and compliance requirements.

Teampass

KeepassXC

Vaultwarden

Website: https://github.com/dani-garcia/vaultwarden
Docs: https://github.com/dani-garcia/vaultwarden/wiki
Repository: https://github.com/dani-garcia/vaultwarden

Features:
Organizations support
Attachments and Send
Vault API support
Serving the static files for Vault interface
Website icons API
Authenticator and U2F support
YubiKey and Duo support
Emergency Access

Bitwarden

Website: https://bitwarden.com/
Docs: https://bitwarden.com/help/
Repository: https://github.com/bitwarden

Follow the Install and Deploy documentation to self-host the service and try out its features;

Experience:
1) The self-hosted service can only be used by individuals, not within a team or organization. This does not meet our needs;
2) Ran into the error Error: Cannot read property 'importKey'; an HTTPS service is required (Cannot read property 'importKey' of null);
3) The HTTPS certificate path is the ./bwdata/ssl directory, which is awkward to integrate with certbot's /etc/letsencrypt/ directory (perhaps it could be bind-mounted over);

Q: Does it support multiple users (for use as a team password manager)?
A: No. Free Bitwarden organizations allow for two users to securely share organization-owned credentials. You might use a free organization to share with a friend or partner, or to test organizations before upgrading to a different plan.
R: Organizations Quick Start | Bitwarden Help Center

Properties

WIP

Application

Personal password management tools | for Personal

  • KeepassXC

Team password management tools | Team Password Managers | for Team

Recommendations on Team Password Managers | Access Now Digital Security Helpline Public Documentation
Passbolt | Open source password manager for teams
passbolt/passbolt_api: Passbolt CE Backend, a JSON API written with Cakephp

We have many accounts, passwords, tokens, secrets and URLs (secrets) for third-party services, all of which need to be recorded. We also create various accounts for team members, and not every internal service supports LDAP integration. We also run many services of our own whose administrator credentials need to be recorded. Credentials for certain special hosts also need to be recorded separately;

Beyond that, how credentials are distributed, how they are shared among team members, how changes are communicated, and how credentials are backed up day to day all need to be well supported by the tool;

This note records: password management tools suitable for team use that meet these requirements, and solutions to the related problems;

Passbolt | Open source password manager for teams

https://www.passbolt.com/

  • Teampass
  • Vaultwarden
  • Bitwarden

References

Wikipedia/List of password managers