Secrets Management

Managing credentials and sensitive configuration.


Overview

All secrets are centralized in ~/ravenhelm/secrets/ with restrictive permissions.


Directory Structure

secrets/
├── .env # Master environment file
└── ssh-keys/ # Service SSH keys (if any)

Permissions

chmod 700 ~/ravenhelm/secrets
chmod 600 ~/ravenhelm/secrets/.env

Master .env File

Contains all service credentials:

# AWS (Route 53)
AWS_ACCESS_KEY_ID=...
AWS_SECRET_ACCESS_KEY=...
AWS_HOSTED_ZONE_ID=...

# PostgreSQL
POSTGRES_USER=ravenhelm
POSTGRES_PASSWORD=...

# Redis
REDIS_PASSWORD=...

# Zitadel
ZITADEL_MASTERKEY=...

# API Keys
ANTHROPIC_API_KEY=...
OPENAI_API_KEY=...

Service Integration

Each service links the master file into its own directory instead of keeping a copy, so there is a single file to protect and rotate:

cd ~/ravenhelm/services/<service>
ln -sf ../../secrets/.env .env
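The permission and symlink conventions above are easy to break silently (a `cp` instead of `ln -sf`, a `chmod` on the wrong path). This added audit script, which is not part of the ravenhelm project, checks the layout from the Permissions and Service Integration sections: `secrets/` is 700, `.env` is 600, every `services/<service>/.env` is a symlink that resolves to the master file, and `secrets/` is listed in `.gitignore`. The root path is passed in by the caller (for this page it would be `~/ravenhelm`); `readlink -f` is assumed to be the GNU version.

```shell
#!/bin/sh
# Added audit script (not the project's own): verifies the secrets layout
# described on this page. Usage: audit_secrets_layout ~/ravenhelm
# Exit status 0 means every check passed.

# Octal permission bits of a path; GNU stat first, BSD stat as a fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

audit_secrets_layout() {
  root=$1
  secrets_dir="$root/secrets"
  master_env="$secrets_dir/.env"
  fail=0

  # secrets/ must be 700 and the master .env 600, exactly as chmod'ed above.
  [ -d "$secrets_dir" ] || { echo "FAIL: $secrets_dir missing"; return 1; }
  [ -f "$master_env" ]  || { echo "FAIL: $master_env missing"; return 1; }
  mode=$(file_mode "$secrets_dir")
  [ "$mode" = 700 ] || { echo "FAIL: $secrets_dir is $mode, expected 700"; fail=1; }
  mode=$(file_mode "$master_env")
  [ "$mode" = 600 ] || { echo "FAIL: $master_env is $mode, expected 600"; fail=1; }

  # Every services/<service>/.env must be a symlink resolving to the master
  # file. A plain copy drifts from the master and escapes the 600 mode above.
  master_real=$(readlink -f "$master_env")
  for svc_env in "$root"/services/*/.env; do
    [ -e "$svc_env" ] || [ -L "$svc_env" ] || continue   # glob matched nothing
    if [ ! -L "$svc_env" ]; then
      echo "FAIL: $svc_env is a regular file, not a symlink"; fail=1
    elif [ "$(readlink -f "$svc_env")" != "$master_real" ]; then
      echo "FAIL: $svc_env points at $(readlink -f "$svc_env"), not the master .env"; fail=1
    fi
  done

  # secrets/ must be ignored by git (Security Rule 1); accepts secrets, secrets/, /secrets/.
  if ! grep -Eqx '/?secrets/?' "$root/.gitignore" 2>/dev/null; then
    echo "FAIL: secrets/ is not listed in $root/.gitignore"; fail=1
  fi

  [ "$fail" -eq 0 ] && echo "OK: secrets layout passes all checks"
  return "$fail"
}

# Stand-alone use: sh audit.sh ~/ravenhelm
if [ -n "${1:-}" ]; then
  audit_secrets_layout "$1"
fi
```

Run it from cron or a pre-deploy hook and treat a non-zero exit as a blocker; the checks are deliberately strict (exact 700/600, symlink only) because a looser mode or a stray copy is precisely the drift that leaks credentials.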

Docker Compose picks the linked file up automatically:

services:
  myservice:
    env_file:
      - .env
    environment:
      - DB_PASSWORD=${POSTGRES_PASSWORD}

Generating Secrets

# Random 32-character string
~/ravenhelm/scripts/utils/generate-secret.sh 32

# Or manually (32 random bytes, base64-encoded)
openssl rand -base64 32

# URL-safe (32 random bytes, base64url-encoded)
python3 -c "import secrets; print(secrets.token_urlsafe(32))"

1Password Integration

Secrets are backed up in the 1Password vault ravenmask:

# Read secret
op item get "PostgreSQL" --vault ravenmask --fields password --reveal

# List items
op item list --vault ravenmask

Security Rules

  1. Never commit secrets - secrets/ is in .gitignore
  2. Never log secrets - mask them in application logs
  3. Rotate regularly - update compromised credentials
  4. Back up encrypted - never store an unencrypted copy
  5. Principle of least privilege - grant only the permissions each service needs
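Rule 2 is the one most often broken by accident: a service echoes its connection string, or `set -x` dumps an environment into a build log. The following added example, which is not part of the ravenhelm project, is a log filter that reads the master `.env`, collects the values of keys whose names look like credentials (the pattern PASSWORD/SECRET/KEY/TOKEN is an assumption of this example, chosen to match the keys shown on this page), and masks those values wherever they appear in a log stream before it is shipped or stored. Matching is literal rather than regex-based, so values containing characters like `+`, `.` or `/` are handled correctly.

```shell
#!/bin/sh
# Added example (not the project's own): mask secret values from an env file
# in a log stream. The env file path and the key-name pattern are assumptions.
#
#   mask_secrets ENV_FILE  <log-stream  >masked-log-stream
#
# Values of keys whose name contains PASSWORD, SECRET, KEY or TOKEN are replaced
# with *** on every line. Values shorter than 4 characters are ignored so that
# placeholders such as "..." never trigger a replacement loop.
mask_secrets() {
  awk -v envfile="$1" '
    BEGIN {
      while ((getline line < envfile) > 0) {
        # skip comments, blank lines and anything without KEY=VALUE
        if (line ~ /^[ \t]*(#|$)/ || index(line, "=") == 0) continue
        eq  = index(line, "=")
        key = substr(line, 1, eq - 1)
        val = substr(line, eq + 1)
        sub(/^"/, "", val); sub(/"$/, "", val)          # strip optional quotes
        if (toupper(key) ~ /PASSWORD|SECRET|KEY|TOKEN/ && length(val) >= 4)
          secrets[val] = 1
      }
      close(envfile)
    }
    {
      # literal replacement via index/substr; each pass shortens the line,
      # so the loop always terminates
      for (s in secrets)
        while ((pos = index($0, s)) > 0)
          $0 = substr($0, 1, pos - 1) "***" substr($0, pos + length(s))
      print
    }'
}

# Stand-alone demo with constructed data (real use, for example:
#   docker compose logs -f | mask_secrets ~/ravenhelm/secrets/.env)
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  printf 'POSTGRES_USER=ravenhelm\nPOSTGRES_PASSWORD=s3cr3t-pw-2024\nOPENAI_API_KEY="sk-example-key"\n' > "$tmp"
  printf 'connecting as ravenhelm with password s3cr3t-pw-2024\nauth header: Bearer sk-example-key\n' \
    | mask_secrets "$tmp"
  rm -f "$tmp"
fi
```

The filter masks by key name rather than by value length, so non-secret values such as `POSTGRES_USER=ravenhelm` stay readable while every `*_PASSWORD`, `*_KEY` and `*_MASTERKEY` value is removed; a value that appears inside a longer token (a password embedded in a connection URL) is still caught because the match is a plain substring search.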