We used the same approach for a while. Pass/gopass will do that for you. However, the downside here is that it quickly gets unwieldy as you’ll end up with relatively large vaults. And you can’t really remove people, they can always keep and decrypt old versions of the vault, that means that you do have to rotate all of the secrets in that vault manually if someone leaves. And then, there’s also the support cost for non-tech people. GPG on Windows is a particular pain.

You’ll have a similar effect in all password storage solutions, but since adding/removing people from vaults is much simpler, you end up with smaller, more fine-grained vaults and fewer secrets to rotate. Also, SSO, SCIM, and tying the password management into a proper group/authentication system will help.

> And you can’t really remove people, they can always keep and decrypt old versions of the vault, that means that you do have to rotate all of the secrets in that vault manually if someone leaves. And then, there’s also the support cost for non-tech people. GPG on windows is a particular pain.

In a way doesn't this just more directly reflect the reality that anyone you've ever given access to a password may have made a private copy of it? It's not actually safe to leave passwords unrotated when someone who had access to them leaves.


Absolutely. My point is that pass/gopass in practice lead to larger vaults, so you need to rotate more passwords. And more advanced password managers offer assistance for that task, which the more basic ones do not.
