I have a very simple SaaS (not on production yet) and I wonder what are the best practices to handle secrets (e.g., where/how to store my database password, api keys, etc.)
At first I thought: Ok, I would have two files ".secrets" and ".secrets.dev" where only the latter is commited to my git repo. Now, sure I need the ".secrets" file to exist in my production server... how do I upload it there? Perhaps using sftp is enough as part of my "deploy" script? It would upload the ".secrets" file from my machine to my production server.
I also thought about commiting ".secrets" to my git repo: every secret in that file would be encrypted with PGP though (perhaps I could encrypt the whole file)... but then my production server would need my GPG private key to decrypt the secrets. I would need to upload my private key from my machine to my production server as well... I don't see much of a difference with the previous approach.
I have heard about Vault and similar tools, but honestly these tools seem a bit "too much" for me: I'm a solo developer building a monolithic service. How do developers in the same circumstances handle secrets?
When you deploy your project, you 1) setup your host if necessary 2) install your software 3) install your config.
I recommend ansible for automating some of this. Check out a tutorial for ansible for setting up mysql or something similar, and you should get the gist of it. In this case, mysql is install from an RPM or .deb (or maybe in a docker container) rather than from a git project, but the abstraction is the same.