
Sharing Secrets

submitted by
Style Pass
2021-05-23 16:00:06

This document is intended to help you decide how to share confidential information with others. It describes in some detail the various trade-offs, assumptions, and risks associated with each approach.

If even that is too much work for you, then: for secrets in use by services and systems, use your preferred Key Management System; for secrets used by humans, use a team password manager.

The best way to keep a secret a secret is to not share it. However, it is frequently necessary to share a secret with some parties: you may wish to provide a password to a social media account to the people in your organization responsible for managing that account, you may need to share an access token for an API with a team of developers, or you may need to provide a secret TLS key to all the systems serving HTTPS.

Types of Secrets
Secrecy in Transit and Protection at Rest
Secret Revocation and Rotation
Some Assumptions
Sharing Options
Don't use a secret
Exchange secrets over the phone
Use your Key Management System
Use a shared key store or password manager vault
Use of client-side encrypted pastebin or similar service
Use of a restricted Google doc
Direct message in Slack or similar chat service
Signal / WhatsApp / Apple Message
Stashing a file on a shared computer with permissions
Sending encrypted data via email
Stashing an encrypted file in a code repository
Using a third-party storage service like Dropbox, Box, etc.
