In software development it is common practice to use a secret manager like Vault instead of hardcoding (exposing) credentials in code/things files. Does openHAB support any type of secret manager? Searching for “secret manager” only brings up topics about openHAB cloud.
@darkspirit510 Do you use HashiCorp Vault? If so, do you have an existing home implementation? Or where would you run it? On your OH2 machine, Docker, or a separate server? Just curious for my own research. I’ve used Vault for work and it’s great.
I totally see your point, @Bruce_Osborne. Most credentials in my openHAB configuration are just used in my home. But I was thinking about adding Apple devices to do specific actions (like press a button to find my phone). The credentials in this case are valid outside of my home. You could also apply this to things like the CalDAV binding or Telegram publishing (okay, this is a limited issue). Those are at least the things that come to my mind.
I do not want to give my credentials to a cloud service just to have them disappear. These people who bought this device new in 2017 or subsequent will now have a useless device.
Vault can be hosted on premise though and does not need to be in the public cloud. Like @darkspirit510, I also have some devices that require credentials for devices that are connected to the internet that I need to control. I have those all on a separate VLAN (NoT) vs my local devices on VLAN (IoT) that do not need internet access.
I’ve got a bit of a complicated setup for my openHAB, but I have a repo that contains my config files that are also templates. When changes happen to these files, it triggers a job to run that rebuilds the configs and injects the secrets. It’s worked really well for me so far.
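The template-and-inject job described in the last post could look like the following. This is an added example, not the poster's actual job; the `{{secret:NAME}}` placeholder syntax, the `.tmpl` suffix, the environment as the secret source, and the sample MQTT bridge line are assumptions.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Placeholder syntax is an assumption of this example: {{secret:NAME}}
PLACEHOLDER = re.compile(r"\{\{secret:([A-Z0-9_]+)\}\}")


def render(template_text, secrets):
    """Replace every placeholder; refuse to render if a secret is missing or unsafe."""
    names = set(PLACEHOLDER.findall(template_text))
    missing = sorted(n for n in names if n not in secrets)
    if missing:
        raise KeyError("missing secrets: " + ", ".join(missing))
    for name in names:
        # A quote or newline in the value would break out of the quoted config field
        if '"' in secrets[name] or "\n" in secrets[name]:
            raise ValueError("secret " + name + " contains a quote or newline")
    return PLACEHOLDER.sub(lambda m: secrets[m.group(1)], template_text)


def build(template_dir, out_dir, secrets):
    """Render each *.tmpl in template_dir into out_dir, readable by the owner only."""
    written = []
    out_dir.mkdir(parents=True, exist_ok=True)
    for tmpl in sorted(template_dir.glob("*.tmpl")):
        rendered = render(tmpl.read_text(), secrets)
        target = out_dir / tmpl.name[: -len(".tmpl")]
        # Create the file with 0600 before any secret is written to it
        fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(rendered)
        os.chmod(target, 0o600)  # also tighten a file that already existed
        written.append(target)
    return written


# Constructed sample template line (not from the thread)
SAMPLE = 'Bridge mqtt:broker:home [ host="192.168.1.10", username="openhab", password="{{secret:MQTT_PASSWORD}}" ]\n'

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "templates"), Path(tmp, "things")
        src.mkdir()
        (src / "mqtt.things.tmpl").write_text(SAMPLE)
        secrets = dict(os.environ)  # assumed: the job exports secrets as env vars
        secrets.setdefault("MQTT_PASSWORD", "constructed-demo-value")
        for path in build(src, dst, secrets):
            print(path.name, oct(stat.S_IMODE(path.stat().st_mode)))
```

Only the templates belong in the repository; the rendered output directory should be excluded from version control.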