Sharing secrets with teams

A.K.A. “Goodbye password managers, hello Sniptt”

Here at Sniptt, we have lost count of how many times a colleague has asked us to securely share an API key, a database password, or an environment configuration file and we have not had an easy-to-use tool at our disposal that would help us do this efficiently.

We have worked with many different engineering teams over the past few years, and when it comes to sharing secrets what we have seen is that most small to medium-size teams eventually decide to either:

  1. not bother about “excessive” security measures and “just use Slack”, or

Undoubtedly, there are teams who have successfully adopted HashiCorp Vault, SOPS, or similar, but the reality is that most advanced solutions available today are simply too cumbersome to configure and difficult (or expensive) to maintain.

What’s wrong with password managers, anyway?

Like many of you, we use password managers on a daily basis to help us create and manage passwords for (primarily) web-based services such as ProtonMail or GitHub.

However, when it comes to sharing secrets with others quickly and securely, we have found that password managers fall short in 3 main categories:

  1. User/developer experience; Password manager UIs are often unintuitive and clunky, and sometimes require you to install browser extensions.

Sniptt to the rescue

Naturally, we started looking for a CLI that would allow us to share end-to-end encrypted content with our colleagues straight from the terminal while also offering great user/developer experience but, to our surprise, there were not too many tools out there that would tick all the right boxes.

We decided to build Sniptt — a service designed exclusively for developers and development teams to help quickly and securely share secrets such as service passwords, keys, environment config files, and more.

Here is a taste of what you get out-of-the-box with the Snip CLI:

1. It’s easy to configure

Whether you are setting up a new account or registering a new device for an existing account, the onboarding experience is fast, smooth, and straightforward. It’s dead simple, no BS 😎.

Example: First-time account setup
Example: Device registration (existing account)

2. It’s easy to use

The CLI does few things, and it does them well. It is intuitive, interactive, but also flexible enough that it can support more complicated use cases such as scripting and automation.

Example: Using Vaults to share secrets with team members
Example: Advanced usage with scripting

3. It’s open source

While Sniptt is not quite yet at the level of the Signal protocol, the client code is open source and therefore can be checked, contributed to, and improved overtime by people from around the world.

What else can I do with Sniptt?

Our new favourite feature is the ability to share a secret via “one-time URL”. The secret can be viewed by the recipient only once and then it will be self-destructed.

Example: One-time secret sharing via a URL

In fact, this use-case has become so popular that we decided to write a light-weight, zero-configuration CLI in Go to help you do just this: create end-to-end encrypted secrets that you can securely share with others via a one-time URL.

We called it ots (stands for “one-time secret”) and you can find it at https://github.com/sniptt-official/ots.

The ots CLI in action

There’s also some other exciting features coming, most notably cryptographically verifiable history of all changes to accounts, secrets and vaults over time.

How do I get started?

Simply check the Getting Started docs for installation instructions, and then run snip configure.

You can also configure multiple accounts on the same device, simply use snip configure --profile acme, snip configure --profile personal, and so on — you get the idea 😎.

Sounds exciting? Join us and others in contributing to the Sniptt projects on GitHub!

We believe there should be a better way for teams to manage secrets, so we decided to build a new kind of secret manager. Say goodbye to password managers!