If you want to keep secrets, and work on a mostly remote site, it seems you have a couple options.
- encrypt the vault with gpg and run from your (hopefully) safe laptop and hope the connection is good
- run it in tmux at the remote site, but possibly expose your vault credentials.
- type a symmetric passphrase over ssh means keyboard timing attack. so definitely not.
- remote gpg management is a bit scary too. you may trust your co workers, but you never know what their cats are up to.
keepassx can type into a window, so thats a possibility.
how do you all handle this?
For us the big problem is windows server(as usual), because they dont have ssh, and winrm is a mess.