Sharing the key to a password vault securely

Çağlar Arlı

We have an application that holds a bunch of passwords in an encrypted vault for various purposes. What is the best practice for storing the key for that vault? It feels like there's a bootstrapping problem where the master key needs to be in our source code or accessible unencrypted somewhere, hence the bootstrapping issue.

The application is accessed by many different users who each have their own passwords, managed the normal hash+salt protected database way. I thought a sneak for this could be to store the password on each user encrypted with their password, but that also feels insecure, leaking too much information, and is also problematic when creating new users.

Try as I might, I can't find any best practices on this. It turns out googling "vault" gets a lot of Azure answers, but I'd like a platform-agnostic answer.
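
The per-user scheme the question describes (the vault key stored once per user, encrypted under a key derived from that user's password), as an added example that is not part of the original post. It assumes the third-party `cryptography` package; the function names, scrypt parameters and sample passwords are constructed for illustration.

```python
import hashlib
import secrets
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap, aes_key_unwrap, aes_key_wrap)


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key from the user's password. Uses its own salt,
    separate from the login hash, so the stored hash is never the KEK."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


def wrap_for_user(vault_key: bytes, password: str) -> dict:
    """Row stored per user: a salt and the vault key wrapped under
    that user's KEK (AES Key Wrap, RFC 3394). No plaintext key."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "wrapped": aes_key_wrap(derive_kek(password, salt), vault_key)}


def unlock(row: dict, password: str) -> bytes:
    """Recover the vault key at login; a wrong password fails the
    RFC 3394 integrity check and raises InvalidUnwrap."""
    return aes_key_unwrap(derive_kek(password, row["salt"]), row["wrapped"])


def demo() -> dict:
    vault_key = secrets.token_bytes(32)      # generated once, never stored raw
    db = {"alice": wrap_for_user(vault_key, "alice-pw (constructed)")}
    del vault_key                            # only wrapped copies remain

    # Enrolling bob needs a logged-in user to unlock the key first:
    # the "new users" problem from the question.
    key = unlock(db["alice"], "alice-pw (constructed)")
    db["bob"] = wrap_for_user(key, "bob-pw (constructed)")

    try:
        unlock(db["bob"], "wrong guess")
        rejected = False
    except InvalidUnwrap:
        rejected = True
    return {"same_key": unlock(db["bob"], "bob-pw (constructed)") == key,
            "rows_differ": db["alice"]["wrapped"] != db["bob"]["wrapped"],
            "wrong_password_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

A password change only re-wraps that user's row; the vault contents and the other users' rows are untouched.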