In May 2018 something happened to the internet, GDPR came online, and suddenly users in the EU had a lot more rights to their digital privacy, which is awesome. But on the flip side the implementation of the GDPR and procedures regarding it, are very vague, and were meant to be written as we go along, with whatever comes up as best practices. Books and talks have been written and given about the data encryption, problems encountered with event sourcing systems, questionaries about the purposes of collecting user data… So many words, and hours of many lives spent… Yet, something has been overlooked, something so basic, we do not even notice it. If you are working on an enterprise class project, or on other large projects, you might have an infra team that would deal with this and tell you what you need to do to be secure (at least good ones will) But… if you are working on smaller projects, and you have mom and pop shops to support, you deserve the same level of security bigger projects have… I am talking about secrets and credentials management for your application, the most overlooked aspect of any application. This is a talk in three acts. In first act I am going to give an overview of the problems we all encounter, or fear we will encounter, about current common patterns, and why they might be bad. In second act I will talk about what we can do to improve this, about crypto and security. In the last act I will give an overview of the tools available, and a demo of HashiCorp Vault and how it can help your application. But don’t be fooled, you will hear about the good stuff, but you will hear about downsides as well.