pass password manager, gpg, unix, cli, password store

Pass: the Unix password manager that just works

I used KeePass for years. Then 1Password. Then Bitwarden. All decent tools, but they always felt… like too much. Too much UI, too many features, too much hassle to integrate properly into my workflow. Then I discovered pass. A password manager that does exactly what the name says: store passwords. Nothing more, nothing less. What is pass? Pass is the “standard unix password manager.” It’s a shell script of ~700 lines that stores passwords as GPG-encrypted files in a directory. That’s it. No database, no proprietary format, no built-in cloud sync. ...

January 10, 2026 · 7 min read · Tom Meurs
gpg, gnupg, encryption, pgp, public key cryptography

GPG explained: from first key to daily use

GPG is one of those tools everyone “should learn someday” but nobody wants to. The documentation is overwhelming, the terminology confusing, and the error messages cryptic (pun intended). But GPG is also essential. It’s the foundation for pass, for signed git commits, for encrypted email, and for verifying software downloads. If you’re serious about security, you can’t avoid it. This is the guide I wish I had when I started. What is GPG actually? GPG (GNU Privacy Guard) is an implementation of the OpenPGP protocol. It does two things: ...

January 6, 2026 · 9 min read · Tom Meurs

Kubernetes RBAC: Least Privilege in Practice

When everything has cluster-admin, nothing is secure. Kubernetes RBAC (Role-Based Access Control) exists to answer one question: who can do what to which resources? Most clusters answer incorrectly: “everyone can do everything.” This isn’t just a security problem — it’s a resilience problem. When a service account gets compromised, how much damage can it do? When someone runs the wrong command, what’s the blast radius? Least privilege limits that radius. ...

August 19, 2025 · 7 min read · Tom Meurs

Runtime Security with Falco: Detect Suspicious Behavior in Your Cluster

You scanned your images with Trivy. You enforced policies with Kyverno. Your workloads have cryptographic identity via SPIFFE. But what happens after deployment? What if a container gets compromised at runtime? What if an attacker exploits a zero-day? Prevention isn’t enough. You need detection. Falco is a runtime security tool that monitors system calls in your cluster. It sees everything containers do — file access, network connections, process execution — and alerts when something looks wrong. ...

August 7, 2025 · 8 min read · Tom Meurs

SPIFFE and SPIRE: Zero Trust Service Identity

How does Service A know that Service B is actually Service B? In traditional networks, we trusted network location. If traffic came from the right IP, it was legitimate. Zero trust killed that assumption. Now every service must prove its identity, every time, regardless of network position. SPIFFE (Secure Production Identity Framework for Everyone) is a standard for service identity. SPIRE is its production-ready implementation. Together, they give every workload a cryptographic identity — automatically, without static secrets. ...

July 26, 2025 · 7 min read · Tom Meurs