Where should a team store server credentials

Your issue is quite common and is in general referred to as Privileged Account/User/Identity Management, PAM/PUM/PIM/PxM for short.

KeePass is for sure a solution used quite often, but from a security, compliance and audit perspective not the best one. Since you are a team of five it's hard to tell if you have to comply with any policies. But if you have to, a commercial solution would be something to look into. It addresses more than just password management and sharing passwords across a team, but also individual accountability, reporting and such.

So it really depends on your requirements which way to go. From my experience I can tell you that there are many different ways used in enterprise environments, starting from paper in a secure location, down to files on shares. Especially regarding files on shares, e-mails or other 'online' storage, always remember that there might be some administrator who is able to access those and is not intended to.

HTH.


We are using a GnuPG-encrypted plaintext file, which is distributed and versioned with git. Every admin can decrypt either with

  1. a commonly known key (shared secret; maybe more risk in case of dismissal) or
  2. his own key (I think the risk of the secret leaking will be comparable)

Git will save you in case of wrongly configured encryption operations.

For usage on the desktop I can only suggest tools for Kubuntu:

  • kgpg is a nice tool in the tray bar with a small integrated editor for decrypting e.g. the credentials file
  • Kleopatra can en-/decrypt the clipboard

I can imagine that there are similar tools for Windows. You can visit https://www.gnupg.org/related_software/swlist.html for a first overview.
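As an added example (not code from the answer above), this script walks through option 2 end to end: each admin has their own GnuPG key, the credentials file is encrypted to every admin's public key and versioned in git, and one admin is then offboarded. It runs entirely in a temporary directory with throw-away keys; the admin names, the `example.invalid` addresses, the repository layout (`keys/<admin>.asc` next to `credentials.txt.gpg`) and the credential contents are all constructed for the demo and not part of the original answer. It assumes `gpg` (GnuPG 2.x) and `git` are on the PATH.

```shell
#!/bin/sh
# Added example: a credentials file encrypted with GnuPG to each admin's own key,
# versioned in git, plus what offboarding an admin looks like. Everything below
# uses a temporary directory and throw-away keys; admin names, addresses and the
# credential contents are constructed for this demo.
set -eu

for tool in gpg git; do
    command -v "$tool" >/dev/null 2>&1 || { echo "this demo needs $tool" >&2; exit 1; }
done

WORK=$(mktemp -d)
REPO="$WORK/credentials-repo"
mkdir -p "$REPO/keys"
cleanup() {
    for h in "$WORK"/home-*; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

home_of() { printf '%s/home-%s' "$WORK" "$1"; }          # one keyring per admin
mail_of() { printf '%s@example.invalid' "$1"; }           # constructed addresses

# Each admin generates a key pair in their own keyring (their own GNUPGHOME here)
# and publishes only the public key into the repository.
make_admin_key() {
    admin="$1"
    mkdir -p "$(home_of "$admin")" && chmod 700 "$(home_of "$admin")"
    printf '%s\n' '%no-protection' 'Key-Type: RSA' 'Key-Length: 2048' \
        "Name-Real: admin $admin" "Name-Email: $(mail_of "$admin")" \
        'Expire-Date: 0' '%commit' |
        GNUPGHOME="$(home_of "$admin")" gpg --batch --quiet --gen-key
    GNUPGHOME="$(home_of "$admin")" gpg --batch --quiet --armor \
        --export "$(mail_of "$admin")" > "$REPO/keys/$admin.asc"
}

# The acting admin imports every public key currently in keys/ and encrypts the
# plaintext to all of them, so each admin decrypts with their own private key.
encrypt_to_team() {
    actor="$1"; plain="$2"
    recips=""
    for k in "$REPO"/keys/*.asc; do
        GNUPGHOME="$(home_of "$actor")" gpg --batch --quiet --import "$k"
        recips="$recips -r $(mail_of "$(basename "$k" .asc)")"
    done
    # --trust-model always: the keys in keys/ are verified out of band (fingerprint
    # checked in person), not through the web of trust, so skip the trust prompt.
    GNUPGHOME="$(home_of "$actor")" gpg --batch --yes --quiet --trust-model always \
        --armor $recips --output "$REPO/credentials.txt.gpg" --encrypt "$plain"
}

# Decrypt the file at a git revision (default HEAD) as a given admin; exits
# non-zero when that admin's private key is not among the recipients.
decrypt_as() {
    admin="$1"; rev="${2:-HEAD}"
    git -C "$REPO" show "$rev:credentials.txt.gpg" |
        GNUPGHOME="$(home_of "$admin")" gpg --batch --quiet --decrypt 2>/dev/null
}

commit_repo() {
    git -C "$REPO" add -A
    git -C "$REPO" -c user.name=demo -c user.email="$(mail_of demo)" \
        -c commit.gpgsign=false commit -q -m "$1"
}

# --- Demo ---------------------------------------------------------------------
git -C "$REPO" init -q
for a in alice bob carol; do make_admin_key "$a"; done

printf 'db01 root: hunter2\n' > "$WORK/plain.txt"
encrypt_to_team alice "$WORK/plain.txt"
commit_repo "Add credentials, encrypted to alice, bob, carol"

# carol leaves: drop her public key, rotate the secret, re-encrypt to the rest.
rm "$REPO/keys/carol.asc"
printf 'db01 root: correct-horse-battery\n' > "$WORK/plain.txt"
encrypt_to_team alice "$WORK/plain.txt"
commit_repo "Offboard carol, rotate db01 root password"
rm "$WORK/plain.txt"

decrypt_as bob                                   # current file: bob can read it
decrypt_as carol || echo "carol: no longer a recipient"
# The previous ciphertext is still in git history and carol's key still opens
# it, which is why the password was rotated rather than only re-encrypted.
decrypt_as carol HEAD~1
```

The last three lines are the point of the exercise: removing a key from the recipient list only protects future revisions, while every ciphertext already committed stays readable by anyone who held a recipient key at the time, so an offboarding must rotate the credentials themselves, not just re-encrypt the file.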