Neil Schelly wrote:
> Does anyone here have any experience with systems that make it easy to
> keep secrets hidden ...

Ugh, yes I have experience, but it's mostly with yelling at peers and/or trying to explain to senior execs why this is a hard-to-solve problem that no open-source project has ever tackled. I did publish the beginnings of such a project to my github last year; you can check it out at: rubygems.org/desviar. Now that I need to take it to the next level, it's a hard enough problem that it probably has to be funded by my workplace rather than open-sourced.

I've actually got an open checkbook at work, though, for a solution to this: if *anyone* here knows of a decent general-purpose (i.e. not AWS-only) solution to the cloud-API key management problem, be it open or closed source, I'm all ears.

I came up with a list of something like 30 or 40 different types of API keys that need managing; it's not just a question of securely storing them: the harder problem is automating the rotation of such keys. That implies scripts that connect to a vendor, authenticate using the current or a higher-level admin key, retrieve a new key, store it and revoke the old one.

The fire-drill of leaked keys gets really old after just a couple of times: someone posts a Jira or an email containing a sensitive key, some boss notices, another boss declares that all related keys be revoked, and two days later my systems are finally kinda-sorta back to normal.

-rich

_______________________________________________
bblisa mailing list
[email protected]
http://www.bblisa.org/mailman/listinfo/bblisa
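The rotation sequence rich describes (authenticate with the admin key, retrieve a new key, store it, revoke the old one), written out as an added Ruby example that is not from the post or from the desviar gem; `FakeVendor`, `rotate_key` and the Hash used as a secret store are assumed stand-ins for a real provider adapter and a real secret store. The ordering it enforces, and the rollback when the new key cannot be stored or verified, is what keeps a rotation from turning into the same outage as a leaked-key fire drill.

```ruby
# Hypothetical in-memory vendor standing in for one cloud provider's key API.
# A real adapter would wrap that provider's calls behind these same three methods.
class FakeVendor
  attr_reader :revoked
  def initialize(admin_key)
    @admin_key = admin_key
    @keys = {}          # key id => secret
    @revoked = []
    @next_id = 0
  end

  # Mint a new key; the caller must authenticate with the admin credential.
  def issue_key(auth)
    raise "unauthorized" unless auth == @admin_key
    @next_id += 1
    id = "key-#{@next_id}"
    @keys[id] = "secret-#{@next_id}"
    [id, @keys[id]]
  end

  def valid?(id, secret)
    @keys[id] == secret
  end

  def revoke_key(auth, id)
    raise "unauthorized" unless auth == @admin_key
    @keys.delete(id)
    @revoked << id
  end
end

# Rotate the key stored under `name` in `store` (any Hash-like secret store).
# Ordering is the whole point: issue, store, verify, and only then revoke the old
# key. If storing or verification fails, the new key is revoked and the old one
# stays valid, so nothing that depends on it breaks mid-rotation.
# An optional block replaces the verification step with a real test call.
def rotate_key(vendor, store, name, admin_key)
  old = store[name]                          # nil on first provisioning
  new_id, new_secret = vendor.issue_key(admin_key)
  begin
    store[name] = { id: new_id, secret: new_secret }
    ok = block_given? ? yield(new_id, new_secret) : vendor.valid?(new_id, new_secret)
    raise "new key #{new_id} failed verification" unless ok
  rescue => e
    store[name] = old                        # put the old credential back
    vendor.revoke_key(admin_key, new_id)     # back out the half-finished rotation
    raise e
  end
  vendor.revoke_key(admin_key, old[:id]) if old
  new_id
end
```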
