Tks.
Too bad I fear it's not applicable to my scenario.
First because the network is public. Second because ssh is just one of
the secrets I have to distribute (others are usually SaltStack key and
Gluster certificate).
I'm thinking that probably this is one of the few cases where a TPM is
actually useful...
GPG encrypted tarballs can be a good solution if there's a trusted
person that can insert the password (or a tpm that can decrypt it) to
complete the install...
Diego
Il 13/12/2022 20:44, Andrew Ruthven ha scritto:
Hey,
On Tue, 2022-12-13 at 14:47 +0100, Diego Zuccato wrote:
What's the recommended way to deploy (or re-deploy) security-sensitive
objects (just to say one: private ssh key to avoid client warnings when
redeploying a server)?
For things like ssh host keys I have a command that we run which copies
them into the NFSROOT, and then a cron job that runs every minute that
removes "expired" files from the NFSROOT. Given our NFSROOT is on a
restricted network I feel that is sufficient.
I know someone who had GPG encrypted tarballs, but that required
entering a passphrase during the build process.
Another option for ssh which I am considering is using PKI for it. Then
servers and clients just need to trust a CA.
Cheers,
Andrew
--
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz |
Catalyst Cloud: | This space intentionally left blank
https://catalystcloud.nz |
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
