Hi Neil, I spoke at our lightning talks night last year on an implementation of SSSS - Shamir's Secret Sharing Scheme, which allows one to generate an encrypted object and n keys such that some number of those n keys are sufficient to recover the plaintext.

The slide and a link to video are at http://kmpeterson.com/special/bblisa-lightning13/ .

There's an open-source project called OpenCA that's a possible answer to the second part of your question. I had considered implementing it at one point, but realized that I didn't need enough of the functionality to justify the investment. I'm not certain how active the project still is at this point.

_KMP

On 24 Mar 2014, at 10:49 , Neil Schelly <[email protected]> wrote:

> I'm curious what experience others have with systems for sharing
> secure secrets in their orgs. We've got collections of private keys
> for SSL certificates, SSH authentication sessions, AWS credentials,
> and more. They aren't all managed in a consistent fashion, which
> means we've got different backup strategies and authentication
> necessary to get to all of them, and of course none of it is as clean
> as we'd like.
>
> Does anyone here have any experience with systems that make it easy to
> keep secrets hidden while still allowing access to those who need it?
> I'd love a system that can turn into something to create and sign SSL
> keys via a self-service interface too, down the road, but I'm mostly
> trying to create an easy enough alternative to putting sensitive keys
> into code repositories when they don't know any better. It's hard to
> tell people not to do that when the safe options really aren't very
> good or very user friendly.
>
> Thanks for any pointers!
> -Neil
>
> _______________________________________________
> bblisa mailing list
> [email protected]
> http://www.bblisa.org/mailman/listinfo/bblisa

K. M. Peterson, Boston
40 Stanton Road
Brookline, MA 02445-6839
Phone: +1 617 731 6177
http://kmpeterson.com/resume
Contact information, calendar, LinkedIn, Twitter, IM, Skype: http://kmpeterson.com/contact
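The k-of-n threshold scheme KMP describes above, worked through as an added example that is not part of the thread or of the linked talk: a secret (for instance a key that encrypts the actual private-key bundle) becomes the constant term of a random degree k-1 polynomial over a prime field, each of the n shares is one point on that polynomial, and any k shares recover the constant term by Lagrange interpolation at x = 0. The prime, the function names and the sample key are this example's own choices; the Python standard library `secrets` module supplies the randomness. Note that plain Shamir sharing gives no integrity: a corrupted share silently yields a wrong secret, which is why the example also shows that case.

```python
"""k-of-n Shamir secret sharing over a prime field (added example, not the talk's code)."""
import secrets

# Mersenne prime 2^521 - 1 (assumed here for convenience); any 32-byte key
# fits in a single field element with room to spare.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x, p=PRIME):
    """Evaluate the polynomial (constant term first) at x mod p via Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, k, n, p=PRIME):
    """Split an integer secret into n shares (x, y); any k of them recover it."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < p:
        raise ValueError("secret must be an integer in [0, p)")
    # Secret is the constant term; the other k-1 coefficients are uniformly random,
    # so fewer than k points are consistent with every possible secret.
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def recover_secret(shares, p=PRIME):
    """Lagrange-interpolate the supplied shares at x = 0 to get the constant term."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % p          # product of (0 - x_j)
                den = (den * (xi - xj)) % p      # product of (x_i - x_j)
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def split_key(key, k, n):
    """Share a byte-string key (e.g. the key that wraps a private-key bundle)."""
    return split_secret(int.from_bytes(key, "big"), k, n)


def recover_key(shares, length):
    """Rebuild the byte-string key from at least k shares; length is its byte size."""
    return recover_secret(shares).to_bytes(length, "big")


if __name__ == "__main__":
    # Constructed sample key, not a real credential.
    key = bytes(range(32))
    shares = split_key(key, 3, 5)
    print(recover_key(shares[:3], 32) == key)        # any 3 of 5 shares suffice
    print(recover_key(shares[2:], 32) == key)
    bad = [(shares[0][0], shares[0][1] ^ 1)] + shares[1:3]
    print(recover_key(bad, 32) == key)               # False: no integrity check
```

Because the sharing is linear, a tampered share changes the result by a nonzero multiple of the tampering, so the recovered key is always wrong rather than merely sometimes wrong; in practice the shared value should be wrapped with an authenticated encryption so that a bad reconstruction fails loudly instead of decrypting to garbage.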
