Hey,

On Tue, 2022-12-13 at 14:47 +0100, Diego Zuccato wrote:
> What's the recommended way to deploy (or re-deploy) security-sensitive
> objects (just to say one: private ssh key to avoid client warnings when
> redeploying a server)?

For things like ssh host keys I have a command that we run which copies them into the NFSROOT, and then a cron job that runs every minute that removes "expired" files from the NFSROOT. Given our NFSROOT is on a restricted network I feel that is sufficient.

I know someone who had GPG encrypted tarballs, but that required entering a passphrase during the build process.

Another option for ssh which I am considering is using PKI for it. Then servers and clients just need to trust a CA.

Cheers,
Andrew

-- 
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz          |
Catalyst Cloud:            | This space intentionally left blank
https://catalystcloud.nz   |
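
The copy-then-expire approach described in the message above, as an added sketch that is not part of the original post and not the command the author actually runs. The function names, the staging directory and the `.expires` sidecar file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: time-limited staging of secrets inside an install tree.
# The staging layout and the ".expires" sidecar are assumptions of this sketch.

# stage_secret SRC STAGE_DIR TTL_SECONDS [NOW]
# Copy SRC into STAGE_DIR with mode 0600 and record when it expires.
stage_secret() {
    src=$1 dir=$2 ttl=$3 now=${4:-$(date +%s)}
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    name=$(basename "$src")
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    # Write the expiry first: a crash between the two steps then leaves
    # an orphan sidecar rather than a secret with no expiry.
    ( umask 077; echo $((now + ttl)) > "$dir/$name.expires" ) || return 1
    install -m 0600 "$src" "$dir/$name"
}

# purge_expired STAGE_DIR [NOW]
# Remove every staged file whose expiry has passed; prints removed names.
# A file with no readable sidecar is treated as expired (fail closed).
purge_expired() {
    dir=$1 now=${2:-$(date +%s)}
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in *.expires) continue ;; esac
        exp=$(cat "$f.expires" 2>/dev/null) || exp=''
        case $exp in ''|*[!0-9]*) exp=0 ;; esac
        if [ "$now" -ge "$exp" ]; then
            rm -f "$f" "$f.expires" && basename "$f"
        fi
    done
    # Drop sidecars whose secret is already gone.
    for s in "$dir"/*.expires; do
        [ -f "$s" ] || continue
        [ -f "${s%.expires}" ] || rm -f "$s"
    done
}
```

A per-minute cron entry would source this file and call `purge_expired` on the staging directory; the exposure window for a staged key is then its TTL plus at most one minute.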