Re: Secure deploy of keys

2022-12-13 Thread Diego Zuccato

Tks.
Too bad I fear it's not applicable to my scenario.
First because the network is public. Second because ssh is just one of 
the secrets I have to distribute (others are usually SaltStack key and 
Gluster certificate).
I'm thinking that probably this is one of the few cases where a TPM is 
actually useful...
GPG encrypted tarballs can be a good solution if there's a trusted 
person that can insert the password (or a TPM that can decrypt it) to 
complete the install...


Diego

On 13/12/2022 20:44, Andrew Ruthven wrote:
> Hey,
>
> On Tue, 2022-12-13 at 14:47 +0100, Diego Zuccato wrote:
>> What's the recommended way to deploy (or re-deploy) security-sensitive
>> objects (just to say one: private ssh key to avoid client warnings when
>> redeploying a server)?
>
> For things like ssh host keys I have a command that we run which copies
> them into the NFSROOT, and then a cron job that runs every minute that
> removes "expired" files from the NFSROOT. Given our NFSROOT is on a
> restricted network I feel that is sufficient.
>
> I know someone who had GPG encrypted tarballs, but that required
> entering a passphrase during the build process.
>
> Another option for ssh which I am considering is using PKI for it. Then
> servers and clients just need to trust a CA.
>
> Cheers,
> Andrew
>
> --
> Andrew Ruthven, Wellington, New Zealand
> and...@etc.gen.nz |
> Catalyst Cloud: | This space intentionally left blank
> https://catalystcloud.nz |



--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786


Re: Secure deploy of keys

2022-12-13 Thread Andrew Ruthven
Hey,

On Tue, 2022-12-13 at 14:47 +0100, Diego Zuccato wrote:
> What's the recommended way to deploy (or re-deploy) security-
> sensitive 
> objects (just to say one: private ssh key to avoid client warnings
> when 
> redeploying a server)?

For things like ssh host keys I have a command that we run which copies
them into the NFSROOT, and then a cron job that runs every minute that
removes "expired" files from the NFSROOT. Given our NFSROOT is on a
restricted network I feel that is sufficient.

I know someone who had GPG encrypted tarballs, but that required
entering a passphrase during the build process.

Another option for ssh which I am considering is using PKI for it. Then
servers and clients just need to trust a CA.


Cheers,
Andrew
-- 
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz |
Catalyst Cloud: | This space intentionally left blank
https://catalystcloud.nz |



Re: Secure deploy of keys

2022-12-13 Thread Maximilian Stein

Hi all,
> What's the recommended way to deploy (or re-deploy) security-sensitive 
> objects (just to say one: private ssh key to avoid client warnings 
> when redeploying a server)?


One solution that comes to my mind is to generate a local GPG key and 
then authorize it for using a pass store 
(https://www.passwordstore.org/) before running a softupdate. This is 
not ideal, since there are no secrets available in the initial 
installation, though, but prevents leaking any sensitive data.


Best,
Max



Re: Secure deploy of keys

2022-12-13 Thread Andreas Heinlein
Hello,

I would be very interested if you find any solutions. By design, the FAI config 
space has to be somewhere where it is accessible without access control 
(anonymous NFS or whatever), and everything within it obviously has to be 
readable.

I guess you will need to find other solutions. As for the SSH keys, I am 
currently trying to publish SSH keys in DNS so clients can verify them. Haven't 
tested yet what happens when the client already has a (different) key in its 
known_hosts file, though.

Bye,
Andreas

On 13.12.22 at 14:47, Diego Zuccato wrote:
> Hello all.
>
> What's the recommended way to deploy (or re-deploy) security-sensitive 
> objects (just to say one: private ssh key to avoid client warnings when 
> redeploying a server)?
>
> TIA
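
An added example, not part of the thread or of FAI: the approach Andreas mentions, publishing SSH host keys in DNS, uses SSHFP records, and this sketch derives the record from a host's public-key line and checks whether a reinstalled host still matches what is published. The hostname and key material are constructed placeholders.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479); subset for illustration.
ALGO = {"ssh-rsa": 1, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
FP_SHA256 = 2  # SSHFP fingerprint type 2 = SHA-256 of the raw key blob

def parse_pubkey(line):
    """Split an OpenSSH public-key line and return (key_type, raw_blob)."""
    fields = line.split()
    if len(fields) < 2 or fields[0] not in ALGO:
        raise ValueError("expected '<known type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type. A mismatch
    # means the line was edited or corrupted, so refuse to publish it.
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return key_type, blob

def sshfp_record(hostname, pubkey_line):
    """Return the zone-file SSHFP line for one host public key."""
    key_type, blob = parse_pubkey(pubkey_line)
    digest = hashlib.sha256(blob).hexdigest()
    return f"{hostname}. IN SSHFP {ALGO[key_type]} {FP_SHA256} {digest}"

def matches(record, pubkey_line):
    """Compare a published record with the key a (re)installed host presents."""
    algo, fptype, digest = record.split()[-3:]
    key_type, blob = parse_pubkey(pubkey_line)
    return (int(algo) == ALGO[key_type] and int(fptype) == FP_SHA256
            and hashlib.sha256(blob).hexdigest() == digest.lower())

def constructed_ed25519_line(seed):
    # Constructed sample: 32 filler bytes in ssh-ed25519 wire layout, not a real key.
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes([seed]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@constructed"

if __name__ == "__main__":
    old, new = constructed_ed25519_line(1), constructed_ed25519_line(2)
    rec = sshfp_record("node1.example.org", old)
    print(rec)
    print("host key preserved across reinstall:", matches(rec, old))
    print("host key regenerated by installer:  ", matches(rec, new))
```

Only the public half of the key goes into DNS, so a regenerated host key means updating the record rather than shipping a private key through the config space. OpenSSH clients consult these records when `VerifyHostKeyDNS` is enabled and trust them without prompting only if the answer is DNSSEC-validated.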



Secure deploy of keys

2022-12-13 Thread Diego Zuccato

Hello all.

What's the recommended way to deploy (or re-deploy) security-sensitive 
objects (just to say one: private ssh key to avoid client warnings when 
redeploying a server)?


TIA

--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786