Secure deploy of keys

Andrew Ruthven andrew at etc.gen.nz
Tue Dec 13 20:44:09 CET 2022


Hey,

On Tue, 2022-12-13 at 14:47 +0100, Diego Zuccato wrote:
> What's the recommended way to deploy (or re-deploy) security-sensitive
> objects (just to say one: private ssh key to avoid client warnings
> when redeploying a server)?

For things like ssh host keys I have a command that we run which copies
them into the NFSROOT, and then a cron job that runs every minute that
removes "expired" files from the NFSROOT. Given our NFSROOT is on a
restricted network I feel that is sufficient.

I know someone who had GPG encrypted tarballs, but that required
entering a passphrase during the build process.

Another option for ssh which I am considering is using PKI for it. Then
servers and clients just need to trust a CA.


Cheers,
Andrew
-- 
Andrew Ruthven, Wellington, New Zealand
andrew at etc.gen.nz
Catalyst Cloud: https://catalystcloud.nz
This space intentionally left blank
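The first scheme Andrew describes (copy the secret into the NFSROOT, let a once-a-minute cron job remove it again once it has "expired") is easy to get subtly wrong: a partially written key file can be read by an install client, and a file that never gets an expiry marker never gets cleaned up. The following is an added example, not Andrew's script and not part of FAI, of one way to implement both halves in POSIX sh. `STAGE_DIR` stands in for a directory under the NFSROOT (a temp dir is used so it runs anywhere), the per-file expiry is recorded in a `NAME.expires` sidecar, and the dummy key material is constructed.

```shell
#!/bin/sh
# Added example (not Andrew's script, not FAI code): stage a secret into the
# NFSROOT with a recorded expiry, plus the cleanup routine a per-minute cron
# job would call. STAGE_DIR stands in for a directory under the NFSROOT; a
# temp dir is used here so the script runs anywhere (assumption, not an FAI path).

STAGE_DIR="${STAGE_DIR:-$(mktemp -d)}"

# stage_secret SRC NAME TTL_SECONDS
# Copy SRC into the staging dir as NAME (mode 0600, published via an atomic
# rename so an install client never reads a half-written key) and record the
# absolute expiry time, in epoch seconds, in the sidecar NAME.expires.
stage_secret() {
    src=$1; name=$2; ttl=$3
    dest="$STAGE_DIR/$name"
    umask 077
    cp "$src" "$dest.tmp"
    chmod 0600 "$dest.tmp"
    mv -f "$dest.tmp" "$dest"
    echo "$(( $(date +%s) + $ttl ))" > "$dest.expires"
}

# expire_secrets
# Remove every staged secret whose expiry time has passed, together with its
# sidecar. This is the body of the once-a-minute cron job.
expire_secrets() {
    now=$(date +%s)
    for meta in "$STAGE_DIR"/*.expires; do
        [ -f "$meta" ] || continue      # glob matched nothing
        exp=$(cat "$meta")
        if [ "$exp" -le "$now" ]; then
            rm -f -- "${meta%.expires}" "$meta"
        fi
    done
}

# is_staged NAME: succeed if NAME is still present in the staging dir.
is_staged() { [ -f "$STAGE_DIR/$1" ]; }

# secret_mode NAME: print the permission string of a staged file, e.g. "-rw-------".
secret_mode() { ls -l "$STAGE_DIR/$1" | cut -c1-10; }

# demo: stage a constructed dummy key for an hour, plus one that expired a
# minute ago, then run the cleanup once. Only the first should survive.
demo() {
    tmpkey=$(mktemp)
    echo "CONSTRUCTED DUMMY KEY, not real key material" > "$tmpkey"
    stage_secret "$tmpkey" ssh_host_ed25519_key 3600
    stage_secret "$tmpkey" ssh_host_old_key -60
    rm -f "$tmpkey"
    expire_secrets
}

demo
```

In a real deployment `STAGE_DIR` would be a directory inside the NFSROOT that only the install client's task reads, and `expire_secrets` would be the cron entry; the TTL should be just long enough to cover the install window, since anything on the NFSROOT is readable by every client on that network for as long as it sits there.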

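For the PKI option Andrew is considering, here is an added example (mine, not from the thread or the FAI project) of the moving parts using OpenSSH's built-in certificate support: a CA keypair, a host certificate signed by it, and the single `@cert-authority` line clients trust instead of one known_hosts entry per host. With this, a redeployed server only needs a fresh certificate for whatever host key it generated; the private host key never has to be copied anywhere. The working directory, the `*.example.internal` domain and the hostname are constructed for the demo; `ssh-keygen` must be installed.

```shell
#!/bin/sh
# Added example (not from the thread or FAI): OpenSSH host-key PKI.
# WORK is a scratch dir standing in for the CA's storage and a host's
# /etc/ssh; the domain and hostname below are constructed for the demo.

WORK="${WORK:-$(mktemp -d)}"
CA_KEY="$WORK/host_ca"

# make_ca: create the CA keypair. The private half stays on the signing
# host (never in the NFSROOT); only host_ca.pub is distributed to clients.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'host-ca (constructed)' -f "$CA_KEY"
}

# sign_host_key FQDN PUBKEY: issue a host certificate (-h) for PUBKEY whose
# only principal (-n) is FQDN, valid for 52 weeks (-V). ssh-keygen writes the
# certificate next to PUBKEY as *-cert.pub. Only the public key crosses the
# network, so this can run at deploy time without moving the private key.
sign_host_key() {
    ssh-keygen -q -s "$CA_KEY" -I "$1-host" -h -n "$1" -V +52w "$2"
}

# known_hosts_line: the one line clients put in known_hosts (per-user or the
# system-wide file) instead of an entry per host.
known_hosts_line() {
    printf '@cert-authority *.example.internal %s\n' \
        "$(cut -d' ' -f1,2 "$CA_KEY.pub")"
}

# cert_principals CERT: list the principals baked into a certificate, parsed
# from the "Principals:" section of `ssh-keygen -L` output.
cert_principals() {
    ssh-keygen -L -f "$1" | sed -n '/Principals:/,/Critical Options:/p' \
        | sed '1d;$d' | tr -d ' \t'
}

# cert_is_host_cert CERT: succeed if the certificate is a host (not user) cert.
cert_is_host_cert() {
    ssh-keygen -L -f "$1" | grep -q 'host certificate'
}

# demo: CA, a freshly generated host key (as a server creates on first boot),
# its certificate, and the client trust line.
demo() {
    make_ca
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/ssh_host_ed25519_key"
    sign_host_key web1.example.internal "$WORK/ssh_host_ed25519_key.pub"
    known_hosts_line
}

demo
```

On the server side the only addition to `sshd_config` is `HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub`. Because the certificate carries the hostname as its principal, a client that trusts the CA will accept the new key of a redeployed `web1.example.internal` without a warning, but will still reject that same certificate presented by any other host.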