Secure deploy of keys
Diego Zuccato
diego.zuccato at unibo.it
Wed Dec 14 06:39:32 CET 2022
Tks.
Too bad I fear it's not applicable to my scenario.
First because the network is public. Second because ssh is just one of
the secrets I have to distribute (others are usually SaltStack key and
Gluster certificate).
I'm thinking that probably this is one of the few cases where a TPM is
actually useful...
GPG encrypted tarballs can be a good solution if there's a trusted
person that can insert the password (or a TPM that can decrypt it) to
complete the install...
Diego
On 13/12/2022 20:44, Andrew Ruthven wrote:
> Hey,
>
> On Tue, 2022-12-13 at 14:47 +0100, Diego Zuccato wrote:
>> What's the recommended way to deploy (or re-deploy) security-sensitive
>> objects (just to say one: private ssh key to avoid client warnings when
>> redeploying a server)?
>
> For things like ssh host keys I have a command that we run which copies
> them into the NFSROOT, and then a cron job that runs every minute that
> removes "expired" files from the NFSROOT. Given our NFSROOT is on a
> restricted network I feel that is sufficient.
>
> I know someone who had GPG encrypted tarballs, but that required
> entering a passphrase during the build process.
>
> Another option for ssh which I am considering is using PKI for it. Then
> servers and clients just need to trust a CA.
>
> Cheers,
> Andrew
>
> --
>
> Andrew Ruthven, Wellington, New Zealand
> andrew at etc.gen.nz |
> Catalyst Cloud: | This space intentionally left blank
> https://catalystcloud.nz |
>
--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
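
The staging-with-expiry approach described in the quoted reply (copy the key into the NFSROOT, let a cron job remove "expired" files), sketched as an added example; it is not code from either poster or from FAI. The `STAGE_DIR` path, the function names and the `<name>.expires` sidecar convention are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: stage a secret for a limited time, purge it once expired.
# STAGE_DIR and the "<name>.expires" sidecar convention are assumptions.
STAGE_DIR="${STAGE_DIR:-/srv/fai/nfsroot/var/tmp/secrets}"   # hypothetical path

# stage_secret SRC TTL_SECONDS [NOW]: copy SRC into STAGE_DIR, record expiry.
stage_secret() {
    src=$1; ttl=$2; now=${3:-$(date +%s)}
    [ -f "$src" ] || return 1
    name=$(basename "$src")
    old_umask=$(umask)
    umask 077                       # new files/dirs readable by owner only
    rc=0
    # Write the expiry first: a secret never exists without a deadline.
    mkdir -p "$STAGE_DIR" &&
        echo $((now + ttl)) > "$STAGE_DIR/$name.expires" &&
        cp "$src" "$STAGE_DIR/$name" || rc=1
    umask "$old_umask"
    return "$rc"
}

# purge_expired [NOW]: delete expired secrets, print how many were removed.
purge_expired() {
    now=${1:-$(date +%s)}; removed=0
    for f in "$STAGE_DIR"/*; do
        [ -f "$f" ] || continue
        case $f in *.expires) continue ;; esac
        exp=$(cat "$f.expires" 2>/dev/null) || exp=0
        # Missing or garbled sidecar: fail closed and treat as expired.
        case $exp in ''|*[!0-9]*) exp=0 ;; esac
        if [ "$now" -ge "$exp" ]; then
            rm -f "$f" "$f.expires"
            removed=$((removed + 1))
        fi
    done
    # Drop sidecars whose secret is already gone.
    for s in "$STAGE_DIR"/*.expires; do
        [ -f "$s" ] || continue
        [ -f "${s%.expires}" ] || rm -f "$s"
    done
    echo "$removed"
}

# Command-line use: "stage FILE TTL" by the admin, "purge" from cron.
case ${1:-} in
    stage) stage_secret "$2" "$3" ;;
    purge) purge_expired >/dev/null ;;
esac
```
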
More information about the linux-fai mailing list