[NZLUG] Key Management Service

Guy K. Kloss guy at kloss.nz
Wed Jul 20 09:17:40 NZST 2016

Hi all,

On 19/07/16 16:45, Jim Cheetham wrote:
> Wouldn't standard system configuration marshalling software help you
> to do that OK? Salt, Ansible, Puppet etc?

Yes, I've been considering Ansible for this purpose as well, as we're
doing the provisioning through it. However, the way we use it, it would
only take an active role in the initial setup of the keys, but not
aid in maintaining them over their lifetime, nor in renewing them
once their TTL is up.

> The workflow (TTL, revocation, etc) would be something you'd have to
> specify yourself, but these tools would do all the work on the remote
> systems. I haven't heard of anything in the standard open space that
> does that though. Unless monkeysphere would work?

That was pretty much my finding so far. Will have to see what
monkeysphere is and could do, though.

> Salt specifically has a very mature non-ssh protocol (0MQ-based) for
> instructing machines, which removes the inception-like nature of
> trying to install and manage ssh keys over ssh itself.

I know Salt, and I do know (even almost love) ZeroMQ. Very cool stuff.
Though I'm a bit more favourable towards Ansible. But see above for my
reasoning why it's not quite the tool we're looking for here.

> Back in Enterprise space, there are products that manage things; we
> like the look of CyberArk's Vault,
> http://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/

I've had a look at Vault, and think it's somewhere in the right
direction. Though I've had the feeling it was a single-host-only
solution, from reading the documentation (yesterday's research). Though
I might be wrong and missing something that they haven't stated explicitly.

Maybe the new "Vault Enterprise" will have the networked capability,
which is not offered by the open source community edition.

I'll have a look.


----> µ wisdom brought to you by Guy K. Kloss <----
"Where would we end up,
if everyone said         | ... guy at kloss.nz ...
'where would we end up?' | Phone:  +64-9-550 8499
and nobody set out       | Mobile: +64-210 2323 715
to see
where we would end up"
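The point made in this exchange is that Ansible, Salt or Puppet will happily push an authorized_keys file to every host, but the TTL, renewal and revocation workflow is logic you have to write yourself. Below is an added example of what that bookkeeping looks like; it is not code from this thread or from any of the tools named in it. It keeps an inventory of keys with an issue time and a TTL, drops expired and revoked keys from the rendered authorized_keys content (which the config-management tool would then distribute), and flags keys that are due for renewal before they lapse. All owners, dates and key blobs are constructed placeholders, and the thirty-day renewal lead time is an assumed policy value.

```python
"""Key-lifecycle bookkeeping for SSH keys pushed by configuration management.

Added example, not from the original thread or from Ansible/Salt/Puppet.
It keeps a small inventory of SSH public keys with an issue time and a TTL,
flags the ones due for renewal, drops revoked and expired ones, and renders
the authorized_keys file that the config-management tool would push to hosts.
All key material, owners and dates are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List


@dataclass
class ManagedKey:
    owner: str
    pubkey: str            # "<type> <base64>" as it appears in authorized_keys
    issued: datetime
    ttl: timedelta
    revoked: bool = False

    @property
    def expires(self) -> datetime:
        return self.issued + self.ttl

    def is_valid(self, now: datetime) -> bool:
        """Revocation always wins; otherwise the key lives until its TTL is up."""
        return not self.revoked and now < self.expires

    def needs_renewal(self, now: datetime, lead: timedelta) -> bool:
        """Flag a key before it expires so the host never ends up keyless."""
        return self.is_valid(now) and now >= self.expires - lead


def render_authorized_keys(keys: Iterable[ManagedKey], now: datetime) -> str:
    """Only currently valid keys reach the host; expired and revoked ones vanish."""
    lines = [f"{k.pubkey} {k.owner}"
             for k in sorted(keys, key=lambda k: k.owner) if k.is_valid(now)]
    return "".join(line + "\n" for line in lines)


def renewal_queue(keys: Iterable[ManagedKey], now: datetime,
                  lead: timedelta = timedelta(days=30)) -> List[str]:
    """Owners whose keys must be re-issued within `lead` (assumed policy: 30 days)."""
    return sorted(k.owner for k in keys if k.needs_renewal(now, lead))


def revoke(keys: Iterable[ManagedKey], owner: str) -> int:
    """Mark every key of `owner` revoked; returns how many keys were affected."""
    n = 0
    for k in keys:
        if k.owner == owner and not k.revoked:
            k.revoked = True
            n += 1
    return n


def run_example(now: datetime = datetime(2016, 7, 20, tzinfo=timezone.utc)) -> Dict[str, object]:
    # Constructed inventory: the base64 blobs are placeholders, not real keys.
    day = timedelta(days=1)
    utc = timezone.utc
    keys = [
        ManagedKey("alice", "ssh-ed25519 AAAAexampleAlice",
                   datetime(2016, 1, 1, tzinfo=utc), 365 * day),   # fine until 2016-12-31
        ManagedKey("bob", "ssh-ed25519 AAAAexampleBob",
                   datetime(2016, 5, 1, tzinfo=utc), 90 * day),    # expires 2016-07-30: renew
        ManagedKey("carol", "ssh-ed25519 AAAAexampleCarol",
                   datetime(2016, 1, 1, tzinfo=utc), 90 * day),    # expired 2016-03-31: drop
        ManagedKey("dave", "ssh-ed25519 AAAAexampleDave",
                   datetime(2016, 7, 1, tzinfo=utc), 365 * day),
    ]
    revoke(keys, "dave")   # dave left; his key must not wait for its TTL to run out
    return {
        "valid": sorted(k.owner for k in keys if k.is_valid(now)),
        "renew": renewal_queue(keys, now),
        "authorized_keys": render_authorized_keys(keys, now),
    }


if __name__ == "__main__":
    result = run_example()
    print("due for renewal:", result["renew"])
    print(result["authorized_keys"], end="")
```

The rendered string is what you would hand to the config-management tool as the desired state of each host's authorized_keys; re-running the render after every change to the inventory (and on a schedule driven by the renewal queue) is the part none of the tools supply on their own.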
