Decide on hiera configfile encryption
Hi,
Micah and I talked about possible encryption of (i.e. openvpn server) keys in the hiera config. While we can store encrypted passwords with trocla (https://tech.immerda.ch/2011/12/trocla-get-hashed-passwords-out-of-puppet-manifests/), we can't do that with keyfiles, because trocla uses one-way, backend-specific encryption (shelluser-passwords, mysql) for passwords, that stay encrypted (i.e. in /etc/shadow).
For keyfiles, encrypting with gpg keys would be the solution.
One scenario could be:
- create a pw-protected admin gpg keypair, that the admin would use for creating new server keys
- create the ca keys
- encrypt the ca private key with the admin's gpg key
- when creating server keys, temporarily decrypt the ca private key, create the server keys, and put them into the server hiera config.
- push the hiera config to the server, and delete it on the deploy machine.
- there's a limited timeframe when the server keys lie unencrypted on the deploy machine
A more complex scenario would be:
1.-4. from above
5. create one pw-less gpg keypair per server
6. import public key on the deploy machine, move keypair to the server
7. encrypt the hiera file with the server key, push it (encrypt it with the admin's key too, so he can look into it)
8. server uses the hiera-gpg backend (extension) to look in gpg encrypted hiera files (see http://www.craigdunn.org/2011/10/secret-variables-in-puppet-with-hiera-and-gpg/)
I would prefer the second one, even though it's a bit more work to set up. The advantage is that the server's hiera config stays encrypted on the deploy machine, and the admin can investigate it using his gpg key.
Varac
kwadro wrote:
If 1-4 are the same, it sounds as if it's relatively easy to extend scenario 1 to scenario 2 if we have a free moment, is that correct? If so, I'd prefer to do that now, because I'm already having trouble keeping up with both architecture/design discussions and some tech stuff of implementations. If complexity rises (much) I'd have to re-evaluate which aspects of this project I should focus on. Another argument could be 'time'.
CouchDB wants, for a new user, to get the password in plain text in the config file; it then hashes it and rewrites the hash. I haven't figured out if I could do that manually.
kwadronaut.
(from redmine: created on 2012-08-14, relates #186)