Key management with AWS S3


Matthew Denton

Aug 23, 2016, 10:23:06 AM
to Puppet Users
Hey guys,

I was wondering if anyone has had success doing this? Currently, I have private keys being stored in my private repo. I'd like to make my code public but need to obviously do some scrubbing. I've heard of an implementation where you store your keys in a S3 bucket then use puppet to download the keys and use for config. I saw an s3 module but it required the keys to access the keys. Curious how some of you handle this!

Joseph Lorenzini

Aug 25, 2016, 9:24:23 AM
to Puppet Users
Hi Matthew,

I've actually been wrestling with a similar problem myself. So far the solution I like the best is the following:
  1. Use gpg encryption to encrypt the files on disk and then commit them into the VCS.
  2. Do NOT include the gpg private key or the passphrase for the key in the VCS (that would defeat the whole purpose, obviously).
  3. For automated deployments where a system requires access to the cleartext data, do either 1) use an out-of-band provisioning mechanism to push the key and passphrase to the node, decrypt the data, and then remove the key and passphrase; or 2) gpg does support unencrypted keys (less secure than two-factor but still reasonably robust), so you could just use that to encrypt the files and then just do a gpg import of the private key on the system that needs the ability to decrypt the file.
Note: depending on your security requirements you may need to use different keys to encrypt different files (one key to encrypt them all is a much bigger attack surface than one key per file, etc., but the complexity of key management becomes far greater).

Within that problem space, this tool looks really promising but i haven't had a chance to try it out yet.


Joe 
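The workflow Joe describes (encrypt with gpg, commit only the ciphertext, deliver the private key out of band, decrypt on the node, then remove the key) as a runnable script. This is an added example, not code from the thread or from any Puppet module; it assumes gpg 2.1+ on PATH, a passphrase-less key (Joe's option 2), and simulates the target node with a second GNUPGHOME directory on the same machine. The user id, file names and the sample secret are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): gpg-based "ciphertext in
# VCS, key delivered out of band, decrypt on node, then wipe the key".
# Assumptions: gpg 2.1+ installed; key has no passphrase; the "node" is a
# throwaway GNUPGHOME on this machine. Names below are illustrative only.
set -eu

# Developer side: create a passphrase-less key pair in its own keyring.
# $1 = GNUPGHOME directory, $2 = user id for the key
make_keypair() {
    mkdir -p "$1" && chmod 700 "$1"
    GNUPGHOME="$1" gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never >/dev/null 2>&1
}

# Developer side: encrypt a secret to the key. The ASCII-armored output is the
# only artifact that goes into the (public) repo. --trust-model always avoids
# the "key not certified" prompt that would otherwise block a --batch run.
# $1 = GNUPGHOME, $2 = recipient user id, $3 = plaintext path, $4 = ciphertext path
encrypt_secret() {
    GNUPGHOME="$1" gpg --batch --yes --trust-model always --armor \
        --recipient "$2" --output "$4" --encrypt "$3" 2>/dev/null
}

# Developer side: export the private key for out-of-band delivery (an admin
# scp, a provisioning-time secret, etc.). This file must never be committed;
# keeping it private is the whole scheme.
# $1 = GNUPGHOME, $2 = user id, $3 = output path
export_private_key() {
    GNUPGHOME="$1" gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --armor --output "$3" --export-secret-keys "$2" 2>/dev/null
}

# Node side: import the key into a fresh keyring, decrypt, then destroy the
# keyring (and its agent) so the private key does not linger on the box.
# $1 = node GNUPGHOME (fresh dir), $2 = private key path,
# $3 = ciphertext path, $4 = plaintext output path
node_decrypt() {
    mkdir -p "$1" && chmod 700 "$1"
    GNUPGHOME="$1" gpg --batch --yes --import "$2" 2>/dev/null
    GNUPGHOME="$1" gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --output "$4" --decrypt "$3" 2>/dev/null
    GNUPGHOME="$1" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$1"
}

# End-to-end check. Returns 0 only if the node recovers the exact secret,
# the committed artifact is armored ciphertext that does not leak the
# plaintext, and the node keyring holding the private key is gone afterwards.
roundtrip_check() {
    work=$(mktemp -d)
    uid="puppet-secrets (example, not a real key) <puppet@example.invalid>"
    # Constructed sample secret, e.g. Hiera data you would not want public.
    printf '%s\n' 'db_password: s3cr3t-example-value' > "$work/secrets.yaml"

    make_keypair "$work/dev" "$uid"
    encrypt_secret "$work/dev" "$uid" "$work/secrets.yaml" "$work/secrets.yaml.gpg"
    export_private_key "$work/dev" "$uid" "$work/privkey.asc"
    node_decrypt "$work/node" "$work/privkey.asc" "$work/secrets.yaml.gpg" "$work/secrets.out"

    rc=1
    if grep -q 'BEGIN PGP MESSAGE' "$work/secrets.yaml.gpg" \
       && ! grep -q 's3cr3t-example-value' "$work/secrets.yaml.gpg" \
       && cmp -s "$work/secrets.yaml" "$work/secrets.out" \
       && [ ! -d "$work/node" ]; then
        rc=0
    fi
    GNUPGHOME="$work/dev" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return $rc
}

roundtrip_check && echo "round trip OK: node recovered the secret and the key was removed"
```

In a real deployment the `encrypt_secret` output is what `git add` sees, `privkey.asc` travels over whatever out-of-band channel you trust, and `node_decrypt` is the step a provisioning hook runs before Puppet reads the cleartext. If you pick Joe's option 1 instead (a passphrase-protected key), replace the empty `--passphrase ''` with the passphrase delivered alongside the key and remove both when `node_decrypt` finishes.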