Our own Alex Schoof spoke at Velocity EU 2015 in Amsterdam on managing secrets at scale in the cloud. It was a highly rated talk that earned a write-up in InfoQ. Alex will be presenting this talk at tonight’s DevOps DC Meetup in Arlington, VA.
You can view the slides from his talk on SlideShare and view his talk on Vimeo below:
ORIGINAL POST
Modern systems are full of secrets. There are secrets we think about all the time, like private keys for SSL certificates or the password for the prod database, and there are secrets that we ignore or forget, like the secret used to generate HMACs for session cookies.
All these secrets present management hurdles:
- They need to be safely and securely distributed to servers that need them.
- They must have some kind of access control to let us decide who can and who cannot use them.
- We need some mechanism to revoke and rotate them, either due to a compromise, or just because they’re getting old.
As applications move from the laptop into the cloud (or data center), these issues are usually not considered. Too often we just leave SCP keys around our environments, or bake them into the deployment image. Haphazard management of keys can lead to management headaches at best, and compromise at worst.
If you'll be attending (or watching videos from) Velocity EU, be sure to listen to the talk by our very own Alex Schoof, Principal Engineer of Fugue. For those in Amsterdam, mark your calendar for Friday, October 30th at 1:45 pm.
In Alex's session, you will take a step back and look at secrets management as an integral part of your environment. Alex will talk about what actually needs to be protected, and what we are protecting against. Using and managing secrets requires a set of operations that are useful to both applications and operators. He will also talk about the lifecycle of secrets, and how building mechanisms to allow for the easy aging-out of keys makes management easier.
These issues will be discussed both at the architectural and the practical level, including looking at the core functionality needed by these systems, how to build them, and some existing open source systems that help make secrets management easier, including Alex's own project: Credstash.
We introduced you to Credstash in April and this month, it surpassed 10,000 downloads on PyPI.
Credstash is a very simple, easy-to-use credential management and distribution system that uses:
-
AWS Key Management System (KMS) for key wrapping and master key storage, and
-
DynamoDB for credential storage and sharing.
Check out the code at https://github.com/LuminalOSS/credstash and follow the directions to set up Credstash.
If you haven't gotten your tickets yet for Velocity EU, use Alex's code 'SPEAKER20' for 20% off. See you in Amsterdam!
.png?width=36&height=36&name=linkedin%20(1).png){kind=small}
.png?width=36&height=36&name=twitter%20(1).png){kind=small}
