We’ve been working with Balena for quite some time now and currently we are looking for a good option to share secrets like passwords, SSH private keys, SSL certificates, or other pieces of data between containers. With Docker Swarm there is the option of sharing secrets:
How could we achieve a similar thing with balena? I’ve looked at multiple options; one that was particularly interesting is Vault by HashiCorp.
I will have a closer look at Vault but it seems a bit overkill for our needs. Maybe we can strip it down to only expose the REST API.
We could maybe use keyring as well. But there we might have to write our own microservice.
What is your recommendation? Did anyone else come across this problem as well? How did you manage key rotation?
I am happy to hear about your solutions and we are willing to openly share what our conclusions are.
One interesting approach without adding unnecessary overheads (e.g. Vault) is to write them to a volume (or volumes) and share those volumes with the required containers. What I’ve done is have a microservice that pulls them down from Vault (using consul-template) and then mount them in other containers.
If security is a concern, then you could look at encryption.
I guess it depends a lot on what your attacker model is with respect to the secrets and what kind of secrets one wants to protect. For example, SSH private keys and SSL private keys could be handled by a service which allows using them, but not handing them out, for example ssh-agent or something similar to a PKCS#11 network proxy. If the secrets are encrypted at rest, how is the secret store unlocked? For example, if you use Vault, how would the device unseal the Vault server on startup? Would there be a local user interface for entering the secret information, or would the device contact a cloud service to fetch its specific unsealing secret? Would there be a dedicated HW device to unlock itself?
I’m asking these questions, because I have been thinking a lot about this problem, and the more use cases, constraints etc. we can collect, the better we can come up with a solution.
Please don’t take this as meaning we are already working on a solution for this; it is something that we are aware is missing from the platform, and we would love to have a good solution that is secure and fits a lot of use cases.
We implemented our own “Secure Secret Storage” solution in Go.
For encryption every secret blob gets encrypted with AES-256 using GCM.
The encryption passphrase will be derived from multiple internal measures. The key used to encrypt and decrypt the files will be generated using Argon2i.
We will probably not open source anything because it is a very custom solution. But if you have any questions feel free to ask.
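The sketch above (AES-256-GCM per blob, key derived from device measures) can be shown in working Go. This is an added example, not the poster's closed-source code: the measure values, the salt, the secret names and the function names are all constructed for illustration. One substitution is made on purpose so that the snippet builds with the standard library alone: where the post uses Argon2i (which lives in `golang.org/x/crypto/argon2`), this example derives the key with HKDF (RFC 5869 over HMAC-SHA256). That is only adequate when the measures already carry enough entropy; if any of them could be guessed or enumerated, a memory-hard KDF like Argon2i is the right choice and the `DeriveKey` body is the one place to swap it in.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const keyLen = 32 // AES-256

// DeriveKey builds the AES-256 key from a stored random salt and the device
// "measures" (whatever internal values the device can reproduce at boot).
// Assumption: the thread's solution uses Argon2i; this example substitutes
// HKDF (extract-then-expand over HMAC-SHA256) so it runs on the standard
// library alone. Use Argon2i here if the measures are low-entropy.
func DeriveKey(salt []byte, measures ...[]byte) []byte {
	// Length-prefix each measure so ("ab","c") and ("a","bc") do not collide.
	var ikm []byte
	for _, m := range measures {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(m)))
		ikm = append(ikm, n[:]...)
		ikm = append(ikm, m...)
	}
	// HKDF-Extract: PRK = HMAC-SHA256(salt, IKM)
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)
	// HKDF-Expand, first block only (32 bytes is exactly one SHA-256 output):
	// T(1) = HMAC-SHA256(PRK, info || 0x01)
	expand := hmac.New(sha256.New, prk)
	expand.Write([]byte("secret-store-v1 aes-256-gcm")) // info: domain separation
	expand.Write([]byte{1})
	return expand.Sum(nil)[:keyLen]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealSecret encrypts one secret blob. Layout: nonce || ciphertext || GCM tag.
// The secret's name is bound as associated data, so a blob stored under
// "ssh-key" cannot be re-labelled and opened as "tls-cert".
func SealSecret(key []byte, name string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // 12 bytes, fresh per blob
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// OpenSecret reverses SealSecret. Any bit flip in nonce, ciphertext or tag,
// a different name, or a key derived from different measures fails the tag check.
func OpenSecret(key []byte, name string, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(name))
}

func main() {
	// The salt is random, stored next to the blobs, and not secret.
	salt := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		panic(err)
	}
	// Constructed measures: stand-ins for real device-specific values.
	key := DeriveKey(salt, []byte("board-serial:0000-demo"), []byte("fw-hash:deadbeef"))
	blob, err := SealSecret(key, "ssh-key", []byte("demo secret"))
	if err != nil {
		panic(err)
	}
	pt, err := OpenSecret(key, "ssh-key", blob)
	fmt.Printf("open as ssh-key: %q err=%v\n", pt, err)
	_, err = OpenSecret(key, "tls-cert", blob)
	fmt.Println("open as tls-cert:", err)
}
```

Two details worth keeping if you adapt this: the per-blob random nonce means the same derived key can safely seal many files, and the name-as-AAD binding is what stops an attacker with write access to the volume from shuffling blobs between consumers.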
That sounds awesome! The key point here is probably the passphrase derivation from multiple internal measures, since that is the important point: gathering enough entropy and making these measurements not easily reproducible.