Opened 5 months ago

Last modified 5 months ago

#30009 assigned project

consider trocla for secrets management in puppet

Reported by: anarcat
Owned by: anarcat
Priority: Low
Milestone:
Component: Internal Services/Tor Sysadmin Team
Version:
Severity: Major
Keywords:
Cc:
Actual Points:
Parent ID: #29387
Points:
Reviewer:
Sponsor:


Secrets generated by puppet currently use a custom hkdf function that is homegrown. The ad-hoc standard for this in the puppet community I'm usually working with is trocla, which is well integrated with puppet.

Trocla generates, on the fly, a strong random password for each key you ask it. It also supports various hashing mechanisms (bcrypt, pgsql, x509, etc) so that the Puppet client never actually sees the cleartext. It seems like a better approach than sending the cleartext like we currently do.

So I'd like to start using this for new code and possibly convert existing code to this, if that's acceptable.
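As an added illustration of the property described above (a key's cleartext is generated once, and a client asking for a hashed format never receives it), here is a small Ruby model of that behaviour. It is not trocla's own code: it keeps secrets in memory instead of trocla's backends and supports only the `plain` and `pgsql` formats, the latter being PostgreSQL's legacy `md5(password + username)` scheme.

```ruby
# Minimal model of a trocla-style secret store (added example, not trocla's code).
# A key names one secret. Its cleartext is generated with a CSPRNG on first use,
# and each requested format is derived from that cleartext and cached, so a
# catalog that only asks for the 'pgsql' form never sees the cleartext.
require 'securerandom'
require 'digest'

class SecretStore
  ALPHABET = [*'a'..'z', *'A'..'Z', *'0'..'9'].freeze

  def initialize(length: 32)
    @length = length
    @store  = Hash.new { |h, k| h[k] = {} } # key => { format => rendered value }
  end

  # Return the secret for `key` rendered in `format`, creating it if absent.
  # Repeated calls with the same key and format return the same value.
  def password(key, format, options = {})
    @store[key][format] ||= render(plain(key), format, options)
  end

  # The cleartext exists exactly once per key and is never regenerated.
  def plain(key)
    @store[key]['plain'] ||=
      Array.new(@length) { ALPHABET[SecureRandom.random_number(ALPHABET.size)] }.join
  end

  # Formats that have been materialised for `key` so far.
  def formats(key)
    @store.key?(key) ? @store[key].keys : []
  end

  private

  def render(cleartext, format, options)
    case format
    when 'plain' then cleartext
    when 'pgsql'
      # PostgreSQL's legacy storage format: "md5" + hex(md5(password + username))
      user = options.fetch('username') { raise ArgumentError, 'pgsql format needs a username' }
      'md5' + Digest::MD5.hexdigest(cleartext + user)
    else
      raise ArgumentError, "unsupported format #{format}"
    end
  end
end
```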

Child Tickets

Change History (1)

comment:1 Changed 5 months ago by anarcat

Owner: changed from tpa to anarcat
Parent ID: #29387
Status: new → assigned

This is part of the larger question of how to publish our repository, as I believe that using (and contributing to) a module commonly used by the community (trocla) is more in line with the sharing approach than the current implementation that is custom-made for TPO.
