On Tue, 2014-06-17 at 09:07 -0400, Jeff Darcy wrote:
> > ----- Original Message -----
> > On Tue, Jun 17, 2014 at 12:39 AM, Jeff Darcy <jdarcy@xxxxxxxxxx> wrote:
> > > Unfortunately, *distributing* those keys and
> > > certificates securely is always going to be a bit of a problem.
> > >
> >
> > Well, as we had discussed, puppet-gluster could be an easy way to
> > solve this...
>
> How does puppet-gluster distribute those keys etc. *securely*? Are
> there techniques we could borrow for those who run GlusterFS without
> puppet?

Good question.

There are different options, depending on how much the puppet module
author cares about security, or his/her module... There are a few
possibilities:

* Use a technique similar to the one discussed here:
  https://ttboj.wordpress.com/2014/06/06/securely-managing-secrets-for-freeipa-with-puppet/
  Basically this amounts to local key generation on a server.

* Generate the private key yourself and store it in puppet. I think this
  is sort of a bad practice, but it's extremely common. Since puppet has
  root on your boxes anyways, you're already sort of p0wned, but I don't
  like to make the situation worse.

* Combination of distributed local key generation, plus secure partner
  exchange. Depending on your API, I'd probably go this route if it's
  possible. Basically each member would generate a key pair locally and
  exchange the public parts. Then they would use this cryptography to
  exchange individual private chunks to make up the key. Alternatively
  you could elect one master to generate the key instead of generating
  it in a distributed way.

Which reminds me, what about your interface/API?

Cheers,
James
_______________________________________________
Gluster-devel mailing list
Gluster-devel@xxxxxxxxxxx
http://supercolony.gluster.org/mailman/listinfo/gluster-devel
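The third option in James's reply (each member generates a key pair locally, exchanges the public parts, and then uses them to exchange private chunks that together make up the key), worked through as an added Go example that is not from the thread, from GlusterFS or from puppet-gluster. The message names no primitives, so this assumes X25519 for the pairwise exchange, AES-256-GCM to carry each chunk, and XOR followed by SHA-256 to combine the chunks into the final key; the function names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)
// pairAEAD: AES-256-GCM keyed from the X25519 secret shared by me and peer.
func pairAEAD(me *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := me.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(secret)      // hash the raw ECDH output before using it as a key
	block, _ := aes.NewCipher(k[:]) // 32-byte key: NewCipher cannot fail here
	return cipher.NewGCM(block)
}
// SealChunk encrypts my private chunk for peer; the random nonce is prefixed.
func SealChunk(me *ecdh.PrivateKey, peer *ecdh.PublicKey, chunk []byte) ([]byte, error) {
	gcm, err := pairAEAD(me, peer)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, chunk, nil), nil
}
// OpenChunk decrypts peer's chunk; tampering or a wrong key fails instead of yielding garbage.
func OpenChunk(me *ecdh.PrivateKey, peer *ecdh.PublicKey, box []byte) ([]byte, error) {
	gcm, err := pairAEAD(me, peer)
	if err != nil || len(box) < gcm.NonceSize() { // short-circuit keeps a nil gcm safe
		return nil, errors.New("bad peer key or truncated box")
	}
	return gcm.Open(nil, box[:gcm.NonceSize()], box[gcm.NonceSize():], nil)
}
// DeriveKey XORs all 32-byte chunks and hashes: order independent, random if any one chunk was.
func DeriveKey(chunks [][]byte) [32]byte {
	acc := make([]byte, 32)
	for _, c := range chunks {
		subtle.XORBytes(acc, acc, c) // dst and x overlap exactly, which XORBytes allows
	}
	return sha256.Sum256(acc)
}
```

Every member ends up with the same key without any single box (puppet master or otherwise) ever holding it in the clear, and a box that is truncated, modified or addressed to someone else fails authentication on open.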