Comments (2)
russell-lewis
commented on August 16, 2024
Provided your passphrase is strong, I don't see the value in double encrypting the private key. However, if you really wanted to, you could already do just that.
Take a look at:
https://github.com/Netflix/bless/blob/master/README.md#protecting-the-ca-private-key
The last paragraph describes how you can compress your RSA 4096 key to fit in a lambda environment variable. You can then enable KMS encrypted environment variables, and that should give you effectively the same result.
from bless.
mbonnafon
commented on August 16, 2024
It seems that Lambda uses two mechanisms to encrypt environment variables with KMS. The encrypt at rest, which encrypts data after it has been uploaded (not our concern). The second one is encrypt in transit (the checkbox), this will encrypt the data when you click on the button, however, you need to decrypt with the code in the Lambda.
In our process we work hard to have infrastructure as code, so the lambda is set up with Terraform. In this case, the private key is viewable. In our company, the CA must be encrypted to be usable.
Adding a boolean like ca_private_key_encrypted which will trigger the decrypt-kms would be a useful feature. This wouldn't change anything to the existing and would offer additional possibilities for those with higher security needs.
from bless.
Related Issues (20)
- Is Marshmellow<3 required to function? HOT 4
- Invalid Key length when using gpg-agent
- Is this project still under development HOT 1
- Ability to sign SSH certificate with SHA2 HOT 4
- hope
- Nonstandard SSH port HOT 1
- Add optional parameters HOT 3
- Optional parameter [kmsauth token] cannot be passed in HOT 3
- Are you guys aware of anything similar to this for Google Cloud Platform? HOT 2
- How has to be the kmsauth token created? HOT 1
- Amazonlinux make bug HOT 2
- Unable to login with the cert got from lambda function HOT 1
- make test fails on deprecated warnings [linting] HOT 5
- document `-m PEM` option to ssh-keygen
- .travis.yml: The 'sudo' tag is now deprecated in Travis CI
- Authorization with BLESS? HOT 1
- Support authentication with OpenID Connect HOT 4
- How to make the bastion transparent for users
- Potential dependency conflicts between bless and boto3 HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from bless.