Right way to spread secret keys between microservices
-
23-12-2020 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I have a few services that sign some data with an asymmetric cryptography algorithm (like RSA). I need to spread some secret (private) keys between all instances of the service.
I've found a few ways to do that:
- Share keys as configuration (looks insecure when I need to spread private keys)
- Embed keys into apps/images when it's build (what if I need different keys? Would it complicate build automation?)
- Use some special key management service (what service?)
Is there a right way (or devops-way) to spread secret keys between microservices without compromises in security or automation?
Solution
If you're not using a build server then the simplest option is to put it in the config files. This way they're not embedded in source control. Think of database passwords, these are "private keys" too at the end of the day, and are commonly stored in config files. They aren't directly readable by a hacker either, unless they have access to your server -- in which case you'd have bigger problems than losing the private keys anyways
OTHER TIPS
If you use some kind of service orchestration tool like Kubernetes it's easier: Kubernetes helps you mount secrets into containers savely:
