[tor-bugs] #30009 [Internal Services/Tor Sysadmin Team]: consider trocla for secrets management in puppet

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Apr 3 20:36:13 UTC 2019


#30009: consider trocla for secrets management in puppet
-----------------------------------------------------+-----------------
     Reporter:  anarcat                              |      Owner:  tpa
         Type:  project                              |     Status:  new
     Priority:  Low                                  |  Milestone:
    Component:  Internal Services/Tor Sysadmin Team  |    Version:
     Severity:  Major                                |   Keywords:
Actual Points:                                       |  Parent ID:
       Points:                                       |   Reviewer:
      Sponsor:                                       |
-----------------------------------------------------+-----------------
 Secrets generated by Puppet currently use a custom HKDF function that is
 homegrown. The ad-hoc standard for this in the Puppet community I'm
 usually working with is [https://github.com/duritong/trocla trocla], which
 is [https://github.com/duritong/puppet-trocla well integrated with
 Puppet].

 Trocla generates, on the fly, a strong random password for each key you
 ask it for. It also supports various hashing mechanisms (bcrypt, pgsql, x509,
 etc.) so that the Puppet client never actually sees the cleartext. It seems
 like a better approach than sending the cleartext like we currently do.

 So I'd like to start using this for new code and possibly convert existing
 code to this, if that's acceptable.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30009>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
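The workflow the ticket describes (a per-key password generated on first use, persisted, and handed out only in a hashed format) as a small added model in Ruby. This is illustrative code written for this archive page, not trocla's own implementation nor the Tor sysadmin Puppet code; the class name, the in-memory store and the `username` option for the pgsql format are assumptions.

```ruby
require 'securerandom'
require 'digest'

# Minimal model of the trocla approach (assumed, not trocla's code):
# a key -> secret store where the cleartext is generated on first use
# and callers receive only the requested format (e.g. a pgsql md5 hash),
# so a Puppet catalog never has to carry the cleartext.
class SecretStore
  def initialize(length: 32)
    @length = length
    @store = {} # key => { 'plain' => ..., 'pgsql' => ... }; real trocla persists this
  end

  # Return the secret for +key+ in +format+, generating the cleartext on first use.
  # Repeated calls return the same value, so Puppet runs stay idempotent.
  def password(key, format, options = {})
    entry = (@store[key] ||= {})
    entry['plain'] ||= SecureRandom.alphanumeric(@length)
    entry[format] ||= render(entry['plain'], format, options)
  end

  # Read-only lookup: nil if the key or format was never generated.
  def get_password(key, format)
    @store.dig(key, format)
  end

  # Drop one format, or the whole key when format is nil (forces regeneration).
  def delete_password(key, format = nil)
    format ? @store.fetch(key, {}).delete(format) : @store.delete(key)
  end

  private

  # Derive the non-cleartext representation handed to the client.
  def render(plain, format, options)
    case format
    when 'plain'
      plain
    when 'pgsql'
      # PostgreSQL's legacy md5 scheme: "md5" + md5(password + username)
      user = options.fetch('username') { raise ArgumentError, 'pgsql needs username' }
      'md5' + Digest::MD5.hexdigest(plain + user)
    else
      raise ArgumentError, "unsupported format #{format}"
    end
  end
end
```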