authstore-gpg

authstore

Background

In a distributed system it is necessary to distribute credentials in a safe and controlled fashion. Credentials, while technically part of configuration, are best handled separately to avoid polluting the configuration repository with sensitive information (which then must be encrypted individually).

AuthStore provides an API to retrieve credentials from a centralized store, keeping them separate from the configuration repository.

Trust is established on a per-machine basis, with the condition that offline access to the machine (by acquiring its disks, for example) must not be sufficient to establish trust: a machine is trusted only while it is powered on.

The implementation makes the following assumptions:

  • that the credentials dataset is small
  • that the rate of change of individual credential entries is low

The data store is abstracted as a file system containing GPG-encrypted entries. On input, entries are encrypted to the AuthStore public GPG key. When a request is made through the API, the response is encrypted to the requesting machine's public GPG key. Maintaining the association between machines and keys is left to the admin (in most cases a machine database is already available, or the keyring can simply be maintained by hand).

The operational model requires manual intervention from the administrator upon restart of a machine (to load or decrypt the machine key), or of the AuthStore service itself. The AuthStore private key is loaded manually into the server at runtime, and can be safely stored offline.