The Tor Project / TPA / TPA team · Issues · #30009
Closed
Created Apr 03, 2019 by anarcat (Owner) · 4 of 4 tasks completed

replace hkdf with trocla for secrets management in puppet

Secrets generated by Puppet currently use a custom hkdf function that is homegrown. The ad-hoc standard for this in the Puppet community I'm usually working with is trocla, which is well integrated with Puppet.

Trocla generates, on the fly, a strong random password for each key you ask it. It also supports various hashing mechanisms (bcrypt, pgsql, x509, etc.) so that the Puppet client never actually sees the cleartext. It seems like a better approach than sending the cleartext like we currently do.

So I'd like to start using this for new code and possibly convert existing code to this, if that's acceptable.

Next steps:

  • [x] test trocla
  • [x] replace hkdf() calls with trocla
  • [x] remove hkdf() source code
  • [x] remove the puppet secret used by hkdf() (/etc/puppet/secret)
Edited Jun 14, 2021 by anarcat
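The pattern the issue proposes, as an added example that is not code from the TPA issue, from the TPA Puppet repository or from the trocla project itself. It is a hypothetical manifest: the key name, the `example_db` and `example_app` services and their config paths are assumptions for illustration. The only trocla call used is `trocla($key, $format)` from the puppet-trocla module; the two file resources would normally live in the catalogs of two different nodes and are shown side by side only to make the contrast visible.

```puppet
# Added example, not code from the TPA issue or from trocla itself.
# Hypothetical manifest; key name, services and paths are assumptions.

# A stable, unique key. trocla generates a random password on the
# puppetserver the first time a key is requested and returns the same
# secret on every later run, so the key must not change between runs.
$key = "example_db_${facts['networking']['fqdn']}"

# The node that only has to *verify* the password receives a bcrypt hash.
# The hash is computed on the puppetserver; the cleartext never enters this
# node's catalog, which is the improvement over shipping hkdf() output.
$db_password_hash = trocla($key, 'bcrypt')

file { '/etc/example_db/users.conf':
  ensure  => file,
  owner   => 'root',
  group   => 'example_db',
  mode    => '0640',
  content => "app:${db_password_hash}\n",
}

# The node that has to *present* the password still needs the cleartext,
# obtained with the 'plain' format. Wrapping it in Sensitive keeps it out of
# agent reports and --noop diffs; show_diff => false keeps it out of logs.
$db_password = Sensitive(trocla($key, 'plain'))

file { '/etc/example_app/db.conf':
  ensure    => file,
  owner     => 'root',
  group     => 'example_app',
  mode      => '0640',
  content   => Sensitive("password=${db_password.unwrap}\n"),
  show_diff => false,
}
```

The security gain is exactly the one the issue names: a node that only stores a verifier (the database server here) gets a hash and cannot recover the secret, whereas with a shared hkdf() secret every node holding /etc/puppet/secret could derive every password. The cleartext still travels in the catalog of whichever node calls `trocla($key, 'plain')`, so that node's catalog and the puppetserver's trocla backend remain the places to protect.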