Skip to content

GitLab

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Open
Opened by anarcat@anarcat😱Owner1 of 4 tasks completed1/4 tasks

replace hkdf with trocla for secrets management in puppet

secrets generated by puppet currently use a custom hkdf function that is homegrown. the ad-hoc standard for this in the puppet community i'm usually working with is trocla which is well integrated with puppet.

Trocla generates, on the fly, a strong random password for each key you ask it. It also supports various hashing mechanisms (bcrypt, pgsql, x509, etc) so that the Puppet client never actually sees the cleartext. It seems like a better approach than sending the cleartext like we currently do.

So I'd like to start using this for new code and possibly convert existing code to this, if that's acceptable.

next steps:

  • test trocla
  • replace hkdf() calls with trocla
  • remove hkdf() source code
  • remove the puppet secret used by hkdf() (/etc/puppet/secret)
Edited by anarcat
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information