Skip to content
GitLab
Closed
Created by anarcat@anarcatOwner4 of 4 tasks completed4/4 tasks

replace hkdf with trocla for secrets management in puppet

secrets generated by puppet currently use a custom hkdf function that is homegrown. the ad-hoc standard for this in the puppet community i'm usually working with is trocla which is well integrated with puppet.

Trocla generates, on the fly, a strong random password for each key you ask it. It also supports various hashing mechanisms (bcrypt, pgsql, x509, etc) so that the Puppet client never actually sees the cleartext. It seems like a better approach than sending the cleartext like we currently do.

So I'd like to start using this for new code and possibly convert existing code to this, if that's acceptable.

next steps:

  • test trocla
  • replace hkdf() calls with trocla
  • remove hkdf() source code
  • remove the puppet secret used by hkdf() (/etc/puppet/secret)
Edited by anarcat
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information