Changing CF Encryption Keys (was Re: Re: Re: Re: Cloud Controller - s3 encryption for droplets)


Sandy Cash Jr <lhcash@...>
 

Hi,

I'm not sure what strategies exist either. This same topic came up
partially in the context of my resubmitted FIPS proposal, and I was curious
- is it worth creating an issue (or even a separate feature
proposal/blueprint) for tooling to rotate encryption keys? It's nontrivial
(unless there is tooling about which I am unaware) to do, and a good
solution in this space would IMHO fill a significant operational need.

Thoughts?

-Sandy


--
Sandy Cash
Certified Senior IT Architect/Senior SW Engineer
IBM BlueMix
lhcash(a)us.ibm.com
(919) 543-0209

"I skate to where the puck is going to be, not to where it has been.” -
Wayne Gretzky



From: Dieu Cao <dcao(a)pivotal.io>
To: "Discussions about Cloud Foundry projects and the system
overall." <cf-dev(a)lists.cloudfoundry.org>
Date: 11/12/2015 02:19 PM
Subject: [cf-dev] Re: Re: Re: Cloud Controller - s3 encryption for
droplets



Hi William,

Thanks for the links.
We don't have support for client side encryption currently.
Cloud Controller and Diego's blobstore clients would need to be modified to
encrypt and decrypt for client side encryption and I'm not clear what
strategies exist for rotation of keys in these scenarios.

If you're very interested in this feature and are open to working through
requirements with me and submitting a PR, please open up an issue on github
and we can discuss this further.

-Dieu

On Tue, Nov 10, 2015 at 4:16 PM, William C Penrod <wcpenrod(a)gmail.com>
wrote:
I first ran across it here:
http://cloudfoundryjp.github.io/docs/running/bosh/components/blobstore.html


and checked here for additional info:
https://github.com/cloudfoundry/bosh/blob/master/blobstore_client/lib/blobstore_client/s3_blobstore_client.rb

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.