Re: Questions on credential rotation

Dan Jahner

Hey Bernd,

I am the product manager of CredHub. We view our project as being part of
the 'rotate' component of Justin's vision. Repave is focused on recreating
instances to a known-good state, which is something outside of our area of

The current roadmap for CredHub is focused on pulling credentials into our
system; specifically BOSH deployment and service credentials, later
application credentials. Once we have a solid footing for storing and
managing access to these credentials, we plan to explore what possibilities
exist for reducing the friction of credential rotation.

Although I haven't spent a long time investigating, I would agree with your
characterization of the 3 classes of credentials. I think there is
overwhelming agreement that all components should allow credential rotation
without downtime, where possible, so I would expect it is on many teams'
radar. If not, I am happy to start conversations once we get to that phase
of our project.


On Thu, May 4, 2017 at 6:32 AM Krannich, Bernd <bernd.krannich(a)>

Hello all,

We love Justin Smith’s approach of “Rotate, Repair, Repave” [1] when it
comes to security. Looking at how the “Rotate” aspect is handled in Cloud
Foundry and other BOSH deployments today, we think there’s currently three
classes of credentials:

1. Credentials that can be rotated by updating them and doing a
`bosh deploy` with zero downtime

2. Credentials that can be rotated by updating them and doing a
`bosh deploy` involving a downtime [2]

3. Credentials that cannot be rotated easily at all [3]

A couple of questions here:

· Is the above summary accurate?

· For updates involving a downtime, the only naïve solution I
could come up with is to support two sets of credentials during the
transition. Are there any more strategies?

· Are there any efforts to turn credentials falling under #2 and
#3 into ones that can be updated without downtime?

· CredHub [4] seems to be geared in the direction of “repave”. Is
this the case and does this maybe even support work on the previous bullet?

Thanks in advance,



[2] might
be a good example

[3] might
be a good example


*Bernd Krannich*

SAP Cloud Platform


Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany

E bernd.krannich(a)
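The "two sets of credentials during the transition" strategy from Bernd's second question, worked through as an added example (not code from CredHub, BOSH or anyone on the thread; `CredentialSlot`, `Consumer` and `rotate_without_downtime` are assumed names): the verifier accepts the old and new secret for an overlap window, consumers are redeployed one at a time, and the old secret is retired only once every consumer has cut over.

```python
"""Zero-downtime rotation of a shared secret via a two-credential overlap.
Added illustration; class and function names are assumptions."""
import hmac
import secrets
from typing import List, Optional


class CredentialSlot:
    """Server-side view of one principal's secret: the current value and,
    only while a rotation is in flight, the previous value."""

    def __init__(self, secret: str) -> None:
        self.current = secret
        self.previous: Optional[str] = None

    def verify(self, presented: str) -> bool:
        """Constant-time comparison against every currently accepted secret."""
        accepted = [self.current] + ([self.previous] if self.previous else [])
        return any(hmac.compare_digest(presented, s) for s in accepted)

    def begin_rotation(self) -> str:
        """Phase 1: mint a new secret and accept both old and new.
        Refuses to start if an earlier rotation was never finished."""
        if self.previous is not None:
            raise RuntimeError("rotation in progress; retire the old secret first")
        self.previous, self.current = self.current, secrets.token_urlsafe(32)
        return self.current

    def finish_rotation(self) -> None:
        """Phase 3: stop accepting the old secret once every consumer has moved."""
        self.previous = None


class Consumer:
    """A client holding a copy of the secret; redeploying it (for example
    with `bosh deploy`) swaps the value it presents."""

    def __init__(self, secret: str) -> None:
        self.secret = secret


def rotate_without_downtime(server: CredentialSlot, consumers: List[Consumer]) -> bool:
    """Run the three phases; return False if any consumer would be rejected."""
    new_secret = server.begin_rotation()          # phase 1: overlap window opens
    for c in consumers:                            # phase 2: cut consumers over one by one
        if not server.verify(c.secret):            # still on the old secret, still accepted
            return False
        c.secret = new_secret
        if not server.verify(c.secret):
            return False
    server.finish_rotation()                       # phase 3: old secret retired
    return all(server.verify(c.secret) for c in consumers)
```

The constant-time check in `verify` matters because during the overlap window the server compares every presented credential against two values, and a timing difference would leak which one matched.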

