Key Rotation Strategies
Mike Youngstrom <youngm@...>
On Thu, Jun 11, 2015 at 12:33 PM, CF Runtime <cfruntime(a)gmail.com> wrote:
> as well as info on other keys that need attention.

That is a good question. Looking through a manifest it is difficult to pick out which keys/passwords should be rotated. A quick perusal found these candidates:

* UAA/CC DB passwords can probably be rotated without issue.
* Might initially think Nats should be rotated. However, since etcd isn't even password protected we're probably ok relying on network firewall for nats and etcd.
* cc.bulk_api_password should probably be rotated and could cause downtime if the components that rely upon it don't have their config changed the exact same time the CC is changed
* doppler_endpoint.shared_secret will probably cause the loss of messages if rotated
* uaa.cc.token_secret would probably cause everyone to get logged out right? Probably not optimal.
* uaa.cc.client_secret might cause connectivity issues between UAA and CC while rotating could cause some downtime

Any others?

Mike
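The logout concern raised above for uaa.cc.token_secret is the general problem of replacing a signing secret with no overlap period. As an added example (not from this thread, and not a description of how UAA or the Cloud Controller behave), the Python below shows the usual overlap pattern: new tokens are signed with the new key while tokens signed with the old key still verify until a grace window ends. The class name `SigningKeyRing`, the key ids and the secrets are hypothetical, constructed values.

```python
import hashlib
import hmac
import time


class SigningKeyRing:
    """Hypothetical key ring: key id -> (secret, retire_after or None)."""

    def __init__(self, key_id, secret):
        self.keys = {key_id: (secret, None)}
        self.current = key_id

    def rotate(self, new_id, new_secret, grace_seconds, now=None):
        """Sign with new_id from now on; keep the old key for verification only."""
        now = time.time() if now is None else now
        old_secret, _ = self.keys[self.current]
        self.keys[self.current] = (old_secret, now + grace_seconds)
        self.keys[new_id] = (new_secret, None)
        self.current = new_id

    def sign(self, payload: bytes) -> str:
        secret, _ = self.keys[self.current]
        mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
        # The key id travels with the token so the verifier can pick the key.
        return f"{self.current}.{payload.hex()}.{mac}"

    def verify(self, token: str, now=None):
        """Return the payload if the MAC is valid and the key is not retired."""
        now = time.time() if now is None else now
        try:
            key_id, payload_hex, mac = token.split(".")
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return None  # malformed token
        entry = self.keys.get(key_id)
        if entry is None:
            return None  # unknown key id
        secret, retire_after = entry
        if retire_after is not None and now > retire_after:
            return None  # old key's grace window has ended
        expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(expected.encode(), mac.encode())
        return payload if ok else None
```

Setting the grace window to the maximum token lifetime lets every token issued under the old key expire naturally before that key stops verifying.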
CF Runtime
There is currently no way for users to rotate the cc.db_encryption_key. We're going to schedule some work to look into ways to solve the problem without downtime. Any input would be great, as well as info on other keys that need attention.

Joseph Palermo
CF Runtime Team

On Thu, Jun 11, 2015 at 10:44 AM, Christopher B Ferris <chrisfer(a)us.ibm.com> wrote:
> We are also very interested in pursuing this capability.
Christopher B Ferris <chrisfer@...>
We are also very interested in pursuing this capability.

Cheers,

Christopher Ferris
IBM Distinguished Engineer, CTO Open Cloud
IBM Software Group, Open Technologies
email: chrisfer(a)us.ibm.com
twitter: @christo4ferris
blog: http://thoughtsoncloud.com/index.php/author/cferris/
phone: +1 508 667 0402

From: Mike Youngstrom <youngm(a)gmail.com>
To: CF Developers Mailing List <cf-dev(a)lists.cloudfoundry.org>
Date: 06/11/2015 01:31 PM
Subject: [cf-dev] Key Rotation Strategies
Sent by: cf-dev-bounces(a)lists.cloudfoundry.org

> There are a lot of Keys in my CF deployment manifest. I'd like to be able to rotate them. Most of the keys I could probably just change in a deployment but would cause some downtime or a service disruption. Others like "cc.db_encryption_key" I have no idea how I'd rotate.
>
> Any thoughts on key rotation for a CF deployment?
>
> Mike
Mike Youngstrom <youngm@...>
There are a lot of Keys in my CF deployment manifest. I'd like to be able to rotate them. Most of the keys I could probably just change in a deployment but would cause some downtime or a service disruption. Others like "cc.db_encryption_key" I have no idea how I'd rotate.

Any thoughts on key rotation for a CF deployment?

Mike