Key Rotation Strategies


Mike Youngstrom
 

There are a lot of keys in my CF deployment manifest. I'd like to be able
to rotate them. Most of the keys I could probably just change in a
deployment, but that would cause some downtime or a service disruption. Others,
like "cc.db_encryption_key", I have no idea how I'd rotate.

Any thoughts on key rotation for a CF deployment?

Mike


Christopher B Ferris <chrisfer@...>
 

We are also very interested in pursuing this capability.

Cheers,

Christopher Ferris
IBM Distinguished Engineer, CTO Open Cloud
IBM Software Group, Open Technologies
email: chrisfer(a)us.ibm.com
twitter: @christo4ferris
blog: http://thoughtsoncloud.com/index.php/author/cferris/
phone: +1 508 667 0402



From: Mike Youngstrom <youngm(a)gmail.com>
To: CF Developers Mailing List <cf-dev(a)lists.cloudfoundry.org>
Date: 06/11/2015 01:31 PM
Subject: [cf-dev] Key Rotation Strategies
Sent by: cf-dev-bounces(a)lists.cloudfoundry.org

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


CF Runtime
 

There is currently no way for users to rotate the cc.db_encryption_key.
We're going to schedule some work to look into ways to solve the problem
without downtime. Any input would be great, as well as info on other keys
that need attention.

Joseph Palermo
CF Runtime Team

On Thu, Jun 11, 2015 at 10:44 AM, Christopher B Ferris <chrisfer(a)us.ibm.com>
wrote:

We are also very interested in pursuing this capability.

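An added example of the pattern generally used to make a database encryption key like the one Joseph mentions rotatable without downtime. This is illustrative code written for this page, not Cloud Foundry code and not a description of how the Cloud Controller actually stores or uses cc.db_encryption_key. Every ciphertext carries the label of the key that produced it; reads accept any key still on the ring, writes always use the current key, and a background pass re-encrypts rows before the old key is retired. The names (KeyRing, rekey!, rotation_walkthrough, the key labels) and the sample rows are made up.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'
require 'json'

# Illustrative labelled key ring for a column-encryption key (example code,
# not Cloud Controller code). Rotation: add the new key under a new label,
# promote it, re-encrypt rows in the background, then retire the old label.
class KeyRing
  attr_reader :current_label

  # keys: { 'label' => 32-byte key }; current_label is used for all new writes
  def initialize(keys, current_label)
    @keys = {}
    keys.each { |label, key| add(label, key) }
    promote(current_label)
  end

  def add(label, key)
    raise ArgumentError, 'AES-256 key must be 32 bytes' unless key.bytesize == 32
    @keys[label] = key.dup.freeze
  end

  def promote(label)
    raise KeyError, "no key with label #{label.inspect}" unless @keys.key?(label)
    @current_label = label
  end

  # Refuse to drop the key that new writes still depend on.
  def retire(label)
    raise ArgumentError, 'cannot retire the current key' if label == @current_label
    @keys.delete(label)
  end

  def labels
    @keys.keys
  end

  # AES-256-GCM with the key label bound as additional authenticated data, so a
  # stored blob cannot be silently re-labelled to point at a different key.
  def encrypt(plaintext)
    raise ArgumentError, 'plaintext must not be empty' if plaintext.empty?
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = @keys.fetch(@current_label)
    iv = cipher.random_iv
    cipher.auth_data = @current_label
    ct = cipher.update(plaintext) + cipher.final
    JSON.generate('label' => @current_label,
                  'iv'    => Base64.strict_encode64(iv),
                  'tag'   => Base64.strict_encode64(cipher.auth_tag),
                  'ct'    => Base64.strict_encode64(ct))
  end

  # Raises KeyError if the blob's key was retired, and
  # OpenSSL::Cipher::CipherError if the blob or its label was tampered with.
  def decrypt(blob)
    rec = JSON.parse(blob)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = @keys.fetch(rec['label']) { raise KeyError, "key #{rec['label'].inspect} is not on the ring" }
    cipher.iv = Base64.strict_decode64(rec['iv'])
    cipher.auth_tag = Base64.strict_decode64(rec['tag'])
    cipher.auth_data = rec['label']
    cipher.update(Base64.strict_decode64(rec['ct'])) + cipher.final
  end

  def label_of(blob)
    JSON.parse(blob)['label']
  end
end

# Background re-encryption pass over an in-memory stand-in for a table
# (an Array of Hashes). Returns the number of rows rewritten; run it until it
# returns 0 before retiring the old label.
def rekey!(rows, ring, column: :secret)
  rewritten = 0
  rows.each do |row|
    next if ring.label_of(row[column]) == ring.current_label
    row[column] = ring.encrypt(ring.decrypt(row[column]))
    rewritten += 1
  end
  rewritten
end

# Full rotation over constructed sample rows; returns what an operator would
# check at each step.
def rotation_walkthrough
  ring = KeyRing.new({ 'key-2015-06' => SecureRandom.random_bytes(32) }, 'key-2015-06')
  rows = %w[svc-binding-a svc-binding-b svc-binding-c].map.with_index(1) do |secret, id|
    { id: id, secret: ring.encrypt(secret) }
  end

  ring.add('key-2016-01', SecureRandom.random_bytes(32))
  ring.promote('key-2016-01')                                       # new writes use the new key
  old_still_readable = ring.decrypt(rows[0][:secret]) == 'svc-binding-a'  # old rows still readable

  rewritten = rekey!(rows, ring)
  remaining = rekey!(rows, ring)                                    # second pass finds nothing to do
  ring.retire('key-2015-06')

  { old_still_readable: old_still_readable, rewritten: rewritten, remaining: remaining,
    labels_after: rows.map { |r| ring.label_of(r[:secret]) }.uniq,
    plaintexts: rows.map { |r| ring.decrypt(r[:secret]) } }
end
```

The re-encryption pass is idempotent, so it can be run in batches alongside normal traffic; the only step that must wait is retiring the old label, which should happen only after a pass reports zero rows left to rewrite.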

Mike Youngstrom
 

On Thu, Jun 11, 2015 at 12:33 PM, CF Runtime <cfruntime(a)gmail.com> wrote:

as well as info on other keys that need attention.
That is a good question. Looking through a manifest it is difficult to
pick out which keys/passwords should be rotated. A quick perusal found
these candidates:

* UAA/CC DB passwords can probably be rotated without issue.
* One might initially think NATS should be rotated. However, since etcd isn't
even password-protected, we're probably OK relying on the network firewall for
NATS and etcd.
* cc.bulk_api_password should probably be rotated and could cause downtime
if the components that rely upon it don't have their config changed at the
exact same time the CC is changed.
* doppler_endpoint.shared_secret will probably cause the loss of messages
if rotated.
* uaa.cc.token_secret would probably cause everyone to get logged out,
right? Probably not optimal.
* uaa.cc.client_secret might cause connectivity issues between UAA and CC
while rotating, which could cause some downtime.

Any others?

Mike
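An added example of how the shared-secret and password entries in that list can be rotated without every component changing at the same instant. This is illustrative code written for this page, not Cloud Foundry code: the receiving side is redeployed first so it accepts both the new and the old value, senders are then switched to the new value, and the old one is dropped once nothing is matching it any more. Signing uses only the current secret so no new traffic is ever produced under the old one. RotatingSecret, rollout_walkthrough and the sample secrets are made up.

```ruby
require 'openssl'

# Illustrative dual-acceptance verifier for a shared secret (example code,
# not Cloud Foundry code). Accepts the current and, during a rollout, the
# previous secret; signs only with the current one.
class RotatingSecret
  # Counter an operator watches: while it keeps rising, some sender still
  # uses the old secret and it is too early to drop it.
  attr_reader :matched_previous

  def initialize(current:, previous: nil)
    @current = current
    @previous = previous
    @matched_previous = 0
  end

  # Password / bearer-style check.
  def accepts?(candidate)
    return true if secure_eq(candidate, @current)
    if @previous && secure_eq(candidate, @previous)
      @matched_previous += 1
      return true
    end
    false
  end

  # HMAC form for message-signing secrets.
  def sign(message)
    OpenSSL::HMAC.hexdigest('SHA256', @current, message)
  end

  def valid_signature?(message, hex_mac)
    return true if secure_eq(hex_mac, sign(message))
    if @previous && secure_eq(hex_mac, OpenSSL::HMAC.hexdigest('SHA256', @previous, message))
      @matched_previous += 1
      return true
    end
    false
  end

  # Receiver-side config change: new secret becomes current, old becomes previous.
  def rotate(new_secret)
    @previous = @current
    @current = new_secret
    @matched_previous = 0
  end

  def drop_previous
    @previous = nil
  end

  private

  # Constant-time equality independent of input lengths: hash both sides to a
  # fixed length, then OR together the XOR of every byte pair (no early exit).
  def secure_eq(a, b)
    da = OpenSSL::Digest::SHA256.digest(a.to_s)
    db = OpenSSL::Digest::SHA256.digest(b.to_s)
    da.bytes.zip(db.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed rollout of a shared password between a receiver and its senders.
def rollout_walkthrough
  receiver = RotatingSecret.new(current: 'old-bulk-pw')
  receiver.rotate('new-bulk-pw')                 # step 1: receiver redeployed, accepts both
  phase1 = receiver.accepts?('old-bulk-pw')      # senders not yet updated still work
  phase2 = receiver.accepts?('new-bulk-pw')      # step 2: senders redeployed with new secret
  still_old = receiver.matched_previous          # 1: at least one sender has not moved yet
  receiver.drop_previous                         # step 3: once the counter stays at 0
  { phase1: phase1, phase2: phase2, still_old: still_old,
    old_after_drop: receiver.accepts?('old-bulk-pw'),
    bad_guess: receiver.accepts?('guess') }
end
```

The same two-secret window is what keeps a signing-key rotation from dropping in-flight messages: anything signed under the previous secret still verifies until drop_previous is called, so the receiving side can be cut over before the sending side.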