Right way to spread secret keys between microservices

Question

I have a few services that sign some data with an asymmetric cryptography algorithm (like RSA). I need to spread some secret (private) keys between all instances of the service.

I've found a few ways to do that:

Share keys as configuration (looks insecure when I need to spread private keys)
Embed keys into apps/images when it's build (what if I need different keys? Would it complicate build automation?)
Use some special key management service (what service?)

Is there a right way (or devops-way) to spread secret keys between microservices without compromises in security or automation?

I haven't used them personally, but you should look into secret distribution services like [Vault](https://www.vaultproject.io/). — Karl Bielefeldt, Jul 27 '16 at 15:42
What mechanism will you use to transmit the keys? Is that mechanism already a secure channel? — Robert Harvey, Jul 27 '16 at 17:12

score 4 · Accepted Answer · answered Aug 02 '16 at 18:56

If you're not using a build server then the simplest option is to put it in the config files. This way they're not embedded in source control. Think of database passwords, these are "private keys" too at the end of the day, and are commonly stored in config files. They aren't directly readable by a hacker either, unless they have access to your server -- in which case you'd have bigger problems than losing the private keys anyways

score 3 · Answer 2 · answered Aug 09 '16 at 06:02

3

If you use some kind of service orchestration tool like Kubernetes it's easier: Kubernetes helps you mount secrets into containers savely:

http://kubernetes.io/docs/user-guide/secrets/

answered Aug 09 '16 at 06:02

enzian

41
3

Right way to spread secret keys between microservices

2 Answers2