#security (2018-12)
Archive: https://archive.sweetops.com/security/
2018-12-04
@antonbabenko auto unseal has arrived
About time.
Beautiful
2018-12-05
lololol
gravitational guys have reproduced the kubernetes exploit
2018-12-16
2018-12-19
1
oh joy!
just something in time for the holidays… a gift to the spammers & scammers for christmas
2018-12-20
yea, great timing…
I think I might prefer a git credential helper instead
haha, yea, in the end I’ll be using my OSX keychain instead
here’s where I see this as interesting: EC2 Instance “master keys”
while these should not be used for regular maintence
they can be good as a last resort
this lets you store them in a centralized place and use IAM to control who has access to them.
while also leveraging them from the command line to connect
exactly - like that
are you using vault enterprise or the community edition?
community
my understanding is they’ve added auto-unseal to enterprise
…the other way aaround
auto-unseal is now available in CE using KMS
that’s what I meant
Whoa this is really nice for the times you need a server to grab a deploy key… i had been grabbing the private deploy key from hashicorp vault or aws ssm - but then writing to a file . Didn’t think of temporary add to a ssh-agent!
Nice trick
2018-12-21
2018-12-26
And then using this pattern with Kubernetes https://www.bitservices.io/blog/confd-kubernetes/
Are k8s secrets still unencrypted in etcd?
and not at all secret?
they are encrypted at rest in etcd
that seems new since I last looked (1+ year ago)
though I guess it depends on your k8s implementation
