250 points by cryptokeys 6 months ago | 19 comments
cryptonite123 6 months ago
Fantastic article! Secure key management is crucial in distributed systems. I suggest checking out `Keywhiz` from Square for secure storage and distribution of keys in these systems.
cryptonite123 6 months ago
Keywhiz does sound interesting; I'll definitely take a look at it. Thanks!
oldgeek101 6 months ago
Keep in mind that each system you mentioned has its own security requirements and limitations. Don't forget to configure and maintain them consistently to ensure protection!
cypher_engineer 6 months ago
Another vote for `Keywhiz`; we have been using its latest LTS release for our internal distributed systems and loving it!
securityexpert 6 months ago
Well researched topic. Have you ever considered using `Vault` by HashiCorp? It addresses the purpose with a variety of secrets and encryption tools.
learnhow2sec 6 months ago
That's a great point. This discussion reminded me of an article I read on the `AWS Secrets Manager`. Didn't know you could do that with AWS.
justanotherdev 6 months ago
`Secrets Manager` seems like a powerful tool, but might not be suited for all use cases. It's one additional fee in your AWS stack.
jakerobot 6 months ago
I had previously used `AWS Key Management Service (KMS)` for securing my keys, but it lacks a unified key between services. Would love to learn more about the solutions mentioned here.
infoxicated 6 months ago
KMS is great, but not for storing keys in a distributed system. I'd recommend checking `AWS CloudHSM` if you're all-in on AWS. Also, take a look at the `GCP Cloud HSM` if you've got any services hosted there.
enc_enthusiast 6 months ago
Thanks for sharing, I'll also check out `Google Cloud HSM`! I wonder how they compare feature-wise. Does anyone have experience with both?
otherusername 6 months ago
Appreciate the attention to detail in the article. Don't forget `Thales Cloud HSM`; it's often overlooked but well tested in the field.
anothername 6 months ago
I agree that Thales is a capable system and competitively priced.
new2cryptography 6 months ago
What would you recommend as the ideal key rotation strategy in distributed systems?
hackthesecrets 6 months ago
Rotating keys every 90 days with automatic issuance and revocation sounds like a good start. What are your thoughts, `securityexpert`?
securityexpert 6 months ago
I recommend a 360-day rotation. It's less frequent than 90 days, hence less workload for key management and rotation. A longer rotation also inhibits brute force and cracking attacks. Thoughts?
infosecwarrior 6 months ago
Make sure you also consider your application dependencies when rotating keys. Notify your app team to implement necessary changes in code to communicate with the updated keys.
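An added example (not from the thread or any of the products named in it) of the rotation strategy hackthesecrets and infosecwarrior describe: a key ring for HMAC-signed service tokens that rotates on a fixed period, keeps the previous version verifiable for a grace window so dependent applications can migrate, then refuses it. The token layout, the `k0001`-style key ids and the 90-day period with a 7-day grace window are assumptions chosen for the demo.

```python
import base64, hashlib, hmac, json, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class KeyVersion:
    kid: str            # key id carried in every token so verifiers pick the right version
    secret: bytes
    created: datetime
    revoked: bool = False

class RotatingKeyRing:
    """Active HMAC key plus retained older versions (rotation with a grace window)."""
    def __init__(self, rotation_period: timedelta, grace: timedelta):
        self.rotation_period, self.grace = rotation_period, grace
        self.versions = {}          # kid -> KeyVersion (assumed in-memory store for the demo)
        self.current_kid = None

    def due(self, now: datetime) -> bool:
        cur = self.versions.get(self.current_kid)
        return cur is None or now - cur.created >= self.rotation_period

    def rotate(self, now: datetime) -> str:
        kid = f"k{len(self.versions) + 1:04d}"
        self.versions[kid] = KeyVersion(kid, secrets.token_bytes(32), now)
        self.current_kid = kid
        # Retire versions older than period + grace: they may no longer sign or verify.
        for v in self.versions.values():
            if v.kid != kid and now - v.created > self.rotation_period + self.grace:
                v.revoked = True
        return kid

    def sign(self, payload: dict) -> str:
        key = self.versions[self.current_kid]
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        mac = hmac.new(key.secret, f"{key.kid}.{body}".encode(), hashlib.sha256).hexdigest()
        return f"{key.kid}.{body}.{mac}"

    def verify(self, token: str):
        """Return the payload, or None for a malformed token, bad MAC, unknown kid or revoked key."""
        try:
            kid, body, mac = token.split(".")
        except ValueError:
            return None
        key = self.versions.get(kid)
        if key is None or key.revoked:
            return None         # never fall back to another key for an unrecognised kid
        expected = hmac.new(key.secret, f"{kid}.{body}".encode(), hashlib.sha256).hexdigest()
        return json.loads(base64.urlsafe_b64decode(body)) if hmac.compare_digest(expected, mac) else None
```

Consumers only need to honour the `kid` prefix to keep working across a rotation; the ring, not the verifier, decides when an old version stops being acceptable.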
digital_assets 6 months ago
Symmetric keys or asymmetric keys? Which one to use in distributed systems?
storagedev 6 months ago
Depends on use case. Symmetric keys are good for bulk encryption/decryption and are better for faster performance. Asymmetric keys are more secure but have slower performance. What are your thoughts?
keyadmin 6 months ago
Use symmetric keys when you have a small team working on the same codebase. Asymmetric keys could be overkill. Prefer asymmetric when managing authentication-related data and different levels of access.