

Protecting infrastructure secrets with Keywhiz from Square - strzalek
https://corner.squareup.com/2015/04/keywhiz.html

======
joe9876123
Hi, first of all, this looks like an amazing project, so thanks! You mention key
rotation, but I think I might have misunderstood what you're talking about.
Let's say I have a symmetric key and I want to change it; in a CD environment
there is a short period where you need to support two keys. How does Keywhiz
fit in there? If it doesn't, I'd really like to understand what you meant.
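
The two-key overlap described in the question, as an added illustration that is not part of the post and not Keywhiz code: a versioned key ring where only the current key signs new tokens, every key still on the ring can verify, and the old key is retired only after the overlap window. The key ring class, the token format (`version.message.tag`), and the constructed sample messages are all assumptions of this example; HMAC-SHA256 stands in for whatever symmetric operation the deployed key protects.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def _b64(data: bytes) -> str:
    # URL-safe base64 without padding; "." is not in this alphabet, so it is a safe separator.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRing:
    """Hypothetical versioned symmetric key ring.

    One 'current' version signs; every version still on the ring verifies.
    rotate() adds the next key, retire() removes an old one once the overlap
    window (in-flight tokens signed under it) has passed.
    """

    def __init__(self, version: str, key: bytes) -> None:
        self._keys = {version: key}
        self.current = version

    def rotate(self, version: str, key: bytes) -> None:
        if version in self._keys:
            raise ValueError(f"version {version!r} already on ring")
        self._keys[version] = key
        self.current = version  # new tokens use the new key from now on

    def retire(self, version: str) -> None:
        if version == self.current:
            raise ValueError("cannot retire the current signing key")
        del self._keys[version]  # tokens under this version stop verifying

    def sign(self, message: bytes) -> str:
        tag = hmac.new(self._keys[self.current], message, hashlib.sha256).digest()
        return ".".join([self.current, _b64(message), _b64(tag)])

    def verify(self, token: str) -> Optional[bytes]:
        """Return the message if the tag is valid under the named key version, else None."""
        try:
            version, msg_b64, tag_b64 = token.split(".")
            message, tag = _unb64(msg_b64), _unb64(tag_b64)
        except ValueError:
            return None  # malformed token
        key = self._keys.get(version)
        if key is None:
            return None  # unknown or already-retired version
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return message


def rotation_walkthrough() -> dict:
    """Walk through rotate -> overlap -> retire with constructed sample tokens."""
    ring = KeyRing("v1", secrets.token_bytes(32))
    old_token = ring.sign(b"session:alice")          # issued before rotation

    ring.rotate("v2", secrets.token_bytes(32))
    new_token = ring.sign(b"session:bob")            # issued after rotation
    results = {
        "old_token_during_overlap": ring.verify(old_token),  # still accepted
        "new_token": ring.verify(new_token),
        "new_token_version": new_token.split(".")[0],
    }

    ring.retire("v1")                                 # overlap window closed
    results["old_token_after_retire"] = ring.verify(old_token)

    # A message swapped under a tag from a different message must not verify.
    forged = "v2." + _b64(b"session:admin") + "." + new_token.split(".")[2]
    results["forged"] = ring.verify(forged)
    return results


if __name__ == "__main__":
    for name, value in rotation_walkthrough().items():
        print(f"{name}: {value!r}")
```

The version prefix is what makes the overlap cheap: a verifier tries exactly the key the token names rather than every key on the ring, and retiring a version is a single deletion with an immediate, auditable effect.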

------
ispivey
I'd love to hear from some of the team who built this about differences
between Keywhiz and Keyczar, which to my mind was the best-practice open-
source cross-platform solution to date (i.e. if you're not relying on things
like AWS Cloudformation config or Heroku config vars to "manage" secrets).

Obvious pieces to me appear to be (1) roles and auditability (2) end-user
front-end (3) filesystem interface & associated ease of access for various
services. But I'm not an expert!

~~~
sul3n3t
Keyczar is meant to solve a different problem. It’s meant to be a simple
programmatic API for crypto operations, while being high-level and excluding
unsafe options. NaCl ([http://nacl.cr.yp.to/](http://nacl.cr.yp.to/)) has
similar goals to Keyczar.

Keywhiz isn’t an interface for software to do crypto. Rather, it’s a system to
manage the secrets/keys used for crypto and making them available to the
services that need them. It doesn’t explicitly look at the content of secrets,
unless a plugin is used.

~~~
ispivey
Understood! I'd looked at Keyczar in the past as a component of a system to
manage secrets/keys, but I see it's actually providing about 0% of what
Keywhiz does.

------
christop
This is a good talk on (what I believe to be) this software:
[https://www.slideshare.net/diogomonica/bletchley](https://www.slideshare.net/diogomonica/bletchley)

~~~
emerose
Bletchley is actually a different piece of our infrastructure: it protects
keys by storing them in hardware, whereas Keywhiz is aimed at distributing the
secrets that apps really need (API tokens for 3rd party services, e.g.).

We presented Keywhiz at Baythreat in 2012:
[http://www.baythreat.org/2012/speakers.html](http://www.baythreat.org/2012/speakers.html)
I'm not sure if that was recorded, though.

~~~
christop
Cool, thanks. Are there any slides? I saw @diogomonica mention there have been
several presentations, but I couldn't find any.

~~~
sul3n3t
Back then we tried to upload the keynote to slideshare without success. I
think the blog post pretty much covers the same material regarding Keywhiz but
with more detail.

