
Key Management Options

Open TheRipperoni opened this issue 10 months ago • 5 comments

Since we are currently storing our keys at the environment variable level at the moment, are there any plans on supporting a solution like Vault, KMS, etc... in order to better secure and hide the secret keys for RSky?

TheRipperoni avatar Feb 06 '25 21:02 TheRipperoni

Open to a proposal for this. Blacksky's cloud host allows for encrypting environment variables that are decrypted at runtime. But that doesn't translate to other hosts, so though it isn't an urgent priority for Blacksky, I think it's an important consideration for rsky.

I don't have experience with the specific solutions you mentioned though.

rudyfraser avatar Feb 06 '25 22:02 rudyfraser

Happy to participate/review the proposal

afbase avatar Feb 06 '25 22:02 afbase

@TheRipperoni

Does #54 relate to this inquiry?

afbase avatar Feb 14 '25 22:02 afbase

> @TheRipperoni
>
> Does #54 relate to this inquiry?

Not in particular. This inquiry is more about options for storing keys for RSky outside of environment variables

TheRipperoni avatar Feb 14 '25 23:02 TheRipperoni

idea:

would y'all like to use sops's .sops.yaml as our key management configuration + tool?

SOPS is flexible to multiple key management services but I am imagining the first use case may be AWS KMS where your .sops.yaml file might look like:

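```yaml
creation_rules:
  # path_regex is a regular expression, not a glob
  - path_regex: 'path/to/rsky/config.*\.yml$'
    # ${...} are placeholders for your region, account ID and key ID
    kms: "arn:aws:kms:${AWS_REGION}:${ID}:key/${KEY_UUID}"
```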

> Blacksky's cloud host allows for encrypting environment variables that are decrypted at runtime.

@rudyfraser I'm not entirely sure how the decryption works but perhaps sops can be incorporated in the process?

afbase avatar Mar 12 '25 03:03 afbase
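An added example, not part of the thread or of rsky: a small Go check that lists which config files a set of `.sops.yaml` creation rules would leave without a matching rule, showing why a glob-style pattern like `config*.yml` misses files when it is read as a regular expression. The `Rule` type, the file names and the ARN placeholder are constructed for illustration, and the matching behaviour (unanchored Go regexp, first matching rule wins) is an assumption about how SOPS selects rules.

```go
package main

import (
	"fmt"
	"regexp"
)

// Rule holds the two creation_rules fields used here (hypothetical type, not SOPS's own).
type Rule struct {
	PathRegex string
	KMS       string
}

// MatchRule returns the index of the first rule whose path_regex matches path,
// or -1 if none does. Assumed behaviour: unanchored Go regexp, first match wins,
// and an empty path_regex matches every file.
func MatchRule(rules []Rule, path string) (int, error) {
	for i, r := range rules {
		re, err := regexp.Compile(r.PathRegex)
		if err != nil {
			return -1, fmt.Errorf("creation_rules[%d]: %w", i, err)
		}
		if re.MatchString(path) {
			return i, nil
		}
	}
	return -1, nil
}

// Uncovered returns the paths for which no creation rule matches.
func Uncovered(rules []Rule, paths []string) ([]string, error) {
	var missed []string
	for _, p := range paths {
		i, err := MatchRule(rules, p)
		if err != nil {
			return nil, err
		}
		if i < 0 {
			missed = append(missed, p)
		}
	}
	return missed, nil
}

func main() {
	// Constructed file names; the KMS ARN is a placeholder, not a real key.
	paths := []string{"path/to/rsky/config.yml", "path/to/rsky/config-prod.yml"}
	arn := "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_UUID"
	for _, pat := range []string{"path/to/rsky/config*.yml", `path/to/rsky/config.*\.yml$`} {
		missed, err := Uncovered([]Rule{{PathRegex: pat, KMS: arn}}, paths)
		fmt.Printf("%-32s uncovered=%v err=%v\n", pat, missed, err)
	}
}
```

Running a check like this in CI against the list of files expected to hold secrets catches a rule that silently stops covering a renamed config file.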