
Custodia should have a write-only interface

Open npmccallum opened this issue 9 years ago • 4 comments

This may already exist in some way. But when using clevis with the tang and http pins, it would be nice to be able to write a secret for later manual, not automated, retrieval.

npmccallum avatar Apr 23 '16 14:04 npmccallum

What you want is metadata that will allow you to write something into Custodia, but then allow retrieval only by a different entity?

simo5 avatar May 02 '16 14:05 simo5

Particularly, I'm thinking of the escrow case with clevis. I want to write a secret that can only be retrieved via, say, physical access.

npmccallum avatar May 03 '16 13:05 npmccallum

Writing an ACL plugin is easy enough; defining the rules on who/how/what can access the secrets is another matter. What do you mean by "physical access"?

simo5 avatar May 03 '16 13:05 simo5

I mean a system that is write-only as far as network access is concerned. You can push secrets to it, but you can't pull them from it. If you want the secrets back out, you have to have some sort of hardware connection (like a KVM).

npmccallum avatar May 03 '16 13:05 npmccallum
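The two comments above sketch the policy without writing it down: anyone authenticated may push a secret in over the network, but nothing comes back out unless the caller is on a non-network transport. The authorizer below is an added example, not Custodia's own plugin code: it approximates the Custodia authorizer shape (a `handle(request)` method returning True to allow, False to deny, None to abstain) with a plain class, and the `transport` field on the request ("network" versus "local" for a Unix-socket or console client) is an assumed marker that a real deployment would have to derive from how the connection arrived. The `/secrets/escrow/` prefix, the principal names and the `local_readers` allow list are illustrative values.

```python
"""Write-only (escrow) authorizer, modelled on the behaviour discussed in the issue.

Added example, not Custodia's own code. The authorizer contract is approximated:
handle() returns True (allow), False (deny) or None (not my path, abstain).
"""
from dataclasses import dataclass
from typing import Optional

WRITE_METHODS = frozenset({"POST", "PUT"})
READ_METHODS = frozenset({"GET"})
LOCAL_ONLY_METHODS = frozenset({"GET", "DELETE"})  # retrieval and removal


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    remote_user: Optional[str]  # authenticated principal, None if unauthenticated
    # Assumed transport marker: "network" for TCP/TLS clients,
    # "local" for a Unix-socket/console client that needs physical access.
    transport: str


class WriteOnlyAuthorizer:
    """Network clients may only write under the escrow prefix.

    Reads and deletes are permitted solely over the local transport, and only
    for principals on an explicit allow list, so a compromised network peer
    can neither pull secrets back out nor destroy what was escrowed.
    """

    def __init__(self, store_prefix: str, local_readers) -> None:
        self.store_prefix = store_prefix
        self.local_readers = frozenset(local_readers)
        self.denied = []  # audit trail of refused requests (principal, method, path)

    def handle(self, request: Request):
        if not request.path.startswith(self.store_prefix):
            return None  # not our namespace; let another authorizer decide
        if request.remote_user is None:
            return self._deny(request)  # never act on unauthenticated callers
        if request.method in WRITE_METHODS:
            return True  # push from anywhere, including the network
        if request.method in LOCAL_ONLY_METHODS:
            if request.transport == "local" and request.remote_user in self.local_readers:
                return True
            return self._deny(request)
        return self._deny(request)  # anything else (HEAD, PATCH, ...) is refused

    def _deny(self, request: Request) -> bool:
        self.denied.append((request.remote_user, request.method, request.path))
        return False


def decide(authz: WriteOnlyAuthorizer, method: str, path: str,
           user: Optional[str], transport: str):
    """Convenience wrapper so a single call exercises one policy decision."""
    return authz.handle(Request(method, path, user, transport))


def demo() -> dict:
    """Run the escrow scenario from the issue: a clevis host escrows a secret
    over the network and later tries to read it back; an operator reads it
    from the console. Returns the decisions keyed by scenario name."""
    authz = WriteOnlyAuthorizer("/secrets/escrow/", local_readers={"operator"})
    key = "/secrets/escrow/host1/luks-key"
    return {
        "network_write": decide(authz, "PUT", key, "clevis-host1", "network"),
        "network_read": decide(authz, "GET", key, "clevis-host1", "network"),
        "local_read_operator": decide(authz, "GET", key, "operator", "local"),
        "local_read_unlisted": decide(authz, "GET", key, "clevis-host1", "local"),
        "network_delete": decide(authz, "DELETE", key, "operator", "network"),
        "unauthenticated_write": decide(authz, "PUT", key, None, "network"),
        "other_namespace": decide(authz, "GET", "/secrets/app/db", "operator", "network"),
        "denied_count": len(authz.denied),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check is deliberately keyed on the transport the request arrived over rather than on a source address, since an address is exactly what a network attacker controls; whatever mechanism marks a connection as "local" (a Unix socket, a serial console) is the trust anchor of the whole scheme and must not be reachable from the network.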