Storing private key inside container #1496
Hello, I am interested in storing the private key and doing the decryption inside a container or a volume, such that the decrypted secret is visible only to that container and not to the entire cluster.
Replies: 1 comment
Hi @annetteshajan

The Sealed Secrets controller expects the encryption TLS certificate to be present in a cluster Secret. The whole security model of Sealed Secrets depends on this, since RBAC policies can be used to limit access to those secrets as needed.

Also, using cluster Secrets enables a history of TLS encryption keys used in the past, allowing the controller to decrypt Sealed Secrets deployed in the cluster no matter how old they are.

We need to make sure that whatever storage method we use for the encryption certificates is compliant with these two requisites (fine-grained security model and history of encryption keys). Storing the keys in a container or volume will not be compatible with those requirements and we do not contemplate that feature for the project.

Regards
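As an added example (not part of this thread and not the project's own code), the Go program below models the two properties the reply relies on: a ring of sealing keys that grows when the key is renewed (the controller does this periodically, every 30 days by default, and keeps the old keys), sealing with the currently active public key, and unsealing by trying the keys in the ring from newest to oldest, so a value sealed before a renewal still decrypts. The hybrid layout (AES-256-GCM session key wrapped with RSA-OAEP, with the namespace/name used as the OAEP label so a value cannot be unsealed under a different scope) is a simplified stand-in for the real SealedSecret encoding and is not byte-compatible with it; `KeyRing`, `Seal`, `Unseal` and the `team-a/db-creds` sample label are all assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyRing models the controller's key history (hypothetical type for this
// example). Each entry stands in for one cluster Secret holding a sealing key;
// the last entry is the active key, older ones are kept so old values unseal.
type KeyRing struct {
	keys []*rsa.PrivateKey
}

// Rotate generates a new sealing key and makes it active without discarding
// the previous keys. A key stored only inside a container would be lost on
// restart and could not provide this history.
func (r *KeyRing) Rotate() error {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	r.keys = append(r.keys, k)
	return nil
}

// ActivePublicKey is the certificate a client would fetch to seal a value.
func (r *KeyRing) ActivePublicKey() *rsa.PublicKey {
	return &r.keys[len(r.keys)-1].PublicKey
}

// Seal wraps a fresh AES-256-GCM session key with RSA-OAEP(SHA-256) under pub.
// label (e.g. "namespace/name") is bound into both OAEP and GCM, so the value
// only unseals for that scope. Layout: 2-byte big-endian wrapped-key length,
// wrapped key, GCM nonce, GCM ciphertext. Simplified, not the project's format.
func Seal(pub *rsa.PublicKey, label, plaintext []byte) ([]byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := []byte{byte(len(wrapped) >> 8), byte(len(wrapped))}
	out = append(out, wrapped...)
	out = append(out, nonce...)
	return append(out, gcm.Seal(nil, nonce, plaintext, label)...), nil
}

// Unseal tries every key in the ring, newest first. A wrong label makes the
// OAEP unwrap fail, so the value cannot be moved to another namespace/name.
func (r *KeyRing) Unseal(label, sealed []byte) ([]byte, error) {
	if len(sealed) < 2 {
		return nil, errors.New("sealed value too short")
	}
	n := int(sealed[0])<<8 | int(sealed[1])
	if len(sealed) < 2+n {
		return nil, errors.New("truncated wrapped key")
	}
	wrapped, rest := sealed[2:2+n], sealed[2+n:]
	for i := len(r.keys) - 1; i >= 0; i-- {
		sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, r.keys[i], wrapped, label)
		if err != nil {
			continue // not sealed under this key (or wrong scope); try an older key
		}
		block, err := aes.NewCipher(sessionKey)
		if err != nil {
			return nil, err
		}
		gcm, err := cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
		ns := gcm.NonceSize()
		if len(rest) < ns {
			return nil, errors.New("truncated nonce")
		}
		return gcm.Open(nil, rest[:ns], rest[ns:], label)
	}
	return nil, errors.New("no key in the ring can unseal this value")
}

func main() {
	var ring KeyRing
	_ = ring.Rotate()
	label := []byte("team-a/db-creds") // constructed sample scope
	sealed, _ := Seal(ring.ActivePublicKey(), label, []byte("hunter2"))
	_ = ring.Rotate() // key renewed after the value was sealed
	pt, err := ring.Unseal(label, sealed)
	fmt.Printf("after rotation: %q, err=%v\n", pt, err)
	_, err = ring.Unseal([]byte("team-b/db-creds"), sealed)
	fmt.Println("wrong scope rejected:", err != nil)
}
```

The point to take from the round trip is the one the reply makes: the ring (i.e. the set of key Secrets in the controller namespace) is the only thing that can unseal anything, which is why access to it is governed with RBAC on those Secrets rather than by hiding a key inside a single container.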