Key Management Options

[TheRipperoni]

Since we are currently storing our keys at the environment variable level at the moment, are there any plans on supporting a solution like Vault, KMS, etc... in order to better secure and hide the secret keys for RSky?

[rudyfraser]

Open to a proposal for this. Blacksky's cloud host allows for encrypting environment variables that are decrypted at runtime. But that doesn't translate to other hosts so though it isn't an urgent priority for Blacksky I think it's an important consideration for rsky.

I don't have experience with the specific solutions you mentioned though.

[afbase]

Happy to participate/review the proposal

[afbase]

@TheRipperoni

Does #54 relate to this inquiry?

[TheRipperoni]

@TheRipperoni

Does #54 relate to this inquiry?

Not in particular. This inquiry is more about options for storing keys for RSky outside of environment variables

[afbase]

idea:

would y'all like to use sops's .sops.yaml as our key management configuration + tool?

SOPS is flexible to multiple key management services but I am imagining the first use case may be AWS KMS where your .sops.yaml file might look like:

creation_rules:
  - path_regext: "path/to/rsky/config*.yml"
    kms: "arn:aws:kms:${AWS_REGION}:${ID}:key/${KEY_UUID}"

Blacksky's cloud host allows for encrypting environment variables that are decrypted at runtime.

@rudyfraser I'm not entirely sure how the decryption works but perhaps sops can be incorporated in the process?