Key management in ansible based multi-platform deployment #2699
Replies: 1 comment
Hm... I think this really opens the door for more scope (which we may or may not want to deal with here). Vault can fully manage credentials for databases, including credential expiration/rotation, which would be much more secure than the current pattern that has credentials in config files. However, that's not really part of ansible or multi-platform. Certainly vault can be configured to provide a full PKI infrastructure (https://learn.hashicorp.com/tutorials/vault/pki-engine?in=vault/secrets-management), which VOLTTRON could consume, and could also be used to manage keys (as needed for multi-platform, as well as anything else we may need it for in VOLTTRON).

I guess the first questions come down to how we want to connect the tool. One option is similar to how we do RabbitMQ now, which is that we try to build full tooling that deploys vault and uses it as a secret engine/store within the platform. My recommendation would be to not do this, and instead treat vault as an external resource that we can leverage (more like how VOLTTRON doesn't provision PostgreSQL, but a historian can publish data there). In that scenario, maybe the auth system can be configured to locally manage (similar to the current pattern), or to consume content of an external vault. In a multi-platform system, the admin would provision a single vault and connect each platform to it. The admin (or ansible) could then add keys to vault as needed when provisioning a new platform.

Probably a key piece in this is that if we can move to a design that consumes externally managed secrets, we may be able to define a pattern for VOLTTRON secrets that is actually agnostic to how those are generated/managed. Then in a more hardened system, an admin uses something like vault, in a development system a user does it manually, and in an enterprise that is using some other solution they could tie in their existing solution.
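The reply above argues for a secrets pattern that is agnostic to how secrets are generated and managed: the platform consumes an externally provisioned store in a hardened deployment, a local file in development, or whatever an enterprise already runs. The following is an added example of that shape, written for this discussion and not VOLTTRON project code. The names `SecretProvider`, `LocalFileProvider`, `VaultKvProvider`, `provider_from_env`, `lookup_with` and the `VOLTTRON_SECRETS_FILE` variable are hypothetical; the only Vault specifics used are the documented KV v2 HTTP read (`GET /v1/<mount>/data/<path>` with the `X-Vault-Token` header) and the standard `VAULT_ADDR`/`VAULT_TOKEN` variables. The platform never deploys or configures Vault; an admin provisions it and the platform only reads from it.

```python
"""Backend-agnostic secret lookup for a platform that consumes externally
managed secrets, as the reply above proposes.

Added example, not VOLTTRON project code. SecretProvider, LocalFileProvider,
VaultKvProvider, provider_from_env, lookup_with and VOLTTRON_SECRETS_FILE are
hypothetical names chosen for illustration.
"""
import json
import os
import tempfile
import urllib.request
from abc import ABC, abstractmethod
from typing import Optional


class SecretProvider(ABC):
    """The only contract platform code depends on: name in, secret (or None) out."""

    @abstractmethod
    def get(self, name: str) -> Optional[str]:
        raise NotImplementedError


class LocalFileProvider(SecretProvider):
    """Development case: secrets kept in a local JSON file that a user maintains
    by hand (the analogue of today's config-file pattern)."""

    def __init__(self, path: str):
        self._path = path

    def get(self, name: str) -> Optional[str]:
        with open(self._path, encoding="utf-8") as fh:
            return json.load(fh).get(name)


class VaultKvProvider(SecretProvider):
    """Hardened case: read from a Vault KV v2 mount that an admin provisioned
    outside the platform. Only Vault's documented HTTP API is used
    (GET /v1/<mount>/data/<path> with the X-Vault-Token header); the platform
    neither deploys nor configures Vault."""

    def __init__(self, addr: str, token: str, mount: str = "secret", path: str = "volttron"):
        self._addr = addr.rstrip("/")
        self._token = token
        self._mount = mount
        self._path = path

    def url(self) -> str:
        return f"{self._addr}/v1/{self._mount}/data/{self._path}"

    def get(self, name: str) -> Optional[str]:
        req = urllib.request.Request(self.url(), headers={"X-Vault-Token": self._token})
        with urllib.request.urlopen(req, timeout=5) as resp:
            body = json.load(resp)
        # KV v2 wraps the caller's key/value pairs under data.data
        return body["data"]["data"].get(name)


def provider_from_env(env: dict) -> SecretProvider:
    """Choose the backend from configuration; platform code stays the same
    whether secrets come from a file, from Vault, or from some other store
    added later behind the same interface."""
    if env.get("VAULT_ADDR") and env.get("VAULT_TOKEN"):
        return VaultKvProvider(env["VAULT_ADDR"], env["VAULT_TOKEN"])
    return LocalFileProvider(env.get("VOLTTRON_SECRETS_FILE", "secrets.json"))


def write_sample_secrets_file() -> str:
    """Write a constructed sample secrets file (demo data only) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({"historian_db_password": "constructed-sample-only"}, fh)
    return path


def lookup_with(env: dict, name: str) -> Optional[str]:
    """What a platform component would call: resolve a provider, fetch one secret."""
    return provider_from_env(env).get(name)


if __name__ == "__main__":
    sample = write_sample_secrets_file()
    print(lookup_with({"VOLTTRON_SECRETS_FILE": sample}, "historian_db_password"))
    os.unlink(sample)
```

The point of the shape is that a historian or auth component only ever holds a `SecretProvider`; swapping the development file for a Vault mount (or a third backend an enterprise already operates) is a configuration change, and adding a backend means adding one class, not touching consumers.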
Management of keys and certs in automated multi-platform deployment of VOLTTRON is an important security feature that needs to be added into VOLTTRON. One of the ways would be using Vaults https://learn.hashicorp.com/tutorials/vault/database-secrets?in=vault/secrets-management.
We would like to open the discussion with the community to see if there are other ideas for key management.