undefined | Better HN

0 pointslvh6y ago0 comments

what's wrong with an online system managing the secrets? KMS is great, and makes it easy to separate decrypt from encrypt permissions.

(KMS is not the only option! I'm just trying to eke out why you think that's valuable. For example, I think age, mentioned in the blog post, is a direct replacement?)

0 comments

viraptor6y ago

It has to be online. And reliable. And you can run into rate-limiting. And you have to be online. And services using it need extra network configuration to allow access. And if you can't narrow it down to a single ip/block you have a service with full network access just to reach out to a KMS.

lvhOP6y ago

KMS historical downtime is pretty great, rate limits have been bumped quite a bit to the point where I seriously doubt you're hitting them for secrets management, I'm not sure you can do a lot of useful things with most secrets while you're offline, KMS has a VPC endpoint and an Internet endpoint, so you can do both variants of the tight network scoping you want.

(And, again, age once that's around :-))

wbl6y ago

How do you turn on the online system?

lvhOP6y ago

KMS is a service, it’s already on.

j / k navigate · click thread line to collapse

0 pointslvh6y ago0 comments

what's wrong with an online system managing the secrets? KMS is great, and makes it easy to separate decrypt from encrypt permissions.

(KMS is not the only option! I'm just trying to eke out why you think that's valuable. For example, I think age, mentioned in the blog post, is a direct replacement?)

0 comments

viraptor6y ago

lvhOP6y ago

(And, again, age once that's around :-))

wbl6y ago

How do you turn on the online system?

lvhOP6y ago

KMS is a service, it’s already on.

j / k navigate · click thread line to collapse