Hi,
First of all looks like an amazing project so thanks!
You mention key rotation but I think I might have misunderstood what you're talking about.
Let's say I have a symmetric key and I want to change it; in a CD environment there is a short period where you need to support two keys. How does Keywhiz fit in there? If it doesn't, I'd really like to understand what you meant.
I'd love to hear from some of the team who built this about differences between Keywhiz and Keyczar, which to my mind was the best-practice open-source cross-platform solution to date (i.e. if you're not relying on things like AWS Cloudformation config or Heroku config vars to "manage" secrets).
Obvious pieces to me appear to be (1) roles and auditability (2) end-user front-end (3) filesystem interface & associated ease of access for various services. But I'm not an expert!
Keyczar is meant to solve a different problem. It’s meant to be a simple programmatic API for crypto operations, while being high-level and excluding unsafe options. NaCl (http://nacl.cr.yp.to/) has similar goals to Keyczar.
Keywhiz isn’t an interface for software to do crypto. Rather, it’s a system to manage the secrets/keys used for crypto and making them available to the services that need them. It doesn’t explicitly look at the content of secrets, unless a plugin is used.
The filesystem interface by itself is a big difference.
Keywhiz lets you manage things like MySQL or other configs which might contain things like username/passwords, passwords to unlock certificates, API keys, etc. If you don't have the resources/option to modify applications to use a specific API, the filesystem might be your only viable solution.
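As an added illustration, not from any of the commenters and not Keywhiz's own code: one way an application that only reads secrets from a filesystem mount can honour two keys during the overlap period of a rotation. The on-disk layout (an active key id plus every key still accepted), the file name and the HMAC use case are assumptions.

```python
import base64, hashlib, hmac, json, os, tempfile


class KeyRing:
    """One active key for new MACs; every listed key accepted for checks."""

    def __init__(self, active, keys):
        if active not in keys:
            raise ValueError("active key id must be in the key set")
        self.active, self.keys = active, keys

    @classmethod
    def from_file(cls, path):
        # Hypothetical layout of the secret file as written to disk.
        with open(path, "rb") as fh:
            doc = json.load(fh)
        keys = {kid: base64.b64decode(v) for kid, v in doc["keys"].items()}
        return cls(doc["active"], keys)

    def sign(self, msg):
        mac = hmac.new(self.keys[self.active], msg, hashlib.sha256).hexdigest()
        return f"{self.active}:{mac}"

    def verify(self, token, msg):
        kid, _, mac = token.partition(":")
        key = self.keys.get(kid)
        if key is None:  # retired or unknown key id: reject
            return False
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)


def write_secret(path, active, keys):
    enc = {k: base64.b64encode(v).decode() for k, v in keys.items()}
    with open(path, "w") as fh:
        json.dump({"active": active, "keys": enc}, fh)


def rotation_demo():
    """Returns (old token OK during overlap, old OK after retire, new OK)."""
    k1, k2 = b"\x01" * 32, b"\x02" * 32  # constructed sample keys
    msg = b"GET /orders"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "api-hmac-key.json")
        write_secret(path, "k1", {"k1": k1})
        old_token = KeyRing.from_file(path).sign(msg)
        write_secret(path, "k2", {"k1": k1, "k2": k2})  # overlap: both keys
        ring = KeyRing.from_file(path)
        during, new_token = ring.verify(old_token, msg), ring.sign(msg)
        write_secret(path, "k2", {"k2": k2})  # old key retired
        ring = KeyRing.from_file(path)
        return during, ring.verify(old_token, msg), ring.verify(new_token, msg)
```

Re-reading the file on each use (or on a change notification) is what lets the process pick up the new key set without a restart.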
Bletchley is actually a different piece of our infrastructure: it protects keys by storing them in hardware, whereas Keywhiz is aimed at distributing the secrets that apps really need (e.g. API tokens for 3rd-party services).
emerose | 11 years ago
We presented Keywhiz at Baythreat in 2012: http://www.baythreat.org/2012/speakers.html I'm not sure if that was recorded, though.