andaryjo
commented
1 year ago Would this be a dedicated driver or maybe just a feature for existing drivers? Besides the "local" AES secret driver, our cloud provider drivers could implement this as well (at least GCP KMS supports asymmetric encryption, not sure about Azure).
Problem For the AES secret driver I still need to have somehow securely share the key between all people that want to reveal secrets. The other drivers require using a cloud provider.
Solution I would like to be able to configure some public keys in the skipper config and then encrypt secrets using all those public keys. Each one of the corresponding private keys can decrypt the secrets.
This way every participant only has to add their public key to the repository and no secret material needs to be exchanged.
Possible solutions could e.g. integrate gpg, age or sops.
Additional context After changing the public keys, you should be able to reencrypt all the keys. Maybe even support to automatically rotate the secret if a public key was removed. Could be implemented in a separate PR/Issue.