What does HackerNews think of keywhiz?

A system for distributing and managing secrets

Language: Java

HashiCorp Vault - is big in secrets management, but it's not the Terraform of secrets management; it's just too easy to make another product.

AWS Secrets Manager

AWS Systems Manager Parameter Store

AWS KMS

Google Cloud KMS - Cloud Key Management System

Azure Key Vault

confidant - https://lyft.github.io/confidant

keywhiz - https://github.com/square/keywhiz

knox - https://github.com/pinterest/knox

strongboxsafe - https://strongboxsafe.com

conjur - https://www.conjur.org

+ many more

Ansible Vault - probably not competing directly

I am pretty sure companies like Netflix, Facebook, Uber, Tesla and others are probably using their own in-house creations.

This doesn't deal with user keys at all -- we use Kerberos for users to log in. This is just an SSH CA for server certificates. We could extend it to users, if we had a way to identify them.

We have an existing x509 trust infrastructure, where keys are distributed with Keywhiz (https://github.com/square/keywhiz). That's why we started with having hosts identify themselves with x509 client certs. We will deploy sharkey-client to all hosts, and it's automatically issued an x509 client cert.

The primary purpose of this service is to allow us to move to short-lived SSH Host certificates. Instead of issuing a single permanent certificate at host imaging time, we have a client running on every server that's fetching fresh host certificates all the time.

When you say "simply automating the signing of ssh server certs", what differences do you mean from this? Because that's what this is -- automating the signing of ssh server certs.

Your last sentence is pretty much spot on: We use x509 everywhere, but want to use stock SSH. We also didn't use our existing secrets distribution because we wanted to decouple SSH from the rest of our infrastructure.
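The short-lived host-certificate scheme described in the comments above, as an added example that is not sharkey's or Keywhiz's code: it encodes a constructed OpenSSH ed25519 host certificate (placeholder key, CA key and signature; field layout from the OpenSSH certificate format), reads its validity window back, and applies the renewal rule a per-host client would use. The one-hour renewal lead time and the hostname check are assumptions, not anything sharkey documents.

```python
import struct
# RFC 4251 "string": uint32 big-endian length followed by the bytes.
def _s(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def build_host_cert(key_id: bytes, principals: list, valid_after: int, valid_before: int) -> bytes:
    """Constructed sample ssh-ed25519 host certificate; key, CA key and signature are placeholders."""
    return (_s(b"ssh-ed25519-cert-v01@openssh.com")
            + _s(b"\x00" * 32)                          # nonce
            + _s(b"\x11" * 32)                          # host public key (placeholder bytes)
            + struct.pack(">Q", 1)                      # serial
            + struct.pack(">I", 2)                      # type: 2 = host certificate, 1 = user
            + _s(key_id)
            + _s(b"".join(_s(p) for p in principals))   # valid principals, each an RFC 4251 string
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"")               # critical options, extensions, reserved
            + _s(b"placeholder-ca-key") + _s(b"placeholder-signature"))

def parse_host_cert(blob: bytes) -> dict:
    """Walk the certificate fields up to the validity window (the signature is not verified here)."""
    pos = 0
    def rd_s() -> bytes:
        nonlocal pos
        n = struct.unpack_from(">I", blob, pos)[0]
        pos += 4
        v = blob[pos:pos + n]
        pos += n
        return v
    def rd_u(fmt: str) -> int:
        nonlocal pos
        v = struct.unpack_from(fmt, blob, pos)[0]
        pos += struct.calcsize(fmt)
        return v
    cert_type = rd_s().decode()
    rd_s(); rd_s()                                      # nonce, public key: skipped
    serial, ctype, key_id = rd_u(">Q"), rd_u(">I"), rd_s().decode()
    princ_blob, principals, q = rd_s(), [], 0
    while q < len(princ_blob):                          # nested list of principal strings
        n = struct.unpack_from(">I", princ_blob, q)[0]
        principals.append(princ_blob[q + 4:q + 4 + n].decode())
        q += 4 + n
    valid_after, valid_before = rd_u(">Q"), rd_u(">Q")
    return {"cert_type": cert_type, "serial": serial, "type": ctype, "key_id": key_id,
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def needs_renewal(cert: dict, hostname: str, now: int, lead_seconds: int = 3600) -> bool:
    """Assumed client rule: refetch if not a host cert for this host, not yet valid, or expiring soon."""
    return (cert["type"] != 2 or hostname not in cert["principals"]
            or now < cert["valid_after"] or now >= cert["valid_before"] - lead_seconds)
```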

Square [https://squareup.com/careers] | INTERNS, FULLTIME, VISA, ONSITE | San Francisco, New York & other cities.

I'm an engineer on the infosec team and if you are interested in any aspect of security (from hardware/low level stuff to backend infrastructure, writing secure web applications, Android/iOS, etc.) you should consider talking to us! We do have open positions in other teams too.

Some of the things we build get open sourced, for example: https://github.com/square/keywhiz, https://github.com/square/go-jose, https://github.com/square/js-jose, etc.

Feel free to ask me any questions (email in my profile).