Security: manual installation and self-signed keys

I think the perspective on installing software has changed quite a bit in the industry. Manual setup - especially for something complex like a cluster - is considered not only too time-consuming, but also insecure. It’s fine for testing things out, but in production you want your infrastructure to be immutable, meaning that if it breaks or is compromised, you don’t fix it, you re-create it from scratch. And you don’t depend on manual steps, as they are not repeatable and prone to social hacking.

In that vein there is work to be done in CockroachDB with respect to installing a secure cluster. It must be possible to use industry-standard certificates from Letsencrypt and other CAs, which will remove the need for generating a custom CA key and certificate that must be safeguarded and can’t be integrated in an automated workflow.

Obviously, this is just my opinion and not a rule of the universe. So I welcome differing opinions and arguments why the status quo is secure enough for production.

Ulrich


We absolutely agree that in the long run, people won’t be deploying CockroachDB clusters manually. They’ll be using tools like Kubernetes, Puppet, NixOps, Terraform, etc. But manual deployment is the basis on which all those other integrations are built and must come first. Some of these deployment options have integrated CAs; for others the solution may be to run something like Vault. This is an evolutionary process in which both Cockroach Labs and members of the community will work to establish best practices for deploying CockroachDB in different environments.

Note that Letsencrypt is not the solution here: Letsencrypt is a CA designed to issue certificates for public user-facing servers, but your database should generally be behind a firewall. The solution might be an internal version of Letsencrypt using the same software and protocols, but not Letsencrypt itself.

Letsencrypt is explicitly meant for intranet sites as well. That is the reason why they introduced challenges that do not need to penetrate a corporate firewall, such as the DNS challenge. Their position is that you should adhere to the same security practices inside your own network (which might have internal attackers) as outside.

Proprietary CAs and self-signed keys appear to me to be a workaround used if “real” ones cannot be sensibly obtained. That certainly was the case for many years, when certificates were expensive and you could not automatically acquire and renew them - a no-go for intranets with potentially hundreds of hosts.

Ulrich
