The setup process is a bit cumbersome, especially regarding key management (there are of course very good reasons it is). I was wondering if it would be possible to use pre-shared keys instead, maybe using TLS-PSK, where you just generate one shared key and upload it to all the nodes and clients?
Yes, you can generate two shared keys (one for nodes and one for clients) and reuse them if you want. The one catch is that the node certificate must contain the hostnames or IP addresses of all the nodes. The easiest way to do this is with DNS aliases:
cockroach cert create-node --certs-dir=certs --ca-key=ca.key node1.something node2.something node3.something node4.something...
Fill in more node host names than you’ll need, and then you can assign those DNS aliases to new nodes as you add them.
This has some security downsides, mainly that if the shared key gets out of your control you’ll have to replace all your keys at once. However, since we don’t yet have support for certificate revocation, this is only a theoretical concern at the moment.
Additionally, since you’ll be storing and copying the shared keys somewhere, you’ll have to be very careful with the security of that storage and make sure that you only copy the keys to the right places. (This is similar to the security needs of the CA key and the process for signing new certificates if you’re following the per-node key model, though).
Note that TLS-PSK refers to something a bit different. It’s a different key exchange protocol for symmetric keys. We don’t support that, so here we’re using the regular TLS key exchange protocol with keys that happen to be reused.
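The "one catch" above, that the shared node certificate must list every node's hostname or IP, is easy to verify before a new node is brought up. The following is an added example, not code from the thread or from CockroachDB: it parses the subjectAltName text that a tool such as `openssl x509 -noout -ext subjectAltName` prints for the shared node certificate and reports which planned node addresses the certificate does not cover. The SAN sample and hostnames are constructed; wildcard handling (leftmost label only) is included as an assumption about how TLS name matching generally works, not something the thread states.

```python
import ipaddress
import re

# Constructed sample of the SAN extension text for a shared node certificate
# created with several DNS aliases (hypothetical names, not from a real cert).
SAMPLE_SAN = (
    "X509v3 Subject Alternative Name: \n"
    "    DNS:node1.something, DNS:node2.something, DNS:node3.something, "
    "DNS:node4.something, DNS:localhost, IP Address:127.0.0.1"
)


def parse_san(text):
    """Return (dns_names, ip_addresses) parsed from openssl's SAN text."""
    dns, ips = set(), set()
    for kind, value in re.findall(r"(DNS|IP Address):([^,\s]+)", text):
        if kind == "DNS":
            dns.add(value.lower().rstrip("."))   # DNS names are case-insensitive
        else:
            ips.add(ipaddress.ip_address(value))
    return dns, ips


def _dns_matches(name, pattern):
    """Exact match, or a wildcard that replaces only the leftmost label (assumed RFC 6125 behaviour)."""
    if pattern == name:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".something"
        return name.endswith(suffix) and "." not in name[: -len(suffix)]
    return False


def covered_address(addr, dns, ips):
    """True if a hostname or IP literal is covered by the certificate's SANs."""
    try:
        return ipaddress.ip_address(addr) in ips  # IP literals must appear as IP SANs
    except ValueError:
        pass                                      # not an IP, treat as a hostname
    name = addr.lower().rstrip(".")
    return any(_dns_matches(name, p) for p in dns)


def uncovered_nodes(planned, san_text):
    """Planned node addresses the shared certificate does NOT cover, in input order."""
    dns, ips = parse_san(san_text)
    return [a for a in planned if not covered_address(a, dns, ips)]


if __name__ == "__main__":
    # Any address listed here needs a regenerated shared certificate before use.
    print(uncovered_nodes(["node1.something", "node5.something", "10.0.0.5"], SAMPLE_SAN))
```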
Thanks, that's an interesting solution. You still have to manage a CA and node names (kind of) though. What I understood of TLS-PSK is that you just have one key that you put everywhere, as if you distributed the CA key on all nodes and let them manage certificates.
But I think your approach of having one clear and complete secure mode and one clear insecure mode is the right one.