by jnwatson 869 days ago
Rolling your own key management system is not to be taken lightly. I've done it, and you really, really only want to do it when you really know other systems won't work.
1 comments

Yeah, but this isn't rolling your own key management system. This is the stupid-simple "every machine/program has the same shared secret" approach.

The difficulty is securing comms between components (assuming they can reach each other, just making sure that the payloads are secret) and making sure you don't leak secrets unintentionally (forgetting nonces) and all the other hard crypto things.

But, it's not impossible to make a reasonable-to-use fallback system that does this, just no one does because of fear of being mocked for not just accepting the pain and bad ergonomics of TLS.

Other systems do work, but they have the footguns mentioned in the article that everyone seems to hit.