Hacker News
by mtsmith85 4081 days ago
Coincidentally Coda Hale's sneaker (https://github.com/codahale/sneaker) just popped up in my Twitter feed earlier. Sneaker stores the secrets on S3. Keywhiz stores the secrets in a central database and then ephemerally on the client servers. I guess if you started with something like sneaker on AWS using Amazon's KMS you could then move to Keywhiz if you eventually moved out of AWS.
2 comments

I appreciate that you posted this. My first thought when seeing this was "Why all the fancywork when we can just use S3?"

Keywhiz uses KMS to encrypt config data and then puts it in DynamoDB. This means that access to Keywhiz-managed keys is ultimately mediated by access rules around who has access to the KMS key used to encrypt the secret.

With an S3-based solution, either Amazon can manage the keys for you and you use IAM Roles to mediate access (which I find to be a cleaner solution, personally, though open to other perspectives), or you can use KMS keys in S3 and then we're back to access being mediated by KMS keys, plus IAM roles, but without a DynamoDB table to manage or pay for (i.e. S3 will be super cheap b/c secrets occupy so little space).

I still appreciated the OP's intro to KMS, which I found insightful.
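The "KMS keys in S3" model the comment above describes, written out as an added Terraform example (this is not code from Sneaker, Keywhiz, or anyone in the thread). Bucket name, key description, role name and region are assumed placeholders. The point it makes concrete is that a reader has to pass two independent gates, the S3 object permission and the KMS key policy, and that the bucket policy can refuse to store anything not encrypted under that key:

```hcl
# Added example, not part of the original page. All names are assumptions.
provider "aws" {
  region = "us-east-1" # assumed
}

data "aws_caller_identity" "current" {}

# The role the application instances run as (assumed name).
resource "aws_iam_role" "app" {
  name = "example-app"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Gate 1: the KMS key policy. Only the app role may Decrypt, and only when the
# call is made on its behalf by S3 (kms:ViaService), so the role cannot use the
# key to unwrap ciphertext it obtained some other way.
resource "aws_kms_key" "secrets" {
  description = "Master key for secrets stored in S3 (assumed)"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AccountAdmin"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "AppMayDecryptViaS3Only"
        Effect    = "Allow"
        Principal = { AWS = aws_iam_role.app.arn }
        Action    = ["kms:Decrypt"]
        Resource  = "*"
        Condition = {
          StringEquals = { "kms:ViaService" = "s3.us-east-1.amazonaws.com" }
        }
      }
    ]
  })
}

resource "aws_s3_bucket" "secrets" {
  bucket = "example-secrets" # assumed, must be globally unique
}

# Gate 2: the role's own IAM policy. It needs both the object read and the
# key use; removing either statement alone is enough to block reads.
resource "aws_iam_role_policy" "app_read_secrets" {
  role = aws_iam_role.app.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["s3:GetObject"]
        Resource = "${aws_s3_bucket.secrets.arn}/prod/*"
      },
      {
        Effect   = "Allow"
        Action   = ["kms:Decrypt"]
        Resource = aws_kms_key.secrets.arn
      }
    ]
  })
}

# Bucket policy: refuse any PutObject that is not encrypted under this key.
# StringNotEquals also matches when the header is absent, so plaintext and
# SSE-S3 uploads are denied along with uploads under some other KMS key.
# Writers (deploy tooling, not this role) additionally need kms:GenerateDataKey.
resource "aws_s3_bucket_policy" "require_kms" {
  bucket = aws_s3_bucket.secrets.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyObjectsNotEncryptedWithSecretsKey"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:PutObject"
      Resource  = "${aws_s3_bucket.secrets.arn}/*"
      Condition = {
        StringNotEquals = {
          "s3:x-amz-server-side-encryption-aws-kms-key-id" = aws_kms_key.secrets.arn
        }
      }
    }]
  })
}
```

The contrast with the "Amazon manages the keys for you" (SSE-S3) variant is that there the second gate disappears: whoever can `s3:GetObject` gets plaintext, and the only control surface is IAM. With SSE-KMS, CloudTrail records the `Decrypt` call against the key as well as the S3 read, and the key policy keeps working even if someone later widens the bucket ACL.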

You'd probably still want to use Sneaker until you were massive, even if you moved out of AWS. S3 provided tremendous value for its cost (3 cents/month/GB for storage, and requests are cheap as well) compared to EC2.
Though the sneaker page makes it very clear that it's not ready for production use.
I don't think "Keywhiz should be considered alpha at this point" really screams production ready, either. For me, the Sneaker README's detailed enumeration of which threat models had been thought over really helped inspire confidence, as did the acknowledgement that no professional cryptographers had evaluated its soundness (most people just ignore this idea and rampage onwards unencumbered by reality). I believe that both are probably better than storing plaintext keys and passwords at rest in Git or on developer machines.