
There are many configuration management software options nowadays (Chef, Puppet, CFEngine, Ansible...) which offer an architecture with their repository on a central server and clients communicating with the server using TCP/IP. This kind of architecture requires the whole network of clients to be able to communicate with the server and exposes the server to threats as it is a very promising target for any attacker.

As I understand it, the mentioned tools have a capability of signing the configuration items using private key cryptography. However the signing keys are server's keys and they are stored on the server. If the configuration management server gets compromised the whole network can be considered compromised.

Is there a way to avoid the risk of an equation compromised server=the whole network compromised?

What comes to my mind is signing the configuration prior to uploading it to the server by a personal private key. Every administrator would have his own.

Does any common configuration management solutions offer such a functionality or is there a different way to mitigate the risk mentioned above?

Fedor Piecka

1 Answer


What comes to my mind is signing the configuration prior to uploading it to the server by a personal private key. Every administrator would have his own.

This is essentially what secrets-at-rest style solutions do (see the list at the bottom), but they normally run on the master. Thomas A. Limoncelli basically argues that, yes, the master is still the SPOF with regards to the secrets, but if you have root access to that box to get the codes in the first place, you're already pretty stuffed: you could just use the master to do whatever you wanted anyway.

However, with a bit of tooling, you could modify your configuration management code so it decrypts the secrets during every tool run with a passwordless trusted GPG key or similar.

With Puppet there's also node_encrypt, which encrypts based on the agent's certificate. I'm sure there are similar solutions for other tools.

Daniel Somerfield has a really good talk about this called "Turtles all the way down" summarising the different tooling, with follow-up example code and a review of the different methods.

List of various secrets at rest solutions

Peter Souter
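The per-administrator signing the question proposes, shown as an added Go example that is not from this thread or from any of the tools named: every client carries a trust store of administrator public keys distributed out of band, and verifies each configuration against it before applying, so a key held only on the central server cannot satisfy the check. The names (TrustStore, SignedConfig, Sign, Verify) and the sample config line are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Trusted administrator public keys, distributed to every client out of band
// (e.g. baked into the client image), never fetched from the config server.
type TrustStore map[string]ed25519.PublicKey

// SignedConfig is what an administrator uploads to the server: the config
// bytes, the signing admin's identity and the detached signature.
type SignedConfig struct {
	Admin     string
	Config    []byte
	Signature []byte
}

// Sign runs on the administrator's workstation with their personal key.
func Sign(admin string, priv ed25519.PrivateKey, config []byte) SignedConfig {
	return SignedConfig{Admin: admin, Config: config, Signature: ed25519.Sign(priv, config)}
}

// Verify runs on the client before it applies anything downloaded from the
// server. The server holds no key that can satisfy this check.
func Verify(ts TrustStore, sc SignedConfig) error {
	pub, ok := ts[sc.Admin]
	if !ok {
		return errors.New("unknown signer: " + sc.Admin)
	}
	if !ed25519.Verify(pub, sc.Config, sc.Signature) {
		return errors.New("signature does not match config")
	}
	return nil
}

func main() {
	// Constructed demo: one admin key, plus a server key that is NOT trusted.
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, serverPriv, _ := ed25519.GenerateKey(rand.Reader)
	ts := TrustStore{"alice": adminPub}
	cfg := []byte("sshd: PermitRootLogin no\n")
	fmt.Println("admin-signed:", Verify(ts, Sign("alice", adminPriv, cfg)))
	// A compromised server re-signing a modified config is rejected.
	tampered := Sign("alice", serverPriv, []byte("sshd: PermitRootLogin yes\n"))
	fmt.Println("server-signed:", Verify(ts, tampered))
}
```

Key rotation and revocation then become a client-side trust-store update rather than a server-side change, which is the property the question is after.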