Research Spike: Notary Key Management
Purpose
We need to define our strategy for Notary Key management in the context of Vault. Right now, we have the resources available to us to complete the implementation of Notary in the pipeline, but there are still a number of key architectural decisions we need to make.
Questions to answer
- How do we handle the initial generation of the CSR that we pass off to the Vault PKI team? We need to ensure the key behind it remains secure, isn't left sitting on someone's workstation, and is only ever usable by people who NEED to use it.
- How do we retrieve the delegation keys from Vault at pipeline runtime?
  - This involves obtaining a Vault Key for use in the pipeline and network connectivity to the Vault cluster
- How do we provide Notary GUN initializers (container approvers?) with access to the root key when we add a new vendor/product/container?
- How do we handle target keys in light of Vault? Do we just use the same target key repeatedly and store it in Vault?
Blockers to implementation
- We currently don't have API access to Vault
- We currently don't have any networking set up at all between us and Vault
- Currently CSRs are provided via Jira ticket. That means someone has to generate a root key on their machine to produce the CSR to submit. We don't want that.
Edited by Tim Seagren