From e7cd3afe17ada16c495d099e3055fc8e0eb3b7b7 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Fri, 2 Jul 2021 09:55:58 -0400
Subject: [PATCH] some words about key locations

---
 morph/README.rst | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/morph/README.rst b/morph/README.rst
index f4392611..96d03eb3 100644
--- a/morph/README.rst
+++ b/morph/README.rst
@@ -59,6 +59,9 @@ An exception is the ``private-keys`` directory in the ``local`` morph grid:
 That directory is fully populated, provided as an example, and mostly: not very secret.
 Do not deploy these keys to machines reachable via the internet.
 
+Strictly speaking,
+this path is configurable in the grid's ``config.json`` but all three grids currently use this name.
+
 public-keys
 ~~~~~~~~~~~
 
@@ -67,6 +70,29 @@ This must be created and populated before the grid can be built or deployed.
 This directory contains any public key material necessary for operation of the grid.
 This includes the public keys corresponding to any private keys held in ``private-keys``.
 
+As for ``private-keys``,
+this path can be configured in the grid's ``config.json``.
+
+Star-crossed Keys
+^^^^^^^^^^^^^^^^^
+
+Where the system uses keypairs,
+the public and private parts of those keypairs are stored in different locations
+(``public-keys`` and ``private-keys`` mentioned above).
+This somewhat complicates key management because any key rotation involves changing key material in two location instead of just one.
+
+This complication is balanced against a specific operational goal:
+that our build systems operate without copies of our private keys.
+Our system configurations do currently have build-time dependencies on public keys.
+
+Splitting public keys and private keys across two different storage locations provides a simple mechanism for providing build systems with the public keys but withholding the private keys.
+
+In the future we may:
+* be sufficiently confident in the security of our build systems to let them have our private keys; or
+* remove the dependency upon public keys from the build process.
+
+Either of these directions would let us re-unify public/private-key storage and remove this complication.
+
 config.json
 ~~~~~~~~~~~
 
-- 
GitLab