Many services that run in Docker containers need to have highly sensitive secrets installed on them. Examples of this include SSL certificates and API keys. Services like Vault and Keywhiz were developed to manage secrets to central authority, however, most of these secret management services require a secret to be present. This presents a bootstrapping problem. To solve this, CloudFlare created PAL: a new tool for bootstrapping secrets in Docker containers.
PAL (Permissive Action Link, named after a tool used to prevent unauthorized detonation of nuclear devices) works by binding identity secrets to Docker containers and decrypting them at launch time through a service running on the host. Permissions require M of N authorization and are handled through a service called Red October. This allows you to simply and transparently bootstrap service-specific secrets.
In this talk I’ll describe the design and implementation of this service and how we use it at CloudFlare to protect secrets for our billing platform and private key infrastructure. We’ll also briefly discuss our plans to use PAL for password hashing and service authorization.