Group encryption


An approach for sharing a vault across a team would be:

ssh-vault is not properly designed for group/broadcast encryption, therefore, this approach may not be the best depending on your security requirements.

Have each group member own a public/private key pair.

Make a new group key pair and send it to each member within a vault.

    ssh-keygen -t rsa -b 4096 -C "[email protected]"

Send the key pair to each member in a secure way:

    cat group_keys | ssh-vault -u alice create vault.ssh
    cat group_keys | ssh-vault -u bob create vault.ssh
    ...

To add a group member, send the key pair in a vault to it:

    cat /group/keys | ssh-vault -u newb create vault.ssh

To remove a group member, a new group key pair K need to be created and resend to the remaining group members.

comments powered by Disqus