How to create a public key store for microservices?

I implemented a set of microservices in a Docker environment, and these services communicate with each other using JWT tokens. When service A calls service B:

  1. Service A signs the token using its private key and passes it to service B.
  2. Service B gets the public key of Service A from a public key store and verifies the token.

The public/private key generation is done by the microservices themselves, and they then pass the public key to the public key store. So the only things the public key store has to do are:

  1. Store the public keys sent by services.
  2. Send the correct public key to services on request.

What I am going to do is similar to what is shown in this diagram.

I got the above image from: https://www.youtube.com/watch?v=dBdZrw2pPvc&t=462s

So my problem is: are there any standard implementations of this kind of public key store? If so, what are they?

Sameera Kumarasingha asked Dec 23 '22 20:12

2 Answers

Disclosure: I am the CTO of Conjur.

Consider the workflow:

  1. A container of Service A starts up.
  2. It generates a new key pair.
  3. It submits the public key to the public key store.
  4. The public key store receives the public key.
  5. The public key store associates the public key that it has received with the identity "service-a".
  6. Service A signs a request to Service B.
  7. Service B asks the key store for the known public key(s) of Service A.
  8. The key store provides the public key(s).
  9. Service B verifies the signature matches one of the keys.

The public key store must be sure to:

  • Store the public keys in a tamper-proof way.
  • Associate each public key to a service identity in a way that is also tamper-proof.
  • Provide some way for administrators to manipulate the key store (e.g. deroll keys of dead containers).
  • Keep an audit record of everything that's happened.

But there's also another bit that is pretty hard. In step (5), when the key store receives the key for Service A, it needs to verify that the key is actually coming from Service A, and not from an imposter. In other words, it has to authenticate the request.

How you do this depends on the details of your infrastructure. If you are using raw Docker (as opposed to say, Kubernetes), you can use an agent on the server to correlate the IP address of the container to the container list (docker ps) on the machine. This will tell you the image of the container, which should tell you the identity of the service.

There is a lot of subtlety to this problem, and the solution is somewhat different for each container environment.

kgilpin answered Dec 28 '22 09:12

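The nine-step workflow above (and the two-step flow in the question) in working form, as an added example; this is not code from the question, the answer, or Conjur. It uses only the Go standard library: each service generates an Ed25519 key pair at start-up, the store binds public keys to a service identity, keeps an audit log and lets an administrator deroll keys, and a minimal EdDSA compact JWS is signed and verified. The hard part the answer points out, authenticating the registering container, is modelled by an `authenticated` parameter that the platform (docker-ps correlation or equivalent) is assumed to have established before `Register` is called; the identities `service-a` and `service-x` are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// KeyStore maps each service identity to the public keys it has registered and
// keeps an append-only audit log of every registration, rejection and removal.
type KeyStore struct {
	keys  map[string][]ed25519.PublicKey
	audit []string
}

func NewKeyStore() *KeyStore {
	return &KeyStore{keys: make(map[string][]ed25519.PublicKey)}
}

func (s *KeyStore) log(format string, args ...interface{}) {
	s.audit = append(s.audit, time.Now().UTC().Format(time.RFC3339)+" "+fmt.Sprintf(format, args...))
}

// Register binds pub to the identity a container claims (steps 3-5). authenticated is
// the identity the platform has already vouched for (assumed to be established before
// this call); a claim that does not match it is refused and logged.
func (s *KeyStore) Register(authenticated, claimed string, pub ed25519.PublicKey) error {
	if authenticated != claimed {
		s.log("REJECT registration for %q by caller authenticated as %q", claimed, authenticated)
		return errors.New("claimed identity does not match authenticated identity")
	}
	s.keys[claimed] = append(s.keys[claimed], pub)
	s.log("REGISTER key for %q (%d key(s) now known)", claimed, len(s.keys[claimed]))
	return nil
}

// Deroll removes every key of an identity, e.g. for a dead container.
func (s *KeyStore) Deroll(identity string) {
	delete(s.keys, identity)
	s.log("DEROLL all keys for %q", identity)
}

// Lookup returns the known public keys of an identity (steps 7-8).
func (s *KeyStore) Lookup(identity string) []ed25519.PublicKey { return s.keys[identity] }

// Audit returns a copy of the audit trail.
func (s *KeyStore) Audit() []string { return append([]string(nil), s.audit...) }

// NewServiceKeys is what a container does at start-up (step 2).
func NewServiceKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces a compact JWS (header.claims.signature), alg EdDSA, iss = issuer (step 6).
func Sign(priv ed25519.PrivateKey, issuer string) (string, error) {
	claims, err := json.Marshal(map[string]interface{}{"iss": issuer, "iat": time.Now().Unix()})
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(claims)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input))), nil
}

// Verify checks a token against the store (steps 7-9) and returns the proven issuer.
// The still-unverified iss claim only selects which identity's keys to try; the identity
// is trusted only once one of those keys verifies the signature. The alg header is pinned
// to EdDSA so a token cannot steer the verifier onto a weaker or symmetric algorithm.
func Verify(store *KeyStore, token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	var header struct{ Alg string `json:"alg"` }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &header) != nil || header.Alg != "EdDSA" {
		return "", errors.New("malformed header or unsupported alg")
	}
	var claims struct{ Iss string `json:"iss"` }
	if cb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(cb, &claims) != nil || claims.Iss == "" {
		return "", errors.New("malformed claims or missing iss")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return "", errors.New("malformed signature")
	}
	for _, pub := range store.Lookup(claims.Iss) {
		if ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
			return claims.Iss, nil
		}
	}
	return "", fmt.Errorf("no registered key of %q signed this token", claims.Iss)
}
```

Two design points worth noticing: `Register` never lets the caller decide its own identity (the claimed name must equal what the platform authenticated, otherwise an impostor container could bind its key to `service-a`), and `Verify` reads `iss` before checking the signature but uses it only to choose candidate keys, so a forged token naming `service-a` fails because none of A's registered keys produced the signature.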

If security is not important:

  • Redis: https://redis.io/
  • Consul: https://www.consul.io/
  • Etcd: https://coreos.com/etcd
  • Zookeeper: https://zookeeper.apache.org/

If security is important:

  • Vault: https://www.vaultproject.io/
  • Conjur: https://www.conjur.com/
  • Thycotic: https://thycotic.com/
  • Docker Secrets: https://docs.docker.com/engine/swarm/secrets/

Honestly there are a bunch more options, but these are some of the most famous and vetted by the DevOps community.

Matt Schuchard answered Dec 28 '22 09:12