Marco "Ocramius" Pivetta
@ocramius.mastodon.social.ap.brid.gy
OSS maintainer, Laminas, Mezzio, Roave, previously ZendFramework, Doctrine (ORM) Project.
IT Consultant / software architect for a living.
Daily curse of @nyunyu
[bridged from https://mastodon.social/@ocramius on the fediverse by https://fed.brid.gy/ ]
IT Consultant / software architect for a living.
Daily curse of @nyunyu
[bridged from https://mastodon.social/@ocramius on the fediverse by https://fed.brid.gy/ ]
@emd @jclermont an assignment in a conditional? I think not 😜
November 5, 2025 at 1:55 AM
@emd @jclermont an assignment in a conditional? I think not 😜
I perhaps found a middle-ground in letting the hypervisor provision the keys to be mounted: it ain't pretty, but it allows me to make the entire provisioning completely declarative, without the private keys leaking out to the provisioner
![terraform {
required_providers {
ssh = {
source = "loafoe/ssh"
version = "~> 2.7.0"
}
}
}
variable "key_names" {
type = set(string)
default = ["key1.txt", "key2.txt", "key3.txt"]
}
variable "target_host" {
type = string
}
resource "ssh_resource" "make_key" {
for_each = var.key_names
host = var.target_host
user = "root"
agent = true
timeout = "30s"
commands = [
"age-keygen -o ${each.value} || true",
"age-keygen -y ${each.value} | xargs",
]
}
output "produced_keys" {
value = {
for key, instance in ssh_resource.make_key : key => trim(instance.result, "\n")
}
}](https://cdn.bsky.app/img/feed_thumbnail/plain/did:plc:hoib2uszi3lqjc6qba2q3fnx/bafkreifjidq25zls2usbgl4cosryetrjl676xfdlwwp4awnifx5gqjyvue@jpeg)
November 2, 2025 at 3:30 AM
I perhaps found a middle-ground in letting the hypervisor provision the keys to be mounted: it ain't pretty, but it allows me to make the entire provisioning completely declarative, without the private keys leaking out to the provisioner
But then... if one has access to the hypervisor, they also have access to the VM disks, and can introspect their keys.
That means that sharing the keys with the hypervisor (or not) makes no difference.
Encrypted disks make no sense in a virtualized environment, since the decryption key would […]
That means that sharing the keys with the hypervisor (or not) makes no difference.
Encrypted disks make no sense in a virtualized environment, since the decryption key would […]
Original post on mastodon.social
mastodon.social
November 2, 2025 at 1:30 AM
But then... if one has access to the hypervisor, they also have access to the VM disks, and can introspect their keys.
That means that sharing the keys with the hypervisor (or not) makes no difference.
Encrypted disks make no sense in a virtualized environment, since the decryption key would […]
That means that sharing the keys with the hypervisor (or not) makes no difference.
Encrypted disks make no sense in a virtualized environment, since the decryption key would […]