As another point of reference, an HTTP load balancer that Mailgun built and uses, called vulcan[1], uses secretbox[2] to encrypt secrets into etcd. There are no good docs on how to use this in practice with vulcanctl so I will need to ask them to document that :)

[1] https://github.com/mailgun/vulcand

[2] http://godoc.org/code.google.com/p/go.crypto/nacl/secretbox

Awesome project, thanks for sharing.

Looks like it takes a similar approach to the hiera eyaml project (it also encrypts on a per-key basis using gpg), which I've found to be really nice to work with in the past (as opposed to other tools that use symmetric encryption or encrypt the entire blob of all secret keys together). Glad to see a tool that does this with etcd and consul; it gives the same benefits without a centralized puppetmaster.

Any plans for clients in other languages? Or if you're not planning to build, would you accept PRs for them?

I had always wondered how these service discovery tools handled the encryption of data you put in them. I guess now I know! :)

Before this was created, were people just doing an encrypt/decrypt on in/out in their application code?