In a previous post, I described a use case for customer provided keys with Vault. One of the implications of this was the need for decryption after a bulk data export. In that post, I gave a concrete example of decrypting Vault ciphertext directly with a customer provided key. However …
Atomically Idempotent
Recently, I was analyzing some initialization code in Go with a teammate. The value being initialized was meant to be used in concurrent Go, so initialization had some requirement of atomicity. The code essentially boiled down to:
func (t *T) Start() {
if atomic.LoadInt32(&t.State) == Started {
return // Early Exit …Importing External Keys into Vault
Contents
Motivation
To understand why it's helpful to import external keys into Vault, it's important to understand
- How and why encrypted data is stored in databases
- How Vault provides features that aid in encrypting and decrypting data
- Reasons for data …
Fixing the Custom CA Problem in Node.js
TL;DR: Using the
cafield to specify custom CAs (certificate authorities) in Node.js is a footgun. It replaces (rather than appends to) the root trust store which can lead to unintended consequences. I've seen this behavior cause outages in production when a third party server does a routine …
The Node.js CA Footgun
This is a story of a brief outage caused by a slightly unintuitive API1 that has some very sharp corners for the uninitiated. The outage, though brief, was of the "wake up at 4am" variety so the lesson was especially salient.
This is not a post trying to tear …