Automated Key Rotations In a Continuous Deployment Pipeline

This is a bachelor's thesis from

Abstract:

Background. To the best of our knowledge, there is no related work that addresses key management in Continuous Deployment. Most of the previous research in the area deals with the challenges of continuous methods and how to apply them.

Objectives. The goal of this research was to determine how automated key rotation can be applied to improve the security of a Continuous Deployment pipeline. We also wanted to compare a manual way of rotating the keys with an automated way. By comparing these scenarios with a scenario where no key rotation was active, we hoped to reach a conclusion on whether it is worth implementing automated key rotations in a CDE pipeline or not.

Methods. By configuring tools such as GitLab, GitLab-Runner and Vagrant, we created a working test pipeline. Since manual key rotation can be performed in the CDE pipeline, the goal was to create a script that automates the same process. In our tests we focused on the keys between GitLab and GitLab-Runner. The tests compared three scenarios: a pipeline with no key rotation, with manual key rotation, and with automated key rotation. The three scenarios were compared on 7 factors to help us reach a conclusion on whether automated key rotations were worth applying as a way to improve the security of a CDE pipeline.

Results. With the help of tools such as cURL and sshpass, we managed to automate the key rotation. When we measured the three processes (no, manual and automated key rotation), the automated process had an average run time of 1.6 seconds and an average server downtime of 1.14 seconds. Its run time is 70 times faster than that of the manual key rotation, and its average server downtime is 5 times lower.

Conclusions. We concluded that it is possible to use key rotation while keeping the CDE process fully automated. It makes the process safer but also has the side effect of server downtime.
