Knox: Dealing with Secrets at Scale

Presented at THOTCON 0x7 (2016), May 6, 2016, noon (50 minutes)

Key management is a fundamental piece of security infrastructure. As companies scale, the number of distinct API secrets, cryptographic keys, passwords, and other secret values grows at an increasing rate. These secrets need to be stored in a way that provides confidentiality and integrity, and that developers can understand and use. Additionally, in any organization, breaches will happen and secrets will need to be changed and rotated, yet mechanisms for proper cryptographic rotation (such as the one built into keyczar) are generally unsupported. Knox is the first open source project that combines these two important pieces of functionality into one system. It also provides strong operability and ease of use for developers. During the presentation we will compare Knox to existing solutions for storing keys and secrets, including Vault and Keywhiz. Knox is a service built by and used at Pinterest. It provides confidentiality and integrity for secrets and fits into a microservice systems architecture. It also provides important best practices for handling failure, such as rotation capabilities for all keys and better operability features. Knox will be open-sourced in early 2016.
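The abstract contrasts ad hoc secret replacement with the staged cryptographic rotation that keyczar supports. The following is an added example, not code from Knox, keyczar, or the talk: a versioned key ring in which exactly one version is primary (used for all new operations), older versions stay active (still accepted) until everything issued under them has been reissued, and only then are marked inactive. The Primary/Active/Inactive state model, the use of HMAC-SHA256 signing keys as the secret being rotated, and the 8-byte version-id header on each tag are this example's own assumptions; the abstract does not describe Knox's actual rotation states or wire format.

```python
"""Versioned key ring with staged rotation (keyczar-style states, assumed)."""
import hashlib
import hmac
import os
import struct
from enum import Enum


class Status(Enum):
    PRIMARY = "primary"    # used for every new signature; exactly one per key
    ACTIVE = "active"      # accepted for verification, never chosen for signing
    INACTIVE = "inactive"  # retired; tags under it are refused


class InactiveVersion(Exception):
    """The tag names a version that has been retired."""


class Key:
    """One logical secret holding a ring of versions, so rotation is staged
    (add, promote, deactivate) rather than flipped in one breaking step."""

    HEADER = struct.Struct(">Q")  # 8-byte big-endian version id prefix on every tag

    def __init__(self):
        self.versions = {}   # id -> {"status": Status, "key": bytes}
        self.primary_id = 0  # 0 means no primary yet

    def add_version(self):
        """Mint fresh material as ACTIVE so verifiers can fetch it before any
        signer uses it; it becomes PRIMARY only if the key has none yet."""
        vid = len(self.versions) + 1
        self.versions[vid] = {"status": Status.ACTIVE, "key": os.urandom(32)}
        if self.primary_id == 0:
            self.versions[vid]["status"] = Status.PRIMARY
            self.primary_id = vid
        return vid

    def promote(self, vid):
        """Make vid PRIMARY; the old primary drops to ACTIVE so tags already
        issued under it keep verifying until they are reissued."""
        v = self.versions.get(vid)
        if v is None or v["status"] is Status.INACTIVE:
            raise ValueError("version unknown or inactive")
        if self.primary_id in self.versions:
            self.versions[self.primary_id]["status"] = Status.ACTIVE
        v["status"], self.primary_id = Status.PRIMARY, vid

    def deactivate(self, vid):
        """Retire a version; the PRIMARY must be replaced first."""
        v = self.versions.get(vid)
        if v is None or vid == self.primary_id:
            raise ValueError("version unknown or still primary")
        v["status"] = Status.INACTIVE

    @staticmethod
    def _mac(key, header, msg):
        # The version id is covered by the MAC, so a header rewritten to name
        # another version fails verification instead of being honoured.
        return hmac.new(key, header + msg, hashlib.sha256).digest()

    def sign(self, msg):
        """Tag format (this example's own): 8-byte version id || HMAC-SHA256."""
        if self.primary_id not in self.versions:
            raise ValueError("no primary version")
        header = self.HEADER.pack(self.primary_id)
        return header + self._mac(self.versions[self.primary_id]["key"], header, msg)

    def verify(self, msg, tag):
        """Verify against the version the tag names; INACTIVE is refused."""
        if len(tag) != 8 + 32:
            return False
        header, digest = tag[:8], tag[8:]
        v = self.versions.get(self.HEADER.unpack(header)[0])
        if v is None:
            return False
        if v["status"] is Status.INACTIVE:
            raise InactiveVersion("tag uses a retired key version")
        return hmac.compare_digest(self._mac(v["key"], header, msg), digest)


def version_id(tag):
    """Which version a tag names (from its header)."""
    return Key.HEADER.unpack(tag[:8])[0]


def rotation_walkthrough():
    """Run a staged rotation end to end and report what each step observed."""
    k = Key()
    v1 = k.add_version()
    tag = k.sign(b"session:42")
    v2 = k.add_version()                        # 1. stage new material (ACTIVE)
    staged_before_use = version_id(k.sign(b"x")) == v1
    k.promote(v2)                               # 2. cut over: new tags use v2
    old_tag_ok = k.verify(b"session:42", tag)   # v1 is ACTIVE, so still valid
    k.deactivate(v1)                            # 3. retire v1 once old tags are reissued
    try:
        k.verify(b"session:42", tag)
        old_tag_refused = False
    except InactiveVersion:
        old_tag_refused = True
    return {"staged_before_use": staged_before_use, "old_tag_ok": old_tag_ok,
            "old_tag_refused": old_tag_refused, "signs_with": version_id(k.sign(b"y"))}


if __name__ == "__main__":
    print(rotation_walkthrough())
```

The three-step shape (add, promote, deactivate) is what makes rotation safe under failure: a freshly added version is distributed to every consumer before any producer uses it, and the old version is only retired once nothing still depends on it, so a rollback at any step leaves every consumer able to verify what it is handed.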


  • Devin Lundberg
    Application Security Engineer @ Pinterest. Previously researched aircraft security @ UCSD. Contributor to keyczar.

