bob1029 17 hours ago

I'd consider storing (generating) them in AWS KMS. It's $1/key/month and you don't have to worry about hardware failures, etc. Each key must have a separate policy attached which controls who it can be used by and how. It is possible to create keys the root account cannot touch. If you have anything running on EC2, it's an extremely compelling option because you can authenticate directly via IMDSv2 tokens and IAM roles, avoiding the need for any kind of secret strings.

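To make the comment's "separate policy attached" and "keys the root account cannot touch" concrete, here is an added example of a KMS key policy (not from the commenter, constructed for this thread). It assumes a placeholder account ID 111122223333 and two hypothetical roles: KeyAdminRole may manage the key but never use it for crypto, and AppInstanceRole (the EC2 instance role) may only encrypt and decrypt, and only with a matching encryption context; the account root principal is deliberately absent, so root can neither use nor administer the key.

```json
{
  "Version": "2012-10-17",
  "Id": "example-app-key-policy",
  "Statement": [
    {
      "Sid": "KeyAdministrationOnlyByKeyAdminRole",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/KeyAdminRole" },
      "Action": [
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:PutKeyPolicy",
        "kms:EnableKeyRotation",
        "kms:DisableKey",
        "kms:EnableKey",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion",
        "kms:TagResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CryptoUseOnlyByAppInstanceRole",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/AppInstanceRole" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:EncryptionContext:app": "example-app" }
      }
    }
  ]
}
```

Because no root principal is listed, AWS cannot hand the key back to the account if KeyAdminRole is ever deleted (the documented "unmanageable key" case), so this pattern should be paired with a break-glass admin role and CloudTrail alerting on kms:PutKeyPolicy and kms:ScheduleKeyDeletion.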
palata 16 hours ago | parent [-]

Not sure I get that. If you generate it "in the cloud", doesn't it mean that someone else (the cloud) has access to it?

bob1029 16 hours ago | parent [-]

It really depends on what you are trying to optimize for.

If you are doing something illegal or controversial with the key, then yes it would be foolish to store it in the cloud.

If your main concern is it becoming compromised due to a local exploit or physical breach, then I'd argue it is a strong option.

palata 15 hours ago | parent [-]

> If you are doing something illegal or controversial with the key, then yes it would be foolish to store it in the cloud.

"Not trusting a private company" does not equate to "doing something illegal or controversial", though.