Need a secure way to prompt a console user for a password

Thanks brolly33 for sharing the new HCL Ideas Portal!

If you are in favor of improving secure action parameters to …

  1. Encrypt once to thousands of machines versus needing to spend root server cycles encrypting the same thing 1000s of times over uniquely for each client (in the client mailbox approach).
  2. Encrypt anything, not just limited to passwords. Think keys, passphrases, files, licenses, etc.
  3. Ability to target groups, not limited to specific individual machines.
  4. Ability to target machines that are not yet created via dynamic groups and policy actions (very helpful in automated build scenarios).

Please vote for this idea!


It would be useful if we had better examples of how to do this. Would be helpful if you could provide any. Any encryption done with a secret that is shared among many possible clients is always going to be less secure than a solution that is endpoint specific, but sometimes that is an acceptable risk. One potential option would be to manage this through site subscription and site files, in which you have access to the decryption key by syncing the site to the endpoint. Ideally even in this case it would be best if there was a hard coded password that was required in addition to the private key file in the site.

You can do a lot with custom use of OpenSSL, but it would also be interesting if there was an easy way to encrypt arbitrary data on the endpoint using the masthead public key such that it could only be decrypted with the root server private key. I’ve looked into this a few times but never really got anywhere.

Another option is encrypt data with the Client public key such that it can only be decrypted with the Client private key.
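The two OpenSSL-based approaches in the reply above (encrypt to a specific endpoint's public key so that only its private key can decrypt, and the weaker shared-secret variant) can be put together as a small hybrid-encryption script. The following is an added example written for this thread, not code from BigFix or from anyone in the discussion. It assumes a PEM RSA keypair per endpoint; the keypair it generates is a constructed stand-in for whatever key the endpoint actually holds, and the file names `client.key`/`client.pub`/`payload.*` are placeholders. Because RSA can only wrap a short message, the arbitrary payload (password, key file, license, etc.) is encrypted with a fresh random AES key, and only that key is wrapped with RSA-OAEP, so the same script covers "anything, not just passwords":

```shell
#!/bin/sh
# Hybrid encryption with the OpenSSL CLI (added example; not BigFix code).
# A payload is encrypted under a one-time AES-256 key, and that key is wrapped
# with RSA-OAEP under the endpoint's public key. Only the holder of the matching
# private key can unwrap the AES key, so a payload for endpoint A is useless to
# endpoint B, unlike a secret shared via a site file.
set -eu

# Constructed demo keypair standing in for an endpoint's own keypair.
#   gen_demo_keypair PRIVATE_OUT PUBLIC_OUT
gen_demo_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
  openssl pkey -in "$1" -pubout -out "$2" 2>/dev/null
}

# Server side: encrypt_for_endpoint PUBKEY PLAINTEXT_FILE OUT_PREFIX
# Produces OUT_PREFIX.bin (AES ciphertext), OUT_PREFIX.iv.hex (IV, not secret)
# and OUT_PREFIX.wrapped (the AES key, RSA-OAEP encrypted to PUBKEY).
encrypt_for_endpoint() {
  pub=$1; plain=$2; out=$3
  openssl rand -hex 32 > "$out.key.hex"          # one-time AES-256 key
  openssl rand -hex 16 > "$out.iv.hex"           # fresh IV for CBC
  openssl enc -aes-256-cbc -K "$(cat "$out.key.hex")" -iv "$(cat "$out.iv.hex")" \
    -in "$plain" -out "$out.bin"
  openssl pkeyutl -encrypt -pubin -inkey "$pub" -pkeyopt rsa_padding_mode:oaep \
    -in "$out.key.hex" -out "$out.wrapped"
  rm -f "$out.key.hex"                           # the raw key never leaves in clear
}

# Endpoint side: decrypt_on_endpoint PRIVKEY IN_PREFIX  -> plaintext on stdout
# Returns non-zero if the private key does not match the wrapped key.
decrypt_on_endpoint() {
  priv=$1; in=$2
  key=$(openssl pkeyutl -decrypt -inkey "$priv" -pkeyopt rsa_padding_mode:oaep \
          -in "$in.wrapped" 2>/dev/null) || return 1
  [ -n "$key" ] || return 1
  openssl enc -d -aes-256-cbc -K "$key" -iv "$(cat "$in.iv.hex")" -in "$in.bin" 2>/dev/null
}

# End-to-end check with a constructed secret; prints the recovered plaintext.
roundtrip_demo() {
  dir=$(mktemp -d)
  gen_demo_keypair "$dir/client.key" "$dir/client.pub"
  printf '%s' 's3cret-value' > "$dir/plain.txt"
  encrypt_for_endpoint "$dir/client.pub" "$dir/plain.txt" "$dir/payload"
  decrypt_on_endpoint "$dir/client.key" "$dir/payload"
  rm -rf "$dir"
}

# Shows the endpoint-specific property: a payload for key A cannot be opened
# with key B. Returns 0 when the wrong key is rejected.
wrong_key_rejected() {
  dir=$(mktemp -d)
  gen_demo_keypair "$dir/a.key" "$dir/a.pub"
  gen_demo_keypair "$dir/b.key" "$dir/b.pub"
  printf '%s' 'only-for-a' > "$dir/plain.txt"
  encrypt_for_endpoint "$dir/a.pub" "$dir/plain.txt" "$dir/payload"
  if decrypt_on_endpoint "$dir/b.key" "$dir/payload" >/dev/null 2>&1; then
    rm -rf "$dir"; return 1
  fi
  rm -rf "$dir"
  return 0
}

# Stand-alone use:  sh encrypt_demo.sh demo
if [ "${1:-}" = "demo" ]; then
  roundtrip_demo; echo
  wrong_key_rejected && echo "wrong key rejected as expected"
fi
```

The cost model matches point 1 of the idea above only if the payload is encrypted once per endpoint key; encrypting to a group means either one wrapped key per member (cheap, since only the 32-byte AES key is RSA-wrapped per endpoint while the payload is encrypted once) or a group-shared private key, which reintroduces the shared-secret risk the reply describes.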