stasher's security model is very straightforward. It's based on the same security model that's used for SSL. That's because it is SSL.
An object repository cluster's security is managed by cluster keys and certificates: the cluster certificate and its private key are, in effect, a certificate authority. The private keys must be kept in some secure directory, with tight permissions and away from prying eyes. Oh, and better have a backup of them, somewhere, because losing them means losing the ability to issue or renew any certificate in the cluster.
That doesn't mean that you have to pay some other company to get your certificates for stasher. You create them yourself, with stasher's tools. You create them, and you keep them safe.
Cluster certificates create and sign node certificates. Each node in an object repository cluster is identified by its own, unique, node certificate.
When nodes in the cluster connect with each other, mutual authentication takes place, using their respective node certificates, which are signed by the cluster's certificates. Each node already has the cluster certificates, so it can verify its peer's certificate, and the peer verifies it in turn.
By default, after authentication concludes, each connection between the nodes is no longer encrypted: the handshake is protected, but the replication traffic that follows travels in the clear. An optional setting keeps encryption enabled permanently for connections with one or more nodes; use it for any node reached over a network you don't control.
Put one of the nodes halfway across the world. Make sure that it has the “thou shalt not become a master controller” flag, and is marked to use encryption. Mission accomplished: automatic offsite backup of your object repository.
Have a few of these offsite nodes, reachable by different networks. Hopefully, at least one of them is always connected to the cluster.
Cluster and node certificates expire, occasionally, just like SSL certificates. That's because they are SSL certificates, after all. But it's easy to renew them.
Public cluster certificates are just one of the objects in the object repository cluster. They are public, and are not a big secret. It's the cluster keys that get stored somewhere secure. For convenience, put them on a machine that's one of the nodes in the cluster. That makes updates of cluster certificates easier. stasher's administrative tools generate a new cluster certificate and put it into the object repository cluster, in one command. The new certificate gets replicated to all nodes in the cluster, and becomes effective immediately.
A node certificate is handled differently. It is not a public object in the repository; each node owns its own. Renewing one follows a similar process, though. The new certificate gets generated and signed on the machine that holds the cluster certificate's key. Then, the object repository node on that machine takes the newly generated certificate and transmits it to its connected peer, which activates it if it is its own, and passes it along if it is meant for another node.
The node certificate's private key is, of course, not public information; once installed, it stays on the node itself. Getting it there, though, means it passes through the other nodes on the way, and since all nodes in the cluster are one big happy family, they are happy to relay it and then immediately forget what they saw. Since that relay uses the node-to-node connections described above, which are not encrypted after the handshake unless the encryption setting is on, that is one more reason to enable it for nodes reached over networks you don't control.
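The handshake rules from the paragraphs above (every node holds the cluster certificates and verifies its peer's node certificate against them, in both directions; expired node certificates and certificates signed by some other cluster are refused; a renewed cluster certificate is trusted alongside the old one), as an added Go example that is not stasher's own code and does not use stasher's tools. The cluster and node certificates are generated in memory, the node names, the "renewed" and "foreign" cluster certificates and the loopback TCP connection are all constructed for the demonstration, and Ed25519 keys are an assumption of the example, not something the page specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// clusterCA: a self-signed cluster certificate plus the private key that signs node certificates.
type clusterCA struct {
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

func newClusterCA(name string) clusterCA {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return clusterCA{cert: cert, key: key}
}

// issueNodeCert signs a node certificate with the cluster key; a notAfter in the past mints an expired one.
func (ca clusterCA) issueNodeCert(node string, notAfter time.Time) tls.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: node}, DNSNames: []string{node},
		NotBefore: notAfter.Add(-48 * time.Hour), NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// mutualHandshake connects two "nodes" over loopback TCP; each side presents its node certificate and
// verifies the peer's against the cluster certificates in pool. nil means both sides accepted each other.
func mutualHandshake(pool *x509.CertPool, listener, dialer tls.Certificate, listenerName string) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		must(err)
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second)) // never hang on a half-finished handshake
		srvErr <- tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{listener},
			ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}).Handshake() // demand the peer's cert
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	must(err)
	defer raw.Close()
	cliErr := tls.Client(raw, &tls.Config{Certificates: []tls.Certificate{dialer},
		RootCAs: pool, ServerName: listenerName}).Handshake()
	return errors.Join(<-srvErr, cliErr)
}

// scenarios reports which pairings the handshake accepts. Node names and the extra "renewed" and
// "foreign" cluster certificates are constructed for this demonstration; keys are generated in memory.
func scenarios() map[string]bool {
	ca, renewed, foreign := newClusterCA("cluster"), newClusterCA("cluster-renewed"), newClusterCA("other-cluster")
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	pool.AddCert(renewed.cert) // during rotation the old and the renewed cluster certificate are both trusted
	valid := time.Now().Add(24 * time.Hour)
	nodeA, nodeB, nodeC := ca.issueNodeCert("node-a", valid), ca.issueNodeCert("node-b", valid), renewed.issueNodeCert("node-c", valid)
	expired := ca.issueNodeCert("node-b", time.Now().Add(-time.Hour))
	impostor := foreign.issueNodeCert("node-a", valid) // a node certificate signed by some other cluster
	return map[string]bool{
		"same cluster cert":      mutualHandshake(pool, nodeB, nodeA, "node-b") == nil,
		"renewed cluster cert":   mutualHandshake(pool, nodeC, nodeA, "node-c") == nil,
		"expired node cert":      mutualHandshake(pool, expired, nodeA, "node-b") == nil,
		"dialer from foreign CA": mutualHandshake(pool, nodeB, impostor, "node-b") == nil,
	}
}

func main() { fmt.Println(scenarios()) }
```

`go run` prints the map; only pairings whose node certificates are signed by a trusted cluster certificate and still inside their validity period come out `true`. The one setting that makes this mutual rather than one-way is `ClientAuth: tls.RequireAndVerifyClientCert` on the listening side; without it, a dialer presenting no certificate at all would get through, which is exactly what a stasher node must not allow.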