lyft / confidant

Confidant: your secret keeper. https://lyft.github.io/confidant


How do you configure HA, multi-region Confidant?

lvh opened this issue · comments

commented

In dcoker/biscuit#1, a confidant contributor asserts biscuit is wrong about confidant being HA and multi-region. The maintainer of that project asked for some clarification, but it appears that got lost. (No judgement -- lord knows my inbox is a war zone sometimes.)

I grepped the documentation and the GitHub repo, and while multi-region and HA are mentioned, there doesn't appear to be any particular documentation on how to set that up.

HA is built into the system assuming you're utilizing AWS. The confidant web service is stateless, using dynamodb for its state and KMS for the encryption/decryption and authentication. As long as you run more than one confidant web server and you run them behind an ELB, it's HA. It's possible to lose entire AZs without any form of downtime.

Multi-region is a bit more involved to discuss, and depends on how you use confidant.

  1. If you want your secrets to be specific to each region, then it's a matter of running confidant in each region and updating the secrets in each. I'd imagine this isn't the type of multi-region most people want/expect, which is some form of replication.
  2. If you're using only blind credentials, then the multi-region story is pretty similar to biscuit, because the encryption happens on the client side. The caveat here is that you need to replicate the dynamodb data from one region to the other, which you can do with dynamo streams.
  3. If you're using normal credentials, then you need to replicate the dynamo stream, decrypt secrets using the key from one region and re-encrypt them using the key from the replicated region. This is something we should provide tooling for.
  4. If confidant itself is allowed to cross-region, you can have the confidant web services run in one region while accessing dynamo and kms from the other region.

The downside to both blind credentials and biscuit's approach to multi-region is that if you need a secret to be usable in more than one region you need to encrypt the secret with all the regions' KMS keys up-front. If you want to add another region into the mix later, you need to decrypt/reencrypt each secret to be made available in each region.
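As an added illustration of option 3 above (this is not part of the thread and not confidant's own code): a stream consumer that takes DynamoDB Streams records for credential rows, unwraps the per-credential data key with the source region's KMS, re-wraps it with the destination region's CMK, and writes the row to the destination table. The row layout (`id`, `revision`, `data_key`, `credential_pairs`), the use of `{"id": ...}` as the KMS encryption context, and the revision-based idempotency check are all assumptions for the example, not a description of confidant's schema. `InMemoryKMS` is an offline stand-in that mirrors the `encrypt`/`decrypt` keyword signatures of a boto3 KMS client, so the same `Replicator` can be pointed at `boto3.client("kms", region_name=...)` objects; the event in `demo()` is constructed inline.

```python
"""Cross-region re-wrap of envelope-encrypted credential rows from a DynamoDB
Streams batch.  Added example, not confidant's code.  Assumed row layout:
  id / revision      -- string key / integer revision (revision is assumed)
  data_key           -- data key wrapped by the source region's KMS CMK
  credential_pairs   -- secrets encrypted under that data key (copied as-is)
Only data_key is re-wrapped: both regions end up with the same plaintext data
key, so the credential_pairs ciphertext itself needs no change."""
import base64
import secrets


class InMemoryKMS:
    """Offline stand-in for a regional boto3 KMS client (same encrypt/decrypt
    keyword signatures).  Real KMS ciphertext is bound to the CMK and region
    that produced it; this fake models that with opaque per-region handles,
    not real cryptography."""

    def __init__(self, region):
        self.region, self._vault = region, {}

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        handle = self.region.encode() + b":" + secrets.token_bytes(16)
        self._vault[handle] = (KeyId, bytes(Plaintext), dict(EncryptionContext or {}))
        return {"CiphertextBlob": handle, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        entry = self._vault.get(bytes(CiphertextBlob))
        if entry is None:
            raise ValueError(f"InvalidCiphertextException: not wrapped by {self.region} KMS")
        key_id, plaintext, ctx = entry
        if ctx != dict(EncryptionContext or {}):
            raise ValueError("InvalidCiphertextException: encryption context mismatch")
        return {"Plaintext": plaintext, "KeyId": key_id}


def from_ddb(attr):
    """Decode the DynamoDB-JSON types used here; stream events carry B as base64 text."""
    (tag, val), = attr.items()
    return {"S": str, "B": base64.b64decode, "N": int}[tag](val)


def to_ddb(value):
    if isinstance(value, bytes):
        return {"B": base64.b64encode(value).decode()}
    return {"N": str(value)} if isinstance(value, int) else {"S": value}


class Replicator:
    def __init__(self, src_kms, dst_kms, dst_key_id, dst_table):
        self.src_kms, self.dst_kms = src_kms, dst_kms
        self.dst_key_id, self.dst_table = dst_key_id, dst_table  # dict stands in for the remote table

    def handle(self, event):
        """Process one stream batch.  Streams deliver at least once, so a row whose
        revision is already present in the destination is skipped, not re-wrapped."""
        out = {"written": [], "skipped": [], "deleted": []}
        for record in event["Records"]:
            item_id = from_ddb(record["dynamodb"]["Keys"]["id"])
            if record["eventName"] == "REMOVE":
                self.dst_table.pop(item_id, None)
                out["deleted"].append(item_id)
                continue
            image = {k: from_ddb(v) for k, v in record["dynamodb"]["NewImage"].items()}
            existing = self.dst_table.get(item_id)
            if existing and from_ddb(existing["revision"]) >= image["revision"]:
                out["skipped"].append(item_id)
                continue
            ctx = {"id": item_id}  # assumed: context binds the data key to this credential
            plaintext_dk = self.src_kms.decrypt(
                CiphertextBlob=image["data_key"], EncryptionContext=ctx)["Plaintext"]
            image["data_key"] = self.dst_kms.encrypt(
                KeyId=self.dst_key_id, Plaintext=plaintext_dk, EncryptionContext=ctx)["CiphertextBlob"]
            self.dst_table[item_id] = {k: to_ddb(v) for k, v in image.items()}
            out["written"].append(item_id)
        return out


def demo():
    """Constructed run: one credential wrapped in us-east-1, replicated to us-west-2,
    checked from both sides, then the same event redelivered."""
    src, dst = InMemoryKMS("us-east-1"), InMemoryKMS("us-west-2")
    data_key, ctx, pairs = secrets.token_bytes(32), {"id": "db-password"}, b"<ciphertext under data_key>"
    wrapped = src.encrypt(KeyId="alias/confidant-east", Plaintext=data_key,
                          EncryptionContext=ctx)["CiphertextBlob"]
    event = {"Records": [{"eventName": "INSERT", "dynamodb": {
        "Keys": {"id": {"S": "db-password"}},
        "NewImage": {"id": {"S": "db-password"}, "revision": {"N": "1"},
                     "data_key": to_ddb(wrapped), "credential_pairs": to_ddb(pairs)}}}]}
    dst_table = {}
    rep = Replicator(src, dst, "alias/confidant-west", dst_table)
    first = rep.handle(event)
    new_blob = from_ddb(dst_table["db-password"]["data_key"])
    try:
        src.decrypt(CiphertextBlob=new_blob, EncryptionContext=ctx)
        src_rejects = False
    except ValueError:
        src_rejects = True  # the re-wrapped blob belongs to the destination region only
    return {
        "written": first["written"],
        "dst_unwraps": dst.decrypt(CiphertextBlob=new_blob, EncryptionContext=ctx)["Plaintext"] == data_key,
        "src_rejects_replicated_blob": src_rejects,
        "pairs_unchanged": from_ddb(dst_table["db-password"]["credential_pairs"]) == pairs,
        "redelivery": rep.handle(event),
    }
```

The same consumer with the decrypt/encrypt step removed is option 2 (blind credentials), where rows are copied verbatim because the client already encrypted under every region's key. Bringing a new region into the mix later, as the last paragraph describes, is the same re-wrap run over a full scan of the source table instead of the stream; the encryption context has to match exactly on both calls or KMS rejects the decrypt.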

commented

Thanks! That helps a lot.