Can you keep a secret?

Transcript

1. Can you keep a secret? Using R to encrypt and

   share secrets Andrie de Vries Senior PM, Data science lead, Microsoft @RevoAndrie UseR!2017, Brussels

2. Andrie de Vries 2 CRAN packages: • ggdendro • sss

   • miniCRAN • checkpoint • secret StackOverflow: andrie Twitter: @RevoAndrie github.com/andrie

3. What secrets do you keep?

4. • Database connection • Cloud service authentication • API keys

   • ??? Secrets 4

5. How can your secrets leak?

6. None

7. 68ef5aa9196142799d10bedd43f8254c 49291aae0d8f4904a4af53a8d581c907 Secrets in plain text in script !!!

8. • Sharing secrets in plain text • Files / email

   • Inadvertent leaks from R • .History • .Rdata • Other inadvertent leaks • Private github projects that become public (Inadvertently) leaking secrets

9. How can you prevent leaks?

10. • Plain text file outside your project • Won’t go

    into version control • But not secure • Encrypted file outside your project • Difficult to share • Encrypted file inside your project Options for preventing leaks But how do you share the secret with your collaborators?

11. Public key cryptography

12. Alice generates a key pair Source: https://en.wikipedia.org/wiki/Public-key_cryptography Command line (ssh-keygen)

    or GUI tools, e.g. PuttyGen

13. Bob wants to share a secret Source: https://en.wikipedia.org/wiki/Public-key_cryptography Bob encrypts

    using Alice’s public and his own private key

14. Alice can read the secret Source: https://en.wikipedia.org/wiki/Public-key_cryptography Alice decrypts secret

    using her private key

15. Public key cryptography Source: https://en.wikipedia.org/wiki/Public-key_cryptography The combination of private /

    public keys give the same secret

16. • Every user has a private / public key pair

    • Share public keys in the open • Encrypt secrets with: • Your private key • The counterparty’s public key • Decrypt using your private key Summary

17. But how do you do this with R?

18. • On CRAN now • Published 2017-06-17 • https://cran.r-project.org/package=secret •

    Maintainer: Gábor Csárdi • Functionality • Create a vault • Add users • Encrypt and decrypt secrets • Share secrets Use the `secret` package Gábor Csárdi

19. • Encrypt a secret to use on different machines •

    Encrypt SQL server credentials • Develop locally or in Data Science Virtual Machine, then deploy in Azure • Encrypt a secret to share with team • Use github or Visual Studio Team Services for version control • Encrypt secret to use with continuous integration • Use github for version control • Automatically start Travis job on push Use cases

20. Demo

21. • The demo is based on the package vignette •

    https://cran.r-project.org/web/packages/secret/vignettes/secrets.html Demo

22. Conclusion

23. If you use windows, you most likely created your keys

    using PuttyGen. • Note that the key created by PuttyGen is not in OpenSSH format. • Convert the format with PuttyGen – use /Conversions/Export OpenSSH key Note that the folder ~/.ssh in Windows usually expands to C:/Users/YOURNAME/Documents/.ssh. You can find the full path by using: normalizePath("~/.ssh", mustWork = FALSE) ## [1] "C:/Users/adevries/Documents/.ssh" Note for Windows users

24. • CRAN • https://cran.r-project.org/package=secret • Github • https://github.com/gaborcsardi/secret • Vignette

    • https://cran.r-project.org/web/packages/secret/vignettes/secrets.html Resources