Keep it Secret, Keep it Safe

Managing passwords in userland is tricky enough, but clever tools like 1Password and LastPass have made it easier than ever to protect our social media accounts. Two-factor authentication tools have made us safer still by ensuring that even a weak password is not enough on its own. Unfortunately, none of this helps us with passwords and credentials in our code.

First, we’ll define the threat models that affect secret data within our PHP apps – and how this sensitive information could be exploited. Then, we’ll survey the landscape of tools available to manage secrets safely so our data stays secure. Finally, we’ll work through the code required to tie everything together and keep our access keys both secret and safe from nefarious third parties.

Eric Mann

June 02, 2017

Transcript

  1. KEEP IT SAFE @ERICMANN

  4. EXPOSED THE DOCKER REGISTRY FOR VINE TO THE PUBLIC

  12. $ pip install credstash
      $ credstash setup
      $ credstash put database_connection_string 'mysql:dbname=testdb;host=127.0.0.1'
      $ credstash put database_user user
      $ credstash put database_pass password

      (The DSN must be quoted: an unquoted ";" ends the shell command and the host part is never stored.)
  13. composer require gmo/credstash

  14. <?php
      require('vendor/autoload.php');
      // $config is the AWS SDK client configuration (region and API version; the
      // AWS credentials come from the instance role or the default provider chain).
      // The slide leaves it undefined; the value below is an assumption.
      $config = ['region' => 'us-east-1', 'version' => 'latest'];
      $sdk = new Aws\Sdk($config);
      $credstash = CredStash\CredStash::createFromSdk($sdk);
      $dsn  = $credstash->get('database_connection_string');
      $user = $credstash->get('database_user');
      $pass = $credstash->get('database_pass');
      $dbh  = new PDO($dsn, $user, $pass);
  19. # .env
      DATABASE_CONNECTION_STRING="mysql:dbname=testdb;host=127.0.0.1"
      DATABASE_USER="user"
      DATABASE_PASS="password"

      # .gitattributes
      .env filter=git-crypt diff=git-crypt

      # .env as stored in the repository after git-crypt: binary ciphertext,
      # beginning with the header \0GITCRYPT\0 (shown as ^@GITCRYPT^@ on the slide)

      $ brew install git-crypt
      $ cd ~/project
      $ git-crypt init
      $ git-crypt add-gpg-user 715376CA
  20. <?php
      require('vendor/autoload.php');
      // vlucas/phpdotenv (v2 API): read .env from this directory into the environment
      $dotenv = new Dotenv\Dotenv(__DIR__);
      $dotenv->load();
      // PHP's function is getenv(); the slide's get_env() does not exist
      $dsn  = getenv('DATABASE_CONNECTION_STRING');
      $user = getenv('DATABASE_USER');
      $pass = getenv('DATABASE_PASS');
      $dbh  = new PDO($dsn, $user, $pass);

      $ git-crypt unlock
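As an added example (not one of the talk's slides, and not phpdotenv's own code), the Dotenv step above with the check a deployment needs: git-crypt writes the header \0GITCRYPT\0 (the ^@GITCRYPT^@ visible in the encrypted .env) at the start of every file it encrypts, so a loader can refuse to start when `git-crypt unlock` was never run on the checkout, instead of handing ciphertext to PDO and failing somewhere less obvious. The loader, the minimal .env parser and the helper names are this example's own; the sample files are constructed inline, mirror the slide's .env and contain no real credentials.

```php
<?php
declare(strict_types=1);

// git-crypt marks every encrypted file with this magic header.
const GIT_CRYPT_MAGIC = "\0GITCRYPT\0";

/**
 * Parse a minimal .env file (KEY=value, optional double quotes, # comments)
 * and return the pairs. Fails closed if the file is still git-crypt ciphertext.
 *
 * @return array<string,string>
 */
function loadDotEnv(string $path): array
{
    $raw = file_get_contents($path);
    if ($raw === false) {
        throw new RuntimeException("Cannot read $path");
    }
    // strncmp is binary-safe, so the NUL bytes in the header compare correctly.
    if (strncmp($raw, GIT_CRYPT_MAGIC, strlen(GIT_CRYPT_MAGIC)) === 0) {
        throw new RuntimeException(
            "$path is still git-crypt encrypted; run `git-crypt unlock` on this checkout first"
        );
    }

    $vars = [];
    foreach (preg_split('/\R/', $raw) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        if (!preg_match('/^([A-Z_][A-Z0-9_]*)=(.*)$/', $line, $m)) {
            // Never echo the full line back: it may contain a secret.
            throw new RuntimeException('Malformed .env line starting with: ' . substr($line, 0, 12));
        }
        $value = $m[2];
        if (strlen($value) >= 2 && $value[0] === '"' && substr($value, -1) === '"') {
            $value = substr($value, 1, -1);
        }
        $vars[$m[1]] = $value;
    }
    return $vars;
}

/** Export the pairs so getenv() sees them, without overriding variables already set by the host. */
function exportEnv(array $vars): void
{
    foreach ($vars as $name => $value) {
        if (getenv($name) === false) {
            putenv("$name=$value");
            $_ENV[$name] = $value;
        }
    }
}

// Constructed inputs for the demonstration: a decrypted .env matching the slide,
// and a file that still carries the git-crypt header followed by random bytes.
$plain = tempnam(sys_get_temp_dir(), 'env');
file_put_contents(
    $plain,
    "# .env\nDATABASE_CONNECTION_STRING=\"mysql:dbname=testdb;host=127.0.0.1\"\n"
    . "DATABASE_USER=\"user\"\nDATABASE_PASS=\"password\"\n"
);
$locked = tempnam(sys_get_temp_dir(), 'env');
file_put_contents($locked, GIT_CRYPT_MAGIC . random_bytes(64));

exportEnv(loadDotEnv($plain));
echo 'DSN loaded: ', getenv('DATABASE_CONNECTION_STRING'), PHP_EOL;

try {
    loadDotEnv($locked);
} catch (RuntimeException $e) {
    echo 'Refused: ', $e->getMessage(), PHP_EOL;
}

unlink($plain);
unlink($locked);
```

The same header check belongs in a deploy script or health check as well: a container built from a clone that was never unlocked will otherwise start, read garbage for every variable, and surface as a database authentication error rather than as the configuration mistake it is.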
  23. HASHICORP VAULT

  24. ANSIBLE VAULT

  25. DOCKER SECRETS
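Added example, not from the talk and not Docker's own code: one resolver that tries the secret sources the talk surveys in order, so the application code that builds the PDO connection does not change when the deployment moves from a .env file to Docker secrets. Docker mounts each secret as a file under /run/secrets/<name>; the NAME_FILE environment-variable convention is the one the official Docker images use and is adopted here as an assumption for this application, as are the function names and the temporary directory constructed in place of /run/secrets.

```php
<?php
declare(strict_types=1);

final class SecretNotFound extends RuntimeException {}

/** Read a secret from a mounted file, dropping only the trailing newline an `echo` would add. */
function readSecretFile(string $path): string
{
    if (!is_file($path) || !is_readable($path)) {
        throw new SecretNotFound("secret file $path is missing or unreadable");
    }
    return rtrim((string) file_get_contents($path), "\r\n");
}

/**
 * Resolve a secret by name, most to least preferred source:
 *  1. NAME_FILE points at a file (official-image convention, assumed here)
 *  2. a Docker/Swarm secret mounted at <secretsDir>/<lowercase name>
 *  3. a plain environment variable (visible in `docker inspect` and to anything
 *     that can read /proc/<pid>/environ, so it comes last)
 */
function resolveSecret(string $name, string $secretsDir = '/run/secrets'): string
{
    $fileVar = getenv($name . '_FILE');
    if ($fileVar !== false && $fileVar !== '') {
        return readSecretFile($fileVar);
    }

    $mounted = rtrim($secretsDir, '/') . '/' . strtolower($name);
    if (is_file($mounted)) {
        return readSecretFile($mounted);
    }

    $env = getenv($name);
    if ($env !== false && $env !== '') {
        return $env;
    }

    throw new SecretNotFound("no source found for secret $name");
}

/** Report where a secret came from without ever printing its value. */
function describeSource(string $name, string $secretsDir): string
{
    if (getenv($name . '_FILE') !== false) {
        return "$name: from file named by {$name}_FILE";
    }
    if (is_file(rtrim($secretsDir, '/') . '/' . strtolower($name))) {
        return "$name: from mounted secret";
    }
    return "$name: from environment variable";
}

// Constructed stand-in for /run/secrets; the values are placeholders, not real credentials.
$dir = sys_get_temp_dir() . '/secrets-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/database_pass", "placeholder-from-mounted-secret\n");
putenv('DATABASE_USER=user');

$pass = resolveSecret('DATABASE_PASS', $dir);
$user = resolveSecret('DATABASE_USER', $dir);
echo describeSource('DATABASE_PASS', $dir), PHP_EOL;
echo describeSource('DATABASE_USER', $dir), PHP_EOL;

try {
    resolveSecret('DATABASE_CONNECTION_STRING', $dir);
} catch (SecretNotFound $e) {
    echo 'Startup would abort: ', $e->getMessage(), PHP_EOL;
}

unlink("$dir/database_pass");
rmdir($dir);
```

With this in place the connection code from the earlier slides becomes `new PDO(resolveSecret('DATABASE_CONNECTION_STRING'), resolveSecret('DATABASE_USER'), resolveSecret('DATABASE_PASS'))`, and a missing secret stops the process at startup with a message that names the variable but never its value.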


  30. HASHICORP'S BLOG
      FUGUE'S BLOG
      AWS KEY MANAGEMENT SERVICE
      PARAGON INITIATIVE'S BLOG
      TOZNY'S BLOG
  31. KEEP IT SAFE @ERICMANN - TOZNY