Pocket Protector: Secrets as Code

Announcing a bit of secrets management at Pyninsula #11.

Mahmoud Hashemi

March 27, 2018

Transcript

  1. Pocket Protector:
    Secrets as Code
    Mahmoud Hashemi • SimpleLegal
    March 2018

  2. Secrets?

  3. Family Secrets and Dev Secrets
    Family Secrets
    We’ve all got one.
    ● Great for parties!
    ● Fun way to burden a friend!
    ● Share it once, regret it always!
    ● We all know what you did last summer.
    Try to forget!
    Dev Secrets
    They come with the job.
    ● Terrible at parties!
    ● Super useful otherwise.
    ● Shared thousands of times a day!
    ● Changing all the time!
    Let’s make them work!

  4. Devs Need Secrets
    Database passwords
    API keys & tokens
    SSL certificate passphrases
    And more!

  5. Secret mismanagement
    Approach 1: Put them in the code
    The easiest and earliest form of integration. Hope you trust your host!
    Approach 2: Put them in the config
    A settings.py or config.json is no more secure than your code.
    And now you’ve probably got two problems.
    Approach 3: Put them in the environment
    You’re going to get tired of entering them, lose them, or both.

  6. Secret management
    Approach 1: Password managers
    LastPass, KeePass, etc. focus on the individual consumer and don’t work great for teams.
    Approach 2: Key management services
    Enterprise solutions like Vault and Hardware Security Modules (HSMs) don’t scale down.
    Approach 3: Encrypted source control
    git-crypt and friends scale down, but are cryptic to use and easy to misconfigure.

  7. There’s gotta be a better way!

  8. Pocket Protector
    ● Secrets as Code™
    ● Safely and explicitly manage secrets, in-repo
    ● State-of-the-art encryption
    ○ Argon2 (CPU+memory-hard pwhash)
    ○ curve25519 two-key
    ○ NaCl Secret Box
    ● Multi-user, multi-environment
    Pocket-sized secret management

  9. Pocket Protector concepts
    Domains: Namespaces
    Enables organizing keys by app and environment.
    Key custodians: Registered users
    Pocket Protector leverages your repo’s write-protection capabilities.
    Anyone can write to the file, but presumably only authorized users can push.
    Key custodians have passphrases that allow them to read from the file.
    Owners: Registered users with read access to a domain
    Adding a key custodian to a domain as an owner grants them read access to the secrets in that domain.

  10. Pocket Protector: Installation
    Doesn’t get much easier than:
    $ pip install pocket_protector
    ...
    $ pocket_protector init
    Adding new key custodian.
    User email: [email protected]
    Passphrase:
    Retype passphrase:
    $ pocket_protector add-domain
    Adding new domain.
    User email: [email protected]
    Passphrase:
    Domain name: dev
    $ pocket_protector add-secret
    Adding secret value.
    Domain name: dev
    Secret name: api_key
    Secret value: 5ca1ab1e
    $ pocket_protector decrypt-domain dev
    User email: [email protected]
    Passphrase:
    {
      "api_key": "5ca1ab1e"
    }
    $ git commit

  11. Pocket Protector: Initialization
    Creating our protected file, with our first key custodian.
    $ pocket_protector init
    Adding new key custodian.
    User email: [email protected]
    Passphrase:
    Retype passphrase:

  12. Pocket Protector: Our first domain
    Adding our first domain, with our first owner.
    $ pocket_protector add-domain
    Adding new domain.
    User email: [email protected]
    Passphrase:
    Domain name: dev

  13. Pocket Protector: Protecting our first secret
    With our domain and owner sorted, we can add secrets.
    $ pocket_protector add-secret
    Adding secret value.
    Domain name: dev
    Secret name: api_key
    Secret value: 5ca1ab1e

  14. Pocket Protector: Reading our first secret
    Let’s make sure things went through as expected.
    $ pocket_protector decrypt-domain dev
    User email: [email protected]
    Passphrase:
    {
      "api_key": "5ca1ab1e"
    }
    Note that credentials can come from:
    ● stdin / interactive user input (Local dev)
    ● Environment variable (Heroku/GitLab CI)
    ● File (Docker Secrets)
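    The three credential sources listed above, as an added Go example that is not pocket_protector’s own code (the tool itself is Python). It tries the non-interactive sources first and prompts last, and treats a blank variable or an empty file as “unset” rather than as an empty passphrase. The variable names PPROTECT_PASSPHRASE and PPROTECT_PASSPHRASE_FILE, the precedence order and the constructed sample values are assumptions for this example; the slide does not name them.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// Variable names are assumptions for this example; the slide does not name them.
const (
	passEnv = "PPROTECT_PASSPHRASE"      // CI: a Heroku / GitLab CI config variable
	fileEnv = "PPROTECT_PASSPHRASE_FILE" // containers: path of a mounted secret file
)

// Source records where a passphrase came from, so a CLI can log it (never the value).
type Source string

const (
	FromEnv   Source = "env"
	FromFile  Source = "file"
	FromStdin Source = "stdin"
)

// ResolvePassphrase tries the non-interactive sources first and prompts last:
// 1. the environment variable itself, 2. a file whose path is in a second
// variable (e.g. a Docker secret under /run/secrets), 3. interactive input.
// lookup and readFile are injected (os.Getenv and os.ReadFile in production)
// so the precedence rules can be exercised without touching the real
// environment; pass stdin as nil when no terminal is attached.
func ResolvePassphrase(lookup func(string) string, readFile func(string) ([]byte, error), stdin io.Reader) (string, Source, error) {
	// A blank variable counts as unset: a misconfigured CI job must not
	// silently authenticate with an empty passphrase.
	if v := lookup(passEnv); v != "" {
		return v, FromEnv, nil
	}
	if path := lookup(fileEnv); path != "" {
		b, err := readFile(path)
		if err != nil {
			return "", "", fmt.Errorf("reading %s: %w", path, err)
		}
		// Mounted secret files almost always end with a newline; strip only that.
		v := strings.TrimRight(string(b), "\r\n")
		if v == "" {
			return "", "", fmt.Errorf("%s is empty", path)
		}
		return v, FromFile, nil
	}
	if stdin == nil {
		return "", "", errors.New("no passphrase in " + passEnv + " or " + fileEnv + " and no terminal for a prompt")
	}
	// Interactive fallback. This plain read echoes what is typed; a real CLI
	// would use a no-echo terminal read, as getpass-style prompts do.
	fmt.Fprint(os.Stderr, "Passphrase: ")
	line, err := bufio.NewReader(stdin).ReadString('\n')
	if err != nil && !errors.Is(err, io.EOF) {
		return "", "", err
	}
	if v := strings.TrimRight(line, "\r\n"); v != "" {
		return v, FromStdin, nil
	}
	return "", "", errors.New("empty passphrase entered")
}

func main() {
	var stdin io.Reader
	if fi, err := os.Stdin.Stat(); err == nil && fi.Mode()&os.ModeCharDevice != 0 {
		stdin = os.Stdin // only prompt when stdin is a terminal
	}
	v, src, err := ResolvePassphrase(os.Getenv, os.ReadFile, stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("got a %d-character passphrase from %s\n", len(v), src)
}
```

    Run it with the variable set, with only the file variable set, or interactively, and it reports the source it used; in a CI job that forgot to set the variable it fails with a clear error instead of hanging on a prompt.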

  15. git commit protected.yaml
    git push
    (And you’re done)

  16. Pocket Protector: Under the hood
    Let’s take a look inside the protected.
    $ cat protected.yaml
    dev:
      secret-api_key: AJHJN0fOwCcbVB9hpCVjSTW81TnYPk95vSMmK5KiwScJMf1gq/fEvdzs5bVUQL5DA8KsRAuvwewk
      meta:
        public-key: ABQsYxR+o2a2Noey6hQG2Deo6dqpcn6h2Z7rvkx8GT9/
        owners:
          [email protected]: ALRVwUrrNL/Xd8QLHGUO8Xa1SR6EJ0nxUvW/T5eHwiYADPEjhfzEPFGZrx6e/v9jYbyXDcdeonlpS4RpONbeZaLkkkP0Xts5a+94sAIDgbOf
    key-custodians:
      [email protected]:
        pwdkm: ALfkn8XPdkO7l/hUQdhKzvRPh7/z9XNFdjpQU4ZwebfyfHBeaMnZelQ=
    audit-log:
    - created key custodian [email protected]
    - created domain dev with owner [email protected]
    - added secret api_key in dev
    Internal file structure: YAML
    ● Compact
    ● Readable
    ● git blame-able
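    The structure of the file above and the custodian/owner rules from slide 9, as an added Go model. It is not pocket_protector’s own code and makes no claim about the tool’s exact on-disk encoding; it uses Go’s standard library with stand-ins for the primitives on slide 8: iterated SHA-256 in place of Argon2 (CPU-hard but, unlike Argon2, not memory-hard), and X25519 plus AES-GCM in a sealed-box layout in place of curve25519 plus NaCl SecretBox. What it shows is why the public-key entry matters: a secret is sealed to the domain public key, so anyone holding the file can add one without a passphrase, while the domain private key is sealed once per owner and a passphrase only ever reaches the file as a derived public key. The type and method names (Protected, ReadSecret, AddOwner) and the sample custodians, passphrases and values are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

var curve = ecdh.X25519()

// kdf stretches a passphrase into 32 bytes; iterated SHA-256 stands in for
// Argon2 here and, unlike it, is not memory-hard.
func kdf(passphrase string, salt []byte) []byte {
	k := sha256.Sum256(append([]byte(passphrase), salt...))
	for i := 0; i < 20000; i++ {
		k = sha256.Sum256(append(k[:], salt...))
	}
	return k[:]
}

// custodianKey derives a custodian's X25519 key pair from the passphrase, so
// only the public half and the salt are ever written to the file.
func custodianKey(passphrase string, salt []byte) *ecdh.PrivateKey {
	priv, _ := curve.NewPrivateKey(kdf(passphrase, salt)) // any 32 bytes are accepted
	return priv
}

func boxAEAD(shared, ephPub []byte) cipher.AEAD {
	key := sha256.Sum256(append(append([]byte{}, shared...), ephPub...))
	block, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(block)
	return g
}

// sealTo is a sealed box (ephemeral X25519 + AES-GCM): ephPub || nonce || ciphertext.
func sealTo(pub *ecdh.PublicKey, plaintext []byte) []byte {
	eph, _ := curve.GenerateKey(rand.Reader)
	shared, _ := eph.ECDH(pub)
	ephPub, nonce := eph.PublicKey().Bytes(), make([]byte, 12)
	rand.Read(nonce)
	return append(append(ephPub, nonce...), boxAEAD(shared, ephPub).Seal(nil, nonce, plaintext, nil)...)
}

// openWith reverses sealTo; the wrong private key fails GCM authentication.
func openWith(priv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 44 {
		return nil, fmt.Errorf("sealed blob too short")
	}
	ephPub, _ := curve.NewPublicKey(blob[:32])
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	return boxAEAD(shared, blob[:32]).Open(nil, blob[32:44], blob[44:], nil)
}

// domain mirrors one domain entry of protected.yaml.
type domain struct {
	pub     *ecdh.PublicKey   // meta.public-key
	owners  map[string][]byte // meta.owners: domain private key sealed to each owner
	secrets map[string][]byte // secret-*: values sealed to the domain public key
}

// Protected is the in-memory counterpart of the whole file.
type Protected struct {
	salts   map[string][]byte          // key-custodians: per-user salt
	pubs    map[string]*ecdh.PublicKey // key-custodians: derived public key
	domains map[string]*domain
}

func NewProtected() *Protected {
	return &Protected{map[string][]byte{}, map[string]*ecdh.PublicKey{}, map[string]*domain{}}
}

func (p *Protected) AddKeyCustodian(email, passphrase string) {
	p.salts[email] = make([]byte, 16)
	rand.Read(p.salts[email])
	p.pubs[email] = custodianKey(passphrase, p.salts[email]).PublicKey()
}

func (p *Protected) AddDomain(name, owner, passphrase string) {
	priv, _ := curve.GenerateKey(rand.Reader)
	owners := map[string][]byte{owner: sealTo(p.pubs[owner], priv.Bytes())}
	p.domains[name] = &domain{priv.PublicKey(), owners, map[string][]byte{}}
}

// AddSecret asks for no credentials: sealing needs only the domain public key.
func (p *Protected) AddSecret(name, secret, value string) {
	p.domains[name].secrets[secret] = sealTo(p.domains[name].pub, []byte(value))
}

// domainKey unwraps the domain private key; only owners hold a wrapped copy.
func (p *Protected) domainKey(name, email, passphrase string) (*ecdh.PrivateKey, error) {
	wrapped, ok := p.domains[name].owners[email]
	if !ok {
		return nil, fmt.Errorf("%s is not an owner of %s", email, name)
	}
	raw, err := openWith(custodianKey(passphrase, p.salts[email]), wrapped)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap %s for %s (wrong passphrase?): %w", name, email, err)
	}
	return curve.NewPrivateKey(raw)
}

// AddOwner needs the granter's passphrase but only the new owner's public key.
func (p *Protected) AddOwner(name, granter, passphrase, newOwner string) error {
	priv, err := p.domainKey(name, granter, passphrase)
	if err != nil {
		return err
	}
	p.domains[name].owners[newOwner] = sealTo(p.pubs[newOwner], priv.Bytes())
	return nil
}

// ReadSecret is the read path behind decrypt-domain, for one secret.
func (p *Protected) ReadSecret(name, secret, email, passphrase string) (string, error) {
	priv, err := p.domainKey(name, email, passphrase)
	if err != nil {
		return "", err
	}
	pt, err := openWith(priv, p.domains[name].secrets[secret])
	return string(pt), err
}

func main() {
	p := NewProtected() // constructed sample custodian, passphrase and secret
	p.AddKeyCustodian("alice@example.com", "correct horse")
	p.AddDomain("dev", "alice@example.com", "correct horse")
	p.AddSecret("dev", "api_key", "5ca1ab1e") // no passphrase needed
	fmt.Println(p.ReadSecret("dev", "api_key", "alice@example.com", "correct horse"))
}
```

    The audit-log entries and the rotate-domain-keys command map onto this model directly: rotation decrypts every secret with an owner’s credentials, generates a fresh domain key pair, and re-seals the private half to each remaining owner and each secret to the new public key, which is why a removed owner’s old wrapped copy stops being useful after the next commit.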

  17. Pocket Protector: Beyond the deck
    Functionality galore! Lots more subcommands for people-centric secret management.
    $ pprotect --help
    usage: pprotect [COMMANDS]
    Commands:
      add-domain                    add a new domain to the protected
      add-key-custodian             add a new key custodian to the protected
      add-owner                     add a key custodian as owner of a domain
      add-secret                    add a secret to a specified domain
      decrypt-domain                decrypt and display JSON-formatted cleartext for a domain
      init                          create a new pocket-protected file
      list-all-secrets              display all secrets, with a list of domains the key is present in
      list-audit-log                display a chronological list of audit log entries representing file activity
      list-domain-secrets           display a list of secrets under a specific domain
      list-domains                  display a list of available domains
      list-user-secrets             similar to list-all-secrets, but filtered by a given user
      rm-domain                     remove a domain from the protected
      rm-owner                      remove an owner's privileges on a specified domain
      rm-secret                     remove a secret from a specified domain
      rotate-domain-keys            rotate the internal keys for a particular domain (must be owner)
      set-key-custodian-passphrase  change a key custodian passphrase
      update-secret                 update an existing secret in a specified domain
    Options:
      -h, --help                    show this help message and exit

  18. Pocket Protector: Next steps
    Today:
    ● Way better than the alternatives
    ● Currently in multi-app, multi-environment use at SimpleLegal
    ● Available on PyPI and GitHub
    Planned features:
    ● Quorum-based recovery features (Shamir)
    ● Support for more types of secrets!
    ● Fancy new CLI using Face
    Try it out!

  19. Links:
    ● github.com/SimpleLegal/pocket_protector
    ● github.com/mahmoud/face
    ● en.wikipedia.org/wiki/Shamir's_Secret_Sharing
    [email protected]
    ● sedimental.org/talks.html
    Thanks!
    Questions?

  21. Progress - Topic area 1
    Accomplishment 1
    ● Lorem ipsum dolor sit amet, consectetur adipiscing elit
    ● Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
    Accomplishment 2
    ● Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
    (Secrets tell you which one is real)

  22. Progress - Topic area 1
    Accomplishment 1
    ● Lorem ipsum dolor sit amet, consectetur adipiscing elit
    ● Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
    Accomplishment 2
    ● Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
    So you get real Data
