Pocket Protector: Secrets as Code

Transcript

1. Pocket Protector: Secrets as Code Mahmoud Hashemi • SimpleLegal March

   2018

2. Secrets?

3. They come with the job. • Terrible at parties! •

   Super useful otherwise. • Shared thousands of times a day! • Changing all the time! Let’s make them work! We’ve all got one. • Great for parties! • Fun way to burden a friend! • Share it once, regret it always! • We all know what you did last summer. Try to forget! Family Secrets Dev Secrets

4. Devs Need Secrets Database passwords API keys & tokens SSL

   certificate passphrases And more!

5. Secret mismanagement Approach 1: Put them in the code The

   easiest and earliest form of integration. Hope you trust your host! Approach 2: Put them in the config A settings.py or config.json is no more secure than your code. And now you’ve probably got two problems. Approach 3: Put them in the environment You’re going to get tired of entering them, lose them, or both.

6. Secret management Approach 1: Password managers LastPass, KeePass, etc. focus

   on the individual consumer and don’t work great for teams. Approach 2: Key management services Enterprise solutions like Vault and Hardware Security Modules (HSMs) don’t scale down. Approach 3: Encrypted source control git-crypt and friends scale down, but are cryptic to use and easy to misconfigure.

7. There’s gotta be a better way!

8. Pocket Protector • Secrets as Code™ • Safely and explicitly

   manage secrets, in-repo • State-of-the-art encryption ◦ Argon2 (CPU+memory-hard pwhash) ◦ curve25519 two-key ◦ NaCl Secret Box • Multi-user, multi-environment Pocket-sized secret management

9. Pocket Protector concepts Domains: Namespaces Enables organizing keys by app

   and environment. Key custodians: Registered users Pocket Protector leverages your repo’s write protections capabilities. Anyone can write to the file, but presumably only authorized users can push. Key custodians have passphrases that will allow them to read from the file. Owners: Registered users with read access to a domain Adding a key custodian to a domain grants them read access to the secrets in that domain.

10. Pocket Protector $ pip install pocket_protector ... $ pocket_protector init

    Adding new key custodian. User email: [email protected] Passphrase: Retype passphrase: $ pocket_protector add-domain Adding new domain. User email: [email protected] Passphrase: Domain name: dev $ pocket_protector add-secret Adding secret value. Domain name: dev Secret name: api_key Secret value: 5ca1ab1e $ pocket_protector decrypt-domain dev User email: [email protected] Passphrase: { "api_key": "5ca1ab1e" } $ git commit $ pip install pocket_protector ... Installation Doesn’t get much easier than:

11. Pocket Protector $ pip install pocket_protector ... $ pocket_protector init

    Adding new key custodian. User email: [email protected] Passphrase: Retype passphrase: $ pocket_protector add-domain Adding new domain. User email: [email protected] Passphrase: Domain name: dev $ pocket_protector add-secret Adding secret value. Domain name: dev Secret name: api_key Secret value: 5ca1ab1e $ pocket_protector decrypt-domain dev User email: [email protected] Passphrase: { "api_key": "5ca1ab1e" } $ git commit $ pocket_protector init Adding new key custodian. User email: [email protected] Passphrase: Retype passphrase: Initialization Creating our protected file, with our first key custodian.

12. Pocket Protector $ pip install pocket_protector ... $ pocket_protector init

    Adding new key custodian. User email: [email protected] Passphrase: Retype passphrase: $ pocket_protector add-domain Adding new domain. User email: [email protected] Passphrase: Domain name: dev $ pocket_protector add-secret Adding secret value. Domain name: dev Secret name: api_key Secret value: 5ca1ab1e $ pocket_protector decrypt-domain dev User email: [email protected] Passphrase: { "api_key": "5ca1ab1e" } $ git commit $ pocket_protector add-domain Adding new domain. User email: [email protected] Passphrase: Domain name: dev Our first domain Adding our first domain, with our first owner.

13. Pocket Protector $ pip install pocket_protector ... $ pocket_protector init

    Adding new key custodian. User email: [email protected] Passphrase: Retype passphrase: $ pocket_protector add-domain Adding new domain. User email: [email protected] Passphrase: Domain name: dev $ pocket_protector add-secret Adding secret value. Domain name: dev Secret name: api_key Secret value: 5ca1ab1e $ pocket_protector decrypt-domain dev User email: [email protected] Passphrase: { "api_key": "5ca1ab1e" } $ git commit $ pocket_protector add-secret Adding secret value. Domain name: dev Secret name: api_key Secret value: 5ca1ab1e Protecting our first secret With our domain and owner sorted, we can add secrets.

14. Pocket Protector $ pip install pocket_protector ... $ pocket_protector init

    Adding new key custodian. User email: [email protected] Passphrase: Retype passphrase: $ pocket_protector add-domain Adding new domain. User email: [email protected] Passphrase: Domain name: dev $ pocket_protector add-secret Adding secret value. Domain name: dev Secret name: api_key Secret value: 5ca1ab1e $ pocket_protector decrypt-domain dev User email: [email protected] Passphrase: { "api_key": "5ca1ab1e" } $ git commit Reading our first secret Let’s make sure things went through as expected. $ pocket_protector decrypt-domain dev User email: [email protected] Passphrase: { "api_key": "5ca1ab1e" } Note that credentials can come from: • stdin / interactive user input (Local dev) • Environment variable (Heroku/GitLab CI) • File (Docker Secrets)

15. git commit protected.yaml git push (And you’re done)

16. Pocket Protector dev: secret-api_key: AJHJN0fOwCcbVB9hpCVjSTW81TnYPk95vSMmK5KiwScJMf1gq/fEvdzs5bVUQL5DA 8KsRAuvwewk meta: public-key: ABQsYxR+o2a2Noey6hQG2Deo6dqpcn6h2Z7rvkx8GT9/ owners:

    [email protected]: ALRVwUrrNL/Xd8QLHGUO8Xa1SR6EJ0nxUvW/T5eHwiYADPEjhfzEPFGZrx6e/v9jY byXDcdeonlpS4RpONbeZaLkkkP0Xts5a+94sAIDgbOf key-custodians: [email protected]: pwdkm: ALfkn8XPdkO7l/hUQdhKzvRPh7/z9XNFdjpQU4ZwebfyfHBeaMnZelQ= audit-log: - created key custodian [email protected] - created domain dev with owner [email protected] - added secret api_key in dev $ cat protected.yaml Internal file structure: YAML • Compact • Readable • git blame-able Under the hood Let’s take a look inside the protected

17. Pocket Protector $ pprotect --help usage: pprotect [COMMANDS] Commands: add-domain

    add a new domain to the protected add-key-custodian add a new key custodian to the protected add-owner add a key custodian as owner of a domain add-secret add a secret to a specified domain decrypt-domain decrypt and display JSON-formatted cleartext for a domain init create a new pocket-protected file list-all-secrets display all secrets, with a list of domains the key is present in list-audit-log display a chronological list of audit log entries representing file activity list-domain-secrets display a list of secrets under a specific domain list-domains display a list of available domains list-user-secrets similar to list-all-secrets, but filtered by a given user rm-domain remove a domain from the protected rm-owner remove an owner's privileges on a specified domain rm-secret remove a secret from a specified domain rotate-domain-keys rotate the internal keys for a particular domain (must be owner) set-key-custodian-passphrase change a key custodian passphrase update-secret update an existing secret in a specified domain Options: -h, --help show this help message and exit $ pprotect --help Lots more subcommands for people-centric secret management . Beyond the deck Functionality galore!

18. Pocket Protector Today: • Way better than the alternatives •

    Currently in multi-app, multi-environment use at SimpleLegal • Available on PyPI and GitHub Planned features: • Quorum-based recovery features (Shamir) • Support for more types of secrets! • Fancy new CLI using Face Try it out! Next steps

19. Links: • github.com/SimpleLegal/pocket_protector • github.com/mahmoud/face • en.wikipedia.org/wiki/Shamir's_Secret_Sharing • [email protected] •

    sedimental.org/talks.html Thanks! Questions?
20. None

21. Progress - Topic area 1 Accomplishment 1 • Lorem ipsum

    dolor sit amet, consectetur adipiscing elit • Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Accomplishment 2 • Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. (Secrets tell you which one is real)

22. Progress - Topic area 1 Accomplishment 1 • Lorem ipsum

    dolor sit amet, consectetur adipiscing elit • Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Accomplishment 2 • Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. So you get real Data