(Ru)credstash
Sibi Prabakaran
Jan 8, 2020
Slide 2
Motivation
Wanted to use Rust somewhere!
Was looking for a project: heard about this tool when J created a ticket for one of our clients
Summary of the talk: What and How of Credstash
Slide 3
Credstash
History
AWS launches KMS in 2014
Fugue launches the credstash tool in 2015
Credential management and distribution system
Depends on AWS infrastructure (KMS for key management, DynamoDB for storage)
Alternatives
Vault
sneaker - Secrets are managed via S3 buckets
cryptic
Slide 4
Pricing
Depends primarily on the number of KMS keys (CMKs) you have, which are billed per key per month; KMS API calls are billed per request on top of that, and the DynamoDB table is a separate (small) cost.
Slide 5
Usage examples
Authenticate with AWS
Via AWS access keys
Via AWS profiles
rucredstash --profile sibi-admin
Via MFA
rucredstash --mfa_serial mfa_arn_id
Slide 6
Usage examples
Setup DynamoDB table.
Put secret
Get secret
Delete secret
$ rucredstash setup
$ rucredstash put "dbpassword" "difficult_password"
$ rucredstash get "dbpassword"
$ rucredstash delete "dbpassword"
Slide 7
More examples
$ rucredstash getall
{
"dbpassword":"difficult_password"
}
$ rucredstash list
dbpassword -- version 000000000000001 --comment
$ rucredstash keys
dbpassword
Slide 8
KMS Concepts
CMK (customer master key): lives inside KMS and never leaves it; callers ask KMS to encrypt or decrypt under it, and IAM policies decide who may do so.
Data key: generated by KMS under a CMK (GenerateDataKey) and returned both in plaintext and encrypted under the CMK; the plaintext copy does the bulk encryption locally and is then discarded, only the encrypted copy is stored (envelope encryption).
Slide 9
Put Algorithm
Ask KMS to generate a 64-byte data key under the CMK; KMS returns it in plaintext and encrypted under the CMK.
Split the plaintext key in half: the first 32 bytes are the AES key, the last 32 bytes are the HMAC key.
Encrypt the credential with AES-256 in CTR mode using the first half.
Compute an HMAC (SHA256 by default) over the ciphertext using the second half.
Store the name, version, encrypted data key, ciphertext and HMAC in the DynamoDB table; the plaintext data key is discarded.
$ credstash put dbpassword difficult_password
Slide 10
Get Algorithm
Fetch the corresponding row (the latest version unless one is given) from DynamoDB.
Decrypt the encrypted data key using KMS; only a principal allowed to use the CMK can do this.
Split the key in half, as in put.
Verify the HMAC of the ciphertext using the second half; stop if it does not match.
Decrypt the credential with AES-CTR using the first half of the key.
$ credstash get dbpassword
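The put and get algorithms from the two slides above, as an added worked example in Go (this is not code from rucredstash or credstash, which are written in Rust and Python). AWS KMS is replaced by a hypothetical in-process fakeKMS whose XOR "wrapping" only stands in for GenerateDataKey/Decrypt so the example runs offline; the local steps (64-byte data key split into an AES-256-CTR key and an HMAC-SHA256 key, counter starting at 1, HMAC over the ciphertext, the row layout) follow what the slides describe. The names Item, Put, Get, macOf and randBytes are chosen here and are not the tool's API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// Item mirrors the credstash DynamoDB row: name, zero-padded version, base64 of
// the KMS-wrapped data key, base64 AES-CTR ciphertext, hex HMAC of the ciphertext.
type Item struct{ Name, Version, Key, Contents, HMAC string }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// fakeKMS is a hypothetical offline stand-in for AWS KMS (credstash really calls
// GenerateDataKey with NumberOfBytes=64, then Decrypt); XOR under master is a
// placeholder so the example runs without AWS, not real key wrapping.
type fakeKMS struct{ master []byte }

func (k *fakeKMS) xor(in []byte) []byte {
	out := make([]byte, len(in))
	for i := range in {
		out[i] = in[i] ^ k.master[i%len(k.master)]
	}
	return out
}

func (k *fakeKMS) GenerateDataKey() (plain, wrapped []byte) {
	plain = randBytes(64)
	return plain, k.xor(plain)
}

func (k *fakeKMS) Decrypt(wrapped []byte) []byte { return k.xor(wrapped) }

// aesCTR is AES-256-CTR with credstash's counter: 128-bit big-endian, starting at 1,
// no random nonce. That is safe only because every put gets a fresh data key.
func aesCTR(key, data []byte) []byte {
	block, err := aes.NewCipher(key) // key is always 32 bytes here
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize)
	iv[aes.BlockSize-1] = 1
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

func macOf(key, ct []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(ct)
	return m.Sum(nil)
}

// Put: data key -> split (first 32 bytes AES, last 32 HMAC) -> AES-CTR -> HMAC of
// the ciphertext -> row holding only the wrapped key. The plaintext key is dropped.
func Put(kms *fakeKMS, name, secret string, version int) Item {
	plain, wrapped := kms.GenerateDataKey()
	ct := aesCTR(plain[:32], []byte(secret))
	return Item{name, fmt.Sprintf("%019d", version),
		base64.StdEncoding.EncodeToString(wrapped),
		base64.StdEncoding.EncodeToString(ct),
		hex.EncodeToString(macOf(plain[32:], ct))}
}

// Get: unwrap via KMS -> split -> constant-time HMAC check BEFORE any decryption
// (encrypt-then-MAC) -> AES-CTR decrypt with the first half.
func Get(kms *fakeKMS, it Item) (string, error) {
	wrapped, e1 := base64.StdEncoding.DecodeString(it.Key)
	ct, e2 := base64.StdEncoding.DecodeString(it.Contents)
	want, e3 := hex.DecodeString(it.HMAC)
	if e1 != nil || e2 != nil || e3 != nil || len(wrapped) != 64 {
		return "", errors.New("row is malformed")
	}
	plain := kms.Decrypt(wrapped)
	if !hmac.Equal(macOf(plain[32:], ct), want) {
		return "", errors.New("integrity check failed: HMAC mismatch")
	}
	return string(aesCTR(plain[:32], ct)), nil
}

func main() {
	kms := &fakeKMS{master: randBytes(64)} // the "CMK" never leaves fakeKMS
	row := Put(kms, "dbpassword", "difficult_password", 1)
	got, _ := Get(kms, row)
	row.HMAC = hex.EncodeToString(make([]byte, 32)) // simulate a tampered row
	_, err := Get(kms, row)
	fmt.Printf("row: %+v\nget: %q\ntampered get: %v\n", row, got, err)
}
```

Two details worth noticing: Get checks the HMAC (with hmac.Equal, a constant-time comparison) before the ciphertext is touched, so a tampered or corrupted row is rejected instead of being decrypted into garbage; and because CTR mode restarts its counter at 1 for every secret, the scheme depends on each put obtaining a fresh data key from KMS, which is also why the plaintext data key must never be written to the table.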
Slide 11
Comparison with credstash
Doesn't implement the putall subcommand (yet)
Doesn't support the following digest methods: MD5, SHA224
Supports MFA authentication!
Slide 12
Comparison with Haskell
rusoto / amazonka
Build times
Much better maintained
Async code issues
Crypto library
Documentation of libraries
Slide 13
Future work
Implement the putall subcommand
Provide a CLI subcommand to create the CMK
Improve error messages on failure
Embrace Rust's async/await model
musl-based (statically linked) binaries