Slide 1

(Ru)credstash
Sibi Prabakaran, Jan 8, 2020

Slide 2

Motivation
- Wanted to use Rust somewhere!
- Was looking for a project: heard about this tool when J created a ticket for one of our clients
- Summary of the talk: the what and how of credstash

Slide 3

Credstash
History
- AWS launches KMS in 2014
- Fugue launches the credstash tool in 2015
- Credential management and distribution system
- Depends on AWS infrastructure
Alternatives
- Vault
- sneaker - secrets are managed via S3 buckets
- cryptic

Slide 4

Pricing
- Depends primarily on the number of keys you have.

Slide 5

Usage examples
Authenticate with AWS
- Via AWS keys
- AWS profiles: rucredstash --profile sibi-admin
- MFA: rucredstash --mfa_serial mfa_arn_id

Slide 6

Usage examples
- Set up the DynamoDB table: $ rucredstash setup
- Put a secret: $ rucredstash put "dbpassword" "difficult_password"
- Get a secret: $ rucredstash get "dbpassword"
- Delete a secret: $ rucredstash delete "dbpassword"

Slide 7

More examples
$ rucredstash getall
{ "dbpassword":"difficult_password" }
$ rucredstash list
dbpassword -- version 000000000000001 --comment
$ rucredstash keys
dbpassword

Slide 8

KMS concepts
- CMK (customer master key)
- Data key

Slide 9

Put algorithm
1. Generate a 64-byte data key.
2. Split the key in half.
3. Encrypt the credential with AES (CTR mode) using the first half of the key.
4. Compute the HMAC of the encrypted text with the second half of the key.
5. Store them in the DynamoDB table.
$ credstash put dbpassword difficult_password

Slide 10

Get algorithm
1. Fetch the corresponding row from DynamoDB.
2. Decrypt the encrypted data key using KMS.
3. Split the key in half.
4. Verify the HMAC of the encrypted text with the second half of the key.
5. Decrypt the credential using the first half of the key.
$ credstash get dbpassword
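The put and get algorithms from the two slides above, worked through in Go as an added example; this is not code from the rucredstash project or from the talk. It assumes an in-memory stand-in for KMS (each data key is kept behind an opaque handle instead of being wrapped under a CMK) and a map in place of the DynamoDB table. AES-256-CTR with a fixed zero counter block, HMAC-SHA256 over the ciphertext, and the constant-time comparison before decrypting are the example's own modelling choices; where the slides say "split the key in half", the code uses the first 32 bytes for AES and the second 32 bytes for the HMAC.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// kmsStub stands in for AWS KMS (an assumption of this example, not the real
// service): data keys stay in memory behind an opaque handle instead of being
// wrapped under a CMK, so the table row never holds usable key bytes.
type kmsStub struct{ keys map[string][]byte }

func (k *kmsStub) GenerateDataKey(n int) ([]byte, string, error) {
	plain := make([]byte, n)
	if _, err := rand.Read(plain); err != nil {
		return nil, "", err
	}
	handle := fmt.Sprintf("datakey-%d", len(k.keys)+1) // stand-in for the KMS-wrapped blob
	k.keys[handle] = plain
	return plain, handle, nil
}

func (k *kmsStub) Decrypt(handle string) ([]byte, error) {
	if plain, ok := k.keys[handle]; ok {
		return plain, nil
	}
	return nil, fmt.Errorf("kms: unknown data key %q", handle)
}

// row is what gets written per secret: wrapped data key, AES-CTR ciphertext
// and its HMAC. The map in store stands in for the DynamoDB table.
type row struct {
	Key            string
	Contents, HMAC []byte
}

type store struct {
	kms  *kmsStub
	rows map[string]row
}

func newStore() *store {
	return &store{kms: &kmsStub{keys: map[string][]byte{}}, rows: map[string]row{}}
}

func aesCTR(key, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	// A fixed zero IV is safe only because every Put draws a fresh data key;
	// a key+IV pair must never be reused with CTR mode.
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, in)
	return out, nil
}

// tag is HMAC-SHA256 over the ciphertext (encrypt-then-MAC).
func tag(hmacKey, ct []byte) []byte {
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write(ct)
	return mac.Sum(nil)
}

// Put: 64-byte data key, split in half, AES-CTR with the first half, HMAC the
// ciphertext with the second half, store the row.
func (s *store) Put(name, secret string) error {
	dataKey, wrapped, err := s.kms.GenerateDataKey(64)
	if err != nil {
		return err
	}
	ct, err := aesCTR(dataKey[:32], []byte(secret))
	if err != nil {
		return err
	}
	s.rows[name] = row{Key: wrapped, Contents: ct, HMAC: tag(dataKey[32:], ct)}
	return nil
}

// Get: fetch the row, unwrap the data key via KMS, split it, verify the HMAC
// in constant time, and only then decrypt with the first half.
func (s *store) Get(name string) (string, error) {
	r, ok := s.rows[name]
	if !ok {
		return "", fmt.Errorf("no secret named %q", name)
	}
	dataKey, err := s.kms.Decrypt(r.Key)
	if err != nil {
		return "", err
	}
	if !hmac.Equal(tag(dataKey[32:], r.Contents), r.HMAC) {
		return "", fmt.Errorf("%s: HMAC mismatch, refusing to decrypt", name)
	}
	pt, err := aesCTR(dataKey[:32], r.Contents)
	return string(pt), err
}

// TamperContents flips one ciphertext byte, as a modified table row would.
func (s *store) TamperContents(name string) { s.rows[name].Contents[0] ^= 1 }
```

Get verifies the HMAC before it ever runs the cipher, so a modified Contents column (TamperContents simulates one) is reported as a mismatch rather than decrypted into garbage, and hmac.Equal keeps that comparison constant-time. With the real service, the Key column would hold the KMS-encrypted data key and step 2 of get would be a KMS Decrypt call, which is also where IAM policy on the CMK decides who may read the secret at all.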

Slide 11

Comparison with credstash
- Doesn't implement the putall subcommand (yet)
- Doesn't support the following digest methods: MD5, SHA224
- Supports MFA authentication!

Slide 12

Comparison with Haskell
- rusoto / amazonka
- Build times
- Much better maintained
- Async code issues
- Crypto library
- Documentation of libraries

Slide 13

Future work
- Implement the putall subcommand
- Provide a CLI subcommand to create a CMK
- Improve the error message when it fails
- Embrace Rust's async/await model
- Musl-based binaries

Slide 14

Questions