Rust + Credstash

(Ru)credstash (Ru)credstash Sibi Prabakaran Jan 8, 2020

Motivation Motivation Wanted to use Rust somewhere! Was looking for
a project: Heard about this tool when J created a ticket for one of our clients Summary of the talk: What and How of Credstash

Credstash Credstash History AWS launches KMS on 2014 Fugue launches
credstash tool on 2015 Credential management and distribution system Depends on AWS infrastructure Alternatives Vault sneaker - Secrets are managed via S3 buckets cryptic

Pricing Pricing Depends primarily on the number of keys you
have.

Usage examples Usage examples Authenticate with AWS Via AWS Keys
AWS Profiles rucredstash –profile sibi-admin MFA rucredstash –mfa_serial mfa_arn_id

Usage examples Usage examples Setup DynamoDB table. Put secret Get
secret Delete secret $ rucredstash setup $ rucredstash put "dbpassword" "difficult_password" $ rucredstash get "dbpassword" $ rucredstash delete "dbpassword"

More examples More examples $ rucredstash getall { "dbpassword":"difficult_pasword" }
$ rucredstash list dbpassword -- version 000000000000001 --comment $ rucredstash keys dbpassword

KMS Concepts KMS Concepts CMK Data Key

Put Algorithm Put Algorithm Generate 64 bytes Data key. Split
the key into half. Encrypt credential using AES algorithm (CTR mode) Compute HMAC of the encrypted text. Store them in the dynamo table $ credstash put dbpassword difficult_password

Get Algorithm Get Algorithm Fetch the corresponding row from DynamoDB.
Decrypt the encrypted data key using KMS. Split the key into half. Verify the HMAC of the encrypted text. Decrypt the credential using first half of the key. $ credstash get dbpassword

Comparision with credstash Comparision with credstash Doesn’t implement putall subcommand
(yet) Doesn’t support following digest methods: MD5, SHA224 Supports MFA authentication!

Comparision with Haskell Comparision with Haskell rusoto / amazonka Build
times Much well maintained Async code issues Crypto library Documentation of libraries

Future work Future work Implement putall subcommand Provide cli subcommand
to create CMK Improve error message when it fails Embrace Rust’s async/await model Musl based binaries

Questions Questions

Rust + Credstash

Rust + Credstash

Sibi

More Decks by Sibi

Other Decks in Programming

Featured

Transcript

(Ru)credstash (Ru)credstash Sibi Prabakaran Jan 8, 2020

Motivation Motivation Wanted to use Rust somewhere! Was looking for

Credstash Credstash History AWS launches KMS on 2014 Fugue launches

Pricing Pricing Depends primarily on the number of keys you

Usage examples Usage examples Authenticate with AWS Via AWS Keys

Usage examples Usage examples Setup DynamoDB table. Put secret Get

More examples More examples $ rucredstash getall { "dbpassword":"difficult_pasword" }

KMS Concepts KMS Concepts CMK Data Key

Put Algorithm Put Algorithm Generate 64 bytes Data key. Split

Get Algorithm Get Algorithm Fetch the corresponding row from DynamoDB.

Comparision with credstash Comparision with credstash Doesn’t implement putall subcommand

Comparision with Haskell Comparision with Haskell rusoto / amazonka Build

Future work Future work Implement putall subcommand Provide cli subcommand

Questions Questions