
Rust + Credstash

Sibi
January 08, 2020


Transcript

  1. (Ru)credstash. Sibi Prabakaran, Jan 8, 2020

  2. Motivation. Wanted to use Rust somewhere! Was looking for a project: heard about this tool when J created a ticket for one of our clients. Summary of the talk: the what and how of Credstash.
  3. Credstash. History: AWS launches KMS in 2014; Fugue launches the credstash tool in 2015. A credential management and distribution system that depends on AWS infrastructure (KMS for key management, DynamoDB for storage). Alternatives: Vault; sneaker (secrets are managed via S3 buckets); cryptic.
  4. Pricing. Depends primarily on the number of keys you have (KMS bills per customer master key per month, plus a per-request charge).
  5. Usage examples. Authenticate with AWS via AWS keys, an AWS profile, or MFA:
    $ rucredstash --profile sibi-admin
    $ rucredstash --mfa_serial mfa_arn_id
  6. Usage examples. Set up the DynamoDB table, put a secret, get a secret, delete a secret:
    $ rucredstash setup
    $ rucredstash put "dbpassword" "difficult_password"
    $ rucredstash get "dbpassword"
    $ rucredstash delete "dbpassword"
  7. More examples. Dump all secrets, list names with versions, list key names only:
    $ rucredstash getall
    { "dbpassword":"difficult_password" }
    $ rucredstash list
    dbpassword -- version 000000000000001 --comment
    $ rucredstash keys
    dbpassword
  8. KMS concepts. CMK (customer master key: lives in KMS and never leaves it; every KMS call is authorised and logged against it). Data key (generated by KMS on request; returned both in plaintext, for use by the client, and encrypted under the CMK, for storage).

  9. Put algorithm. Ask KMS for a 64-byte data key (returned in plaintext plus wrapped under the CMK). Split the key in half: the first half is the AES key, the second half the HMAC key. Encrypt the credential with AES (CTR mode) under the first half. Compute the HMAC of the ciphertext under the second half. Store the wrapped data key, the ciphertext and the HMAC as one row in the DynamoDB table; the plaintext data key is discarded.
    $ credstash put dbpassword difficult_password
  10. Get algorithm. Fetch the corresponding row from DynamoDB. Decrypt the wrapped data key using KMS. Split the key in half. Verify the HMAC of the ciphertext with the second half (constant-time comparison, and before any decryption: encrypt-then-MAC). Decrypt the credential using the first half of the key.
    $ credstash get dbpassword
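The put and get algorithms of slides 9 and 10, as an added worked example that is not code from the talk or from rucredstash. It is written in Go rather than Rust only because Go's standard library ships AES-CTR, HMAC-SHA256 and a constant-time compare, so it runs without third-party crates. The `fakeKMS` type is an assumption standing in for AWS KMS: it wraps the 64-byte data key with AES-256-GCM under a local master key, where the real tool calls kms:GenerateDataKey and kms:Decrypt. The `Row` columns (name, version, key, contents, hmac, digest) follow credstash's DynamoDB layout; the sample secret is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// Row mirrors the columns credstash stores per secret in its DynamoDB table.
type Row struct{ Name, Version, Key, Contents, HMAC, Digest string }

// ErrIntegrity is returned when the stored HMAC does not match the ciphertext.
var ErrIntegrity = errors.New("credstash: HMAC mismatch, row corrupted or tampered with")

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// fakeKMS is a local stand-in for AWS KMS (an assumption of this example): data
// keys are wrapped with AES-256-GCM under a master key that never leaves it.
type fakeKMS struct{ master []byte }

func (k *fakeKMS) aead() cipher.AEAD {
	block, _ := aes.NewCipher(k.master) // 32-byte key, cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}

// GenerateDataKey mimics kms:GenerateDataKey with NumberOfBytes=64.
func (k *fakeKMS) GenerateDataKey() (plain, blob []byte) {
	plain, nonce := mustRandom(64), mustRandom(12)
	return plain, append(nonce, k.aead().Seal(nil, nonce, plain, nil)...)
}

func (k *fakeKMS) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("kms: blob too short")
	}
	return k.aead().Open(nil, blob[:12], blob[12:], nil)
}

// credstash uses AES-256-CTR with a fixed IV whose counter starts at 1; that is
// safe only because every put draws a fresh data key from KMS.
func aesCTR(key, in []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here
	iv := make([]byte, aes.BlockSize)
	iv[aes.BlockSize-1] = 1
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// Put: data key -> split -> AES-CTR (first half) -> HMAC-SHA256 (second half) -> row.
func Put(kms *fakeKMS, name, secret string, version int) Row {
	plain, blob := kms.GenerateDataKey()
	ct := aesCTR(plain[:32], []byte(secret))
	mac := hmac.New(sha256.New, plain[32:])
	mac.Write(ct)
	return Row{
		Name:     name,
		Version:  fmt.Sprintf("%019d", version), // zero-padded so string order matches numeric order
		Key:      base64.StdEncoding.EncodeToString(blob),
		Contents: base64.StdEncoding.EncodeToString(ct),
		HMAC:     hex.EncodeToString(mac.Sum(nil)),
		Digest:   "SHA256",
	}
}

// Get: unwrap the data key, split it, verify the HMAC in constant time, and
// only then decrypt (encrypt-then-MAC: nothing is decrypted on a mismatch).
func Get(kms *fakeKMS, r Row) (string, error) {
	blob, e1 := base64.StdEncoding.DecodeString(r.Key)
	ct, e2 := base64.StdEncoding.DecodeString(r.Contents)
	want, e3 := hex.DecodeString(r.HMAC)
	if e1 != nil || e2 != nil || e3 != nil || r.Digest != "SHA256" {
		return "", errors.New("credstash: malformed row or unsupported digest")
	}
	plain, err := kms.Decrypt(blob)
	if err != nil || len(plain) != 64 {
		return "", fmt.Errorf("kms: cannot unwrap data key: %v", err)
	}
	mac := hmac.New(sha256.New, plain[32:])
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), want) {
		return "", ErrIntegrity
	}
	return string(aesCTR(plain[:32], ct)), nil
}

func main() {
	kms := &fakeKMS{master: mustRandom(32)}
	row := Put(kms, "dbpassword", "difficult_password", 1)
	secret, err := Get(kms, row)
	fmt.Printf("%s v%s -> %q (err=%v)\n", row.Name, row.Version, secret, err)
}
```

Two things worth noticing when running it: putting the same secret twice yields different `key` and `contents` columns because each put draws a fresh data key, which is what makes the fixed CTR IV acceptable; and flipping a single ciphertext bit makes `Get` return `ErrIntegrity` without ever running AES, while a row wrapped under a different master key fails at the unwrap step instead.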
  11. Comparison with credstash. Doesn't implement the putall subcommand (yet). Doesn't support the following digest methods: MD5, SHA224. Supports MFA authentication!
  12. Comparison with Haskell. rusoto / amazonka; build times; much better maintained; async code issues; crypto library; documentation of libraries.
  13. Future work. Implement the putall subcommand. Provide a CLI subcommand to create a CMK. Improve the error messages when it fails. Embrace Rust's async/await model. Musl-based binaries.
  14. Questions