
Rust + Credstash

Sibi
January 08, 2020



Transcript

  1. Motivation
     - Wanted to use Rust somewhere! Was looking for a project.
     - Heard about this tool when J created a ticket for one of our clients.
     - Summary of the talk: the what and how of Credstash.
  2. Credstash
     History:
     - AWS launched KMS in 2014.
     - Fugue launched the credstash tool in 2015.
     - Credential management and distribution system; depends on AWS infrastructure.
     Alternatives:
     - Vault
     - sneaker (secrets are managed via S3 buckets)
     - cryptic
  3. Usage examples
     Authenticate with AWS:
     - Via AWS keys
     - AWS profiles: rucredstash --profile sibi-admin
     - MFA: rucredstash --mfa_serial mfa_arn_id
  4. Usage examples
     Set up the DynamoDB table, put a secret, get it, delete it:
     $ rucredstash setup
     $ rucredstash put "dbpassword" "difficult_password"
     $ rucredstash get "dbpassword"
     $ rucredstash delete "dbpassword"
  5. More examples
     $ rucredstash getall
     { "dbpassword":"difficult_password" }
     $ rucredstash list
     dbpassword -- version 000000000000001 --comment
     $ rucredstash keys
     dbpassword
  6. Put algorithm
     - Generate a 64-byte data key.
     - Split the key into halves.
     - Encrypt the credential with AES in CTR mode, using the first half of the key.
     - Compute the HMAC of the encrypted text.
     - Store them in the DynamoDB table.
     $ credstash put dbpassword difficult_password
  7. Get algorithm
     - Fetch the corresponding row from DynamoDB.
     - Decrypt the encrypted data key using KMS.
     - Split the key into halves.
     - Verify the HMAC of the encrypted text.
     - Decrypt the credential using the first half of the key.
     $ credstash get dbpassword
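The put and get flows of slides 6 and 7, as an added example in Go using only the standard library (not rucredstash's Rust code): the first half of the 64-byte data key is the AES-256-CTR key, the second half keys HMAC-SHA256 over the ciphertext, and get checks the HMAC before it decrypts anything. KMS GenerateDataKey/Decrypt and the DynamoDB row are replaced by crypto/rand and a plain struct; the counter starting at 1 matches credstash's choice and is safe only because each put draws a fresh key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

type Item struct { // one credential row as credstash stores it in DynamoDB
	Contents []byte // AES-256-CTR ciphertext of the credential
	HMAC     []byte // HMAC-SHA256 over Contents, keyed with the data key's second half
}

// aesCTR runs AES-CTR with the counter starting at 1, as credstash does
// (safe only because every put draws a fresh random data key).
func aesCTR(key, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize)
	iv[aes.BlockSize-1] = 1
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// put: first half of a fresh 64-byte data key (KMS GenerateDataKey in credstash)
// encrypts, second half authenticates. Key returned in clear only to skip KMS here.
func put(secret string) (Item, []byte) {
	dataKey := make([]byte, 64)
	rand.Read(dataKey)
	contents := aesCTR(dataKey[:32], []byte(secret))
	mac := hmac.New(sha256.New, dataKey[32:])
	mac.Write(contents)
	return Item{Contents: contents, HMAC: mac.Sum(nil)}, dataKey
}

// get verifies the HMAC first and decrypts only if it matches.
func get(dataKey []byte, it Item) (string, error) {
	mac := hmac.New(sha256.New, dataKey[32:])
	mac.Write(it.Contents)
	if !hmac.Equal(mac.Sum(nil), it.HMAC) {
		return "", errors.New("HMAC mismatch: stored ciphertext was altered")
	}
	return string(aesCTR(dataKey[:32], it.Contents)), nil
}
```

In real credstash the key handed to get is what KMS Decrypt returns for the wrapped copy stored beside the row; the plaintext key is never written to the table.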
  8. Comparison with credstash
     - Doesn't implement the putall subcommand (yet).
     - Doesn't support the following digest methods: MD5, SHA224.
     - Supports MFA authentication!
  9. Comparison with Haskell
     rusoto / amazonka:
     - Build times
     - Much better maintained
     - Async code issues
     - Crypto library
     - Documentation of libraries
  10. Future work
     - Implement the putall subcommand.
     - Provide a CLI subcommand to create a CMK.
     - Improve the error message when it fails.
     - Embrace Rust's async/await model.
     - musl-based binaries.