Motivation
- Wanted to use Rust somewhere!
- Was looking for a project: heard about this tool when J created a ticket for one of our clients
- Summary of the talk: the what and how of credstash
Credstash
History
- AWS launched KMS in 2014
- Fugue released the credstash tool in 2015
- Credential management and distribution system
- Depends on AWS infrastructure (KMS for key wrapping, DynamoDB for storage)
Alternatives
- Vault
- sneaker: secrets are managed via S3 buckets
- cryptic
Put Algorithm
- Generate a 64-byte data key through KMS (KMS returns the plaintext key together with a copy wrapped under the master key)
- Split the key into halves: the first half is the encryption key, the second half is the HMAC key
- Encrypt the credential with AES in CTR mode using the first half
- Compute the HMAC of the ciphertext using the second half
- Store the wrapped data key, the ciphertext and the HMAC as one row in the DynamoDB table
$ credstash put dbpassword difficult_password
Get Algorithm
- Fetch the corresponding row from DynamoDB
- Decrypt the wrapped data key using KMS
- Split the key into halves
- Verify the HMAC of the ciphertext using the second half; abort if it does not match, before any decryption happens
- Decrypt the credential using the first half of the key
$ credstash get dbpassword
Comparison with Haskell
- rusoto vs amazonka (AWS SDKs)
- Build times
- Which is better maintained
- Async code issues
- Crypto library
- Documentation of libraries
Future work
- Implement a putall subcommand
- Provide a CLI subcommand to create the CMK
- Improve the error message when it fails
- Embrace Rust's async/await model
- musl-based static binaries