
Rust + Credstash

Sibi
January 08, 2020


Transcript

  1. (Ru)credstash
    Sibi Prabakaran
    Jan 8, 2020

  2. Motivation
    Wanted to use Rust somewhere!
    Was looking for a project: heard about this tool when J created a ticket for one of
    our clients
    Summary of the talk: the what and how of credstash

  3. Credstash
    History
    AWS launches KMS in 2014
    Fugue launches the credstash tool in 2015
    Credential management and distribution system
    Depends on AWS infrastructure (KMS and DynamoDB)
    Alternatives
    Vault
    sneaker - secrets are managed via S3 buckets
    cryptic

  4. Pricing
    Depends primarily on the number of keys you have.

  5. Usage examples
    Authenticate with AWS
    Via AWS keys
    AWS profiles
    rucredstash --profile sibi-admin
    MFA
    rucredstash --mfa_serial mfa_arn_id

  6. Usage examples
    Set up the DynamoDB table.
    Put a secret
    Get a secret
    Delete a secret
    $ rucredstash setup
    $ rucredstash put "dbpassword" "difficult_password"
    $ rucredstash get "dbpassword"
    $ rucredstash delete "dbpassword"

  7. More examples
    $ rucredstash getall
    {
    "dbpassword":"difficult_password"
    }
    $ rucredstash list
    dbpassword -- version 000000000000001 --comment
    $ rucredstash keys
    dbpassword

  8. KMS Concepts
    CMK (Customer Master Key): lives inside KMS and never leaves it
    Data Key: generated by KMS, returned in plaintext and encrypted under the CMK

  9. Put Algorithm
    Generate a 64-byte data key (KMS returns it in plaintext and encrypted under the CMK).
    Split the key in half.
    Encrypt the credential with the first half using the AES algorithm (CTR mode).
    Compute the HMAC of the encrypted text with the second half.
    Store them in the DynamoDB table.
    $ credstash put dbpassword difficult_password

  10. Get Algorithm
    Fetch the corresponding row from DynamoDB.
    Decrypt the encrypted data key using KMS.
    Split the key in half.
    Verify the HMAC of the encrypted text.
    Decrypt the credential using the first half of the key.
    $ credstash get dbpassword
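The three slides above (KMS concepts, put, get) describe one envelope-encryption scheme. The following is an added worked model of it, written for this transcript; it is not code from rucredstash or credstash. Everything in it is an assumption of the example: `FakeKMS` stands in for AWS KMS (the CMK stays inside the object and only data keys and opaque wrapped blobs come out), an in-memory dict stands in for the DynamoDB table, the record field names are the example's own, and, so that it runs on the Python standard library alone, the AES-CTR step is replaced by a CTR-mode keystream derived from HMAC-SHA256 (the key split, encrypt-then-MAC, and verify-before-decrypt structure is what the example is about, not the block cipher).

```python
import base64
import hashlib
import hmac
import os

# Fixed start counter for the credential cipher. Safe only because every data key
# encrypts exactly one value; the CMK wrap below reuses a key and so needs a nonce.
ZERO_NONCE = b"\x00" * 16


class IntegrityError(Exception):
    """Raised when a stored HMAC does not match the ciphertext it covers."""


def ctr_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-mode stream cipher. credstash uses AES-CTR; this stand-in (an assumption of
    the example) derives the keystream from HMAC-SHA256(key, nonce || counter).
    XOR is its own inverse, so the same call both encrypts and decrypts."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


class FakeKMS:
    """Stand-in for AWS KMS, constructed for this example. The CMK never leaves this
    object; callers only see plaintext data keys and wrapped blobs."""

    def __init__(self) -> None:
        self._cmk = os.urandom(32)

    def generate_data_key(self, number_of_bytes: int = 64):
        plaintext = os.urandom(number_of_bytes)
        nonce = os.urandom(16)  # fresh nonce: the CMK is reused across every wrap
        body = ctr_stream(self._cmk, nonce, plaintext)
        tag = hmac.new(self._cmk, nonce + body, "sha256").digest()
        return plaintext, nonce + body + tag

    def decrypt(self, blob: bytes) -> bytes:
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._cmk, nonce + body, "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            raise IntegrityError("wrapped data key has been altered")
        return ctr_stream(self._cmk, nonce, body)


def put_secret(table: dict, kms: FakeKMS, name: str, value: str,
               version: int = 1, digest: str = "SHA256") -> dict:
    """The put algorithm: data key, split, encrypt, HMAC, store.
    `table` is an in-memory dict standing in for the DynamoDB table."""
    data_key, wrapped_key = kms.generate_data_key(64)                   # 1. 64-byte data key
    enc_key, hmac_key = data_key[:32], data_key[32:]                     # 2. split in half
    ciphertext = ctr_stream(enc_key, ZERO_NONCE, value.encode())        # 3. encrypt, first half
    tag = hmac.new(hmac_key, ciphertext, digest.lower()).hexdigest()    # 4. MAC, second half
    item = {                                                             # 5. store the row
        "name": name,
        "version": f"{version:015d}",          # zero-padded like the `list` output above
        "key": base64.b64encode(wrapped_key).decode(),
        "contents": base64.b64encode(ciphertext).decode(),
        "hmac": tag,
        "digest": digest,
    }
    table.setdefault(name, {})[item["version"]] = item
    return item


def get_secret(table: dict, kms: FakeKMS, name: str, version=None) -> str:
    """The get algorithm: fetch row, unwrap data key, split, verify HMAC, decrypt.
    Verification comes first, so a tampered row never reaches the cipher."""
    versions = table[name]                                               # 1. fetch the row
    item = versions[version or max(versions)]                            #    (latest by default)
    data_key = kms.decrypt(base64.b64decode(item["key"]))                # 2. KMS unwraps the key
    enc_key, hmac_key = data_key[:32], data_key[32:]                     # 3. split in half
    ciphertext = base64.b64decode(item["contents"])
    expected = hmac.new(hmac_key, ciphertext, item["digest"].lower()).hexdigest()
    if not hmac.compare_digest(expected, item["hmac"]):                 # 4. verify, constant-time
        raise IntegrityError(f"HMAC mismatch for {name}; refusing to decrypt")
    return ctr_stream(enc_key, ZERO_NONCE, ciphertext).decode()          # 5. decrypt, first half


if __name__ == "__main__":
    table, kms = {}, FakeKMS()
    put_secret(table, kms, "dbpassword", "difficult_password")
    print(get_secret(table, kms, "dbpassword"))
```

The `digest` field is what the "digest methods" on the comparison slide refer to: it names the hash the HMAC was computed with, so a reader can pick SHA512 on put and the get side still verifies. Flipping one byte of a stored `contents` value makes `get_secret` raise `IntegrityError` before any decryption happens, which is the property the verify-then-decrypt order buys.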

  11. Comparison with credstash
    Doesn't implement the putall subcommand (yet)
    Doesn't support the following digest methods: MD5, SHA224
    Supports MFA authentication!

  12. Comparison with Haskell
    rusoto / amazonka
    Build times
    Much better maintained
    Async code issues
    Crypto library
    Documentation of libraries

  13. Future work
    Implement the putall subcommand
    Provide a CLI subcommand to create a CMK
    Improve the error messages when it fails
    Embrace Rust's async/await model
    Musl-based binaries

  14. Questions