WHY?
• Everything we build has secrets
• Passwords and API keys for a plethora of services we consume
• We don’t want to put these secrets in our code!?
• We want to control and audit access to our secrets
DATA KEYS
• Generate a Key
• Returns the Key Encrypted and Decrypted
• Use the Key to encrypt
• Append the Encrypted Key and Encrypted data together and store
DATA KEYS CONT.
• Decrypt
• Read in the file and split into the Encrypted Key and Encrypted Data
• Pass the Encrypted Key blob to KMS and get back the Decrypted Key
• Use the Decrypted Key to Decrypt the data
ENCRYPTION 101
• Don’t trust input data EVER
• If you’re using AES ensure you also have an HMAC signature for the encrypted data
• Validate the signature prior to decrypting the data
• Or use secretbox by Dan Bernstein (DJB)
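The two DATA KEYS slides and ENCRYPTION 101 describe one procedure: ask KMS for a data key, encrypt with it, store the wrapped key next to the ciphertext, and on the way back split the blob, unwrap the key, check the HMAC and only then decrypt. The Go program below is an added example written for this page, not code from credstash, unicreds or the AWS SDK. It assumes a constructed FakeKMS (XOR with a random master key) in place of the real kms.GenerateDataKey / kms.Decrypt calls so it runs offline, and assumes the credstash convention of a 64-byte data key split into a 32-byte AES key and a 32-byte HMAC key. The blob layout ([length][wrapped key][IV][ciphertext][tag]) is this example's own choice, not a documented format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// TagSize is the length of the HMAC-SHA256 tag that ends every blob.
const TagSize = sha256.Size

// FakeKMS is a constructed stand-in for AWS KMS so the example runs offline. Real
// code calls kms.GenerateDataKey and kms.Decrypt from the AWS SDK; the XOR below only
// models "the key comes back encrypted and decrypted" and is not real key wrapping.
type FakeKMS struct{ master [64]byte }

func NewFakeKMS() *FakeKMS {
	k := &FakeKMS{}
	rand.Read(k.master[:]) // crypto/rand.Read does not fail on supported platforms
	return k
}

func (k *FakeKMS) wrap(in []byte) []byte {
	out := make([]byte, len(in))
	for i := range in {
		out[i] = in[i] ^ k.master[i]
	}
	return out
}

// GenerateDataKey returns a fresh 64-byte data key in plaintext and wrapped form. As
// credstash does, bytes 0-31 become the AES key and bytes 32-63 the HMAC key.
func (k *FakeKMS) GenerateDataKey() (plain, wrapped []byte) {
	plain = make([]byte, len(k.master))
	rand.Read(plain)
	return plain, k.wrap(plain)
}

// Decrypt unwraps a key produced by GenerateDataKey (models kms.Decrypt).
func (k *FakeKMS) Decrypt(wrapped []byte) ([]byte, error) {
	if len(wrapped) != len(k.master) {
		return nil, errors.New("wrapped key has wrong length")
	}
	return k.wrap(wrapped), nil
}

// Seal produces [2-byte key length][wrapped key][IV][AES-256-CTR ciphertext][HMAC-SHA256
// over everything before it]. The wrapped key travels with the data; KMS/IAM gate opening it.
func Seal(kms *FakeKMS, plaintext []byte) ([]byte, error) {
	dataKey, wrapped := kms.GenerateDataKey()
	block, err := aes.NewCipher(dataKey[:32])
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	body := []byte{byte(len(wrapped) >> 8), byte(len(wrapped))}
	body = append(append(append(body, wrapped...), iv...), ct...)
	mac := hmac.New(sha256.New, dataKey[32:])
	mac.Write(body) // encrypt-then-MAC: the tag covers key, IV and ciphertext
	return mac.Sum(body), nil
}

// Open splits the blob, unwraps the data key through KMS, verifies the HMAC in constant
// time and only then runs AES, so unauthenticated bytes never reach the cipher.
func Open(kms *FakeKMS, blob []byte) ([]byte, error) {
	if len(blob) < 2+aes.BlockSize+TagSize {
		return nil, errors.New("blob too short")
	}
	body, tag := blob[:len(blob)-TagSize], blob[len(blob)-TagSize:]
	n := int(binary.BigEndian.Uint16(body[:2]))
	if len(body) < 2+n+aes.BlockSize {
		return nil, errors.New("blob truncated")
	}
	wrapped, iv, ct := body[2:2+n], body[2+n:2+n+aes.BlockSize], body[2+n+aes.BlockSize:]
	dataKey, err := kms.Decrypt(wrapped)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, dataKey[32:])
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("HMAC mismatch: refusing to decrypt")
	}
	block, err := aes.NewCipher(dataKey[:32])
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}
```

Two details carry the slides' points: the HMAC key comes back from KMS alongside the AES key, so the one KMS round trip happens before the tag check, but AES itself never touches the data until hmac.Equal has passed; and a blob sealed under one master key fails the tag check under another rather than producing garbage, because a wrong unwrapped key yields a wrong HMAC key.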
CREDSTASH
• Uses KMS + DynamoDB to securely store credentials IN AWS
• KMS is controlled by IAM, so access to credstash secrets is controlled by IAM too
• Versent maintains a fork of credstash which is called unicreds!
OTHER PROJECTS
• credstash, the original in Python, well worth reviewing!
• coffer, stores bundles of encrypted files in S3, also using KMS for key management
• aws-vault, securely store and access credentials for AWS
TAKEAWAYS
• Keep secrets IN your AWS account using tools such as credstash, unicreds and coffer!
• KMS is a great service; if you’re interested, download the SDK and give it a try
• Try these tools out and discuss what’s good/bad/ugly for you!