
Managing Secrets IN AWS

Mark Wolfe
February 24, 2016


Talk I gave at the AWS Users Group Meetup in Melbourne, Australia on 24th of Feb 2016



  1. WHO IS THIS GUY?
     • Mark Wolfe
     • DevOps at Versent (we are always hiring)
     • I still code.
  2. WHY?
     • Everything we build has secrets
     • Passwords and API keys for a plethora of services we consume
     • We don’t want to put these secrets in our code!
     • We want to control and audit access to our secrets
  3. KMS?
     • What is KMS?
     • Hardware Security Modules (HSMs)
     • Access control using IAM
     • Auditing provided by CloudTrail
  4. KMS?
     • Encrypt, decrypt, and re-encrypt data
     • Generate data keys that can be exported from the service
     • Generate random numbers
  5. DATA KEYS
     • Generate a key
     • KMS returns the key in both encrypted and decrypted form
     • Use the decrypted key to encrypt the data
     • Append the encrypted key and the encrypted data together and store them
  6. DATA KEYS CONT.
     • Decrypt
     • Read in the file and split it into the encrypted key and the encrypted data
     • Pass the encrypted key blob to KMS and get back the decrypted key
     • Use the decrypted key to decrypt the data
  7. ENCRYPTION 101
     • Don’t trust input data, EVER
     • If you’re using AES, ensure you also have an HMAC signature over the encrypted data
     • Validate the signature prior to decrypting the data
     • Or use secretbox by Dan Bernstein (DJB)
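The data-key flow from slides 5 and 6, with the AES + HMAC rule from slide 7 applied, as an added Go example that is not from the talk or from unicreds. KMS is replaced by a local stand-in master key so it runs offline; the names Encrypt, Decrypt and aesCTR and the blob layout are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// masterKey stands in for the KMS master key (constructed, all zero); real code calls KMS at the two "KMS stand-in" lines.
var masterKey = make([]byte, 32)
// aesCTR runs AES-256-CTR over in; the same XOR both encrypts and decrypts.
func aesCTR(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // callers always pass 32-byte keys
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}
// Encrypt (DATA KEYS): fresh 64-byte data key (32 AES + 32 HMAC); stored blob is wrapIV(16)||wrappedKey(64)||iv(16)||ct||hmac(32).
func Encrypt(plaintext []byte) ([]byte, error) {
	r := make([]byte, 96) // wrap IV (16) || data key (64) || data IV (16)
	if _, err := rand.Read(r); err != nil {
		return nil, err
	}
	wrapIV, dataKey, iv := r[:16], r[16:80], r[80:]
	blob := append(append(append([]byte{}, wrapIV...), aesCTR(masterKey, wrapIV, dataKey)...), iv...) // KMS stand-in
	blob = append(blob, aesCTR(dataKey[:32], iv, plaintext)...)
	mac := hmac.New(sha256.New, dataKey[32:]) // encrypt-then-MAC over the whole blob
	mac.Write(blob)
	return mac.Sum(blob), nil
}
// Decrypt (DATA KEYS CONT., ENCRYPTION 101): split, unwrap the data key, verify the HMAC, only then decrypt.
func Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 16+64+16+32 { // never trust stored input
		return nil, errors.New("blob too short")
	}
	body, tag := blob[:len(blob)-32], blob[len(blob)-32:]
	dataKey := aesCTR(masterKey, body[:16], body[16:80]) // KMS stand-in
	mac := hmac.New(sha256.New, dataKey[32:])
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("HMAC mismatch, refusing to decrypt")
	}
	return aesCTR(dataKey[:32], body[80:96], body[96:]), nil
}
```

A flipped bit anywhere in the stored blob, including inside the wrapped key, is rejected by the HMAC check before any ciphertext is touched.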
  8. CREDSTASH
     • Uses KMS + DynamoDB to securely store credentials IN AWS
     • KMS is controlled by IAM, so therefore so is credstash
     • Versent maintains a fork of credstash called unicreds!
  9. UNICREDS
     • Written in Go
     • Single static binary
     • Works on Windows, Linux and OS X
     • Adds a few additional features, with more in the works
  10. OTHER PROJECTS
     • credstash, the original in Python, well worth reviewing!
     • coffer, stores bundles of encrypted files in S3, also using KMS for key management
     • aws-vault, securely stores and accesses credentials for AWS
  11. TAKEAWAYS
     • Keep secrets IN your AWS account using tools such as credstash, unicreds and coffer!
     • KMS is a great service; if you’re interested, download the SDK and give it a try
     • Try these tools out and discuss what’s good/bad/ugly for you!