Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Managing Secrets IN AWS

Ebf974e0dbcfe88c508df6f395661a4b?s=47 Mark Wolfe
February 24, 2016

Managing Secrets IN AWS

Talk I gave at the AWS Users Group Meetup in Melbourne, Australia on 24th of Feb 2016


Mark Wolfe

February 24, 2016



  2. WHO IS THIS GUY? • Mark Wolfe • Devops at

    Versent (we are always Hiring) • I still code.
  3. WHY? • Everything we build has secrets • Passwords and

    API keys for a plethora of services we consume • We don’t want to put these secrets in our code!? • We want to control and audit access to our secrets
  4. KMS? • What is KMS? • Hardware Security Modules (HSMs)

    • Access control using IAM • Auditing provided by Cloudtrail
  5. KMS? • Encrypt, decrypt, and re-encrypt data • Generate data

    keys that can be exported from the service • Generate random numbers
  6. DATA KEYS • Generate a Key • Returns the Key

    Encrypted and Decrypted • Use the Key to encrypt • Append the Encrypted Key and Encrypted data together and store
  7. DATA KEYS CONT. • Decrypt • Read in the file

    and split into the Encrypted Key and Encrypted Data • Pass the Encrypted Key blog to KMS and get back the Decrypted Key • Use the Decrypted Key to Decrypt the data
  8. ENCRYPTION 101 • Don’t trust input data EVER • If

    your using AES ensure you also have a HMAC signature for the encrypted data • Validate the signature prior to decrypting the data • Or use secret box by Dan Bernstein (DJB)
  9. CREDSTASH • Uses KMS + DynamoDB to securely store credentials

    IN AWS • KMS is controlled by IAM, so therefore so is Credstash • Versent maintains a fork of credstash which is called unicreds!
  10. UNICREDS • Written in golang • Single static binary •

    Works on Windows, Linux and OSX • Adds a few additional features, more in the works
  11. CODE

  12. OTHER PROJECTS • credstash, the original in Python, well worth

    reviewing! • coffer, stores bundles of encrypted files in S3 also using KMS for key management • aws-vault, securely store and access credentials for AWS
  13. TAKEAWAYS • Keep secrets IN your AWS account using tools

    such as credstash, unicreds and coffer! • KMS is a great service, if your interested download the SDK and give it a try • Try these tools and out discuss whats good/bad/ ugly for you!
  14. QUESTIONS • Fire away. • @wolfeidau on Twitter • wolfeidau

    on Github • Website www.wolfe.id.au