End-to-End Crypto: Secrets
As part of an ongoing series, we’re highlighting the benefits and advantages of various end-to-end encryption tools for messaging, file storage, and secret management.
Long-lived data isn’t the only thing that benefits from end-to-end encryption. Sometimes simple, short strings need the same level of protection. This is exactly the case with secrets. The idea is that you encrypt a piece of data on one computer, and it stays securely protected until it’s needed on another.
When dealing with secrets, the “point A” is the creator of an account. The “point B” is another entity that needs to use the secret -- this could be a coworker with a shared login or a sever with specific access to a protected resource. These secrets should still be encrypted at rest so any unauthorized parties who gain access cannot use them. Accessing and decrypting this data should be easy for authorized parties.
Let’s review some options for both peer-to-peer secret sharing and secure ways to share secrets with development environments.
Two of the flagship personal secrets managers on the market today are LastPass and 1Password. Both applications operate under a similar principal: all of your site and application specific passwords are stored encrypted by a single, master password. This is a huge win for consumer grade security, as users won’t have to remember different password for the 90 different accounts they use.
It’s also a win in an enterprise environment; both applications present simple models for sharing passwords between individuals and environments. You store a secret in the system, then provide access to that secret to the rest of your team. No one holds on to the plain text; they all get an encrypted copy of the secret. You also have the ability to audit secrets at any time.
Neither LastPass or 1Password have access to your secrets at any time. Software encrypts everything on the client side, using credentials under your control. At the very worst, the vendors can leak encrypted copies of your data
An alternative pattern for sharing secrets across your team is the free One-Time Secret application.
Whereas LastPass and 1Password allow for the long-term sharing and coordination of secrets, One-Time Secret allows for the limited (one-time) sharing of any text data. If you need to send a single credential, securely, from point A to B you could do so using One-Time Secret. The hosted server doesn’t store any data permanently. The data also automatically deletes itself once it’s been accessed. You can also proactively encrypt the data with an independent passphrase.
Plus, One-Time Secret is open source, so you can easily host it on your own infrastructure.
Not every secret you use is a password; some secrets are privileged credentials for programmatic resource access. These secrets might be the API keys for access hosting resources (AWS) or billing services (Stripe). Accidentally leaking these secrets can have hugely detrimental effects on your business.
Unfortunately, password managers are meant to share secrets between individuals. You can’t use a traditional password manager to share secrets between computers or handle secrets used in code.
Luckily, tools like GitCrypt enable transparent encryption and decryption of secrets in a source repository. GitCrypt is a developer tool that will filter files that contain secrets, automatically encrypting the data before writing it to the repository. Assuming proper permissions, GitCrypt automatically decrypts data as needed. GitCrypt is also open source and available for free.
AmazonKey Management Service (KMS) is one of the amazing tools in Amazon’s hosted cloud. You can use KMS to encrypt arbitrary data (a secret or otherwise) with a key hosted on Amazon’s servers. You can later use the same key (again, through Amazon) to decrypt that data when its needed.
Access to keys is controlled using Amazon’s own Identity and Access Management (IAM) service, giving you reliable control over who has permission to do what with the protected data. Amazon tracks the use of your keys, creating a solid audit trail for data access and secret management.
As useful as Amazon’s KMS utility can be, it’s still a developer utility. This means it’s a solid base for other applications, but not very useful in isolation for managing secrets. Instead, tools like Credstash allow for more user-friendly access to low-level utilities like KMS.
Credstash is a command-line tool that allows for the creation of secure secrets, encrypted with KMS-hosted keys, stored in the cloud. Credstash makes it easy for a development team to securely share passwords with one another or with a server environment. The tool encrypts all data before it’s stored and only decrypts it when needed.
Is it enough?
The principle behind end-to-end encryption is straight-forward: data is stored (or sent) encrypted and can only ever be decrypted when it’s reached its destination. Messages and emails are only decrypted when received. Files are only decrypted when accessed by an authorized party. Passwords are only decrypted when they need to be use to authenticate.
All of the utilities detailed above help ensure data stays safe and secure at all times. Together these pieces add up to a solid approach to protecting your data, even if no one utility is the best solo solution.
Next month, we’ll go into even further detail on some of the utilities above in a deep dive on secrets management for development.