Join the conversation #devseccon By Jakob Holderbaum / @hldrbm Managing Shared Secrets using Basic Unix Tools

Jakob Holderbaum - Managing Shared secrets using basic Unix tools



Join the conversation #devseccon

By Jakob Holderbaum / @hldrbm

Managing Shared Secrets using Basic Unix Tools

What are shared Secrets?

// Literal in source: the comparison table below rates this ++ syncable, − secure, − flexible
// (the secret ships with every copy of the code).
var PASSWORD = 'sn4k3oil'

// Config file: the comparison table below rates this − syncable, + secure, + flexible.
// NOTE(review): if `yaml` is js-yaml < 4, load() also resolves unsafe custom tags — use
// safeLoad() there; from 4.x load() is the safe default and safeLoad() is gone.
var PASSWORD = yaml.load(fs.readFileSync('secrets.yml')).password

// Environment variable: the comparison table below rates this − syncable, + secure, ++ flexible;
// the rest of the talk uses pass + GPG to make this variant syncable as well.
var PASSWORD = process.env.PASSWORD

syncable secure flexible

constant in code ++ − −

config file − + +

environment − + ++

GPG

“GNU Privacy Guard”

GPG

“GNU Privacy Guard”

pass

“the standard unix password manager”

pass

“the standard unix password manager”

brew install pass
sudo apt-get install pass
sudo pacman -S pass
...

An example application

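var express = require('express')
var app = express()

// Credentials come from the environment (set via `heroku config:set` below), never from
// the source. Fail fast when they are missing: otherwise the app starts and later calls
// the GitHub API with `undefined` credentials, which is much harder to diagnose.
var user = process.env.GITHUB_USER
var apiToken = process.env.GITHUB_API_TOKEN
if (!user || !apiToken) {
  console.error('GITHUB_USER and GITHUB_API_TOKEN must be set')
  process.exit(1)
}

// PORT is provided by the platform; 5000 is the local-development fallback.
var port = process.env.PORT || 5000

app.get('/', function (req, res) {
  // Implement GitHub API call using `user` and `apiToken`
})

app.listen(port, function () {
  console.log('App listening on port ' + port)
})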

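var express = require('express')
var app = express()

// Credentials come from the environment (set via `heroku config:set` below), never from
// the source. Fail fast when they are missing: otherwise the app starts and later calls
// the GitHub API with `undefined` credentials, which is much harder to diagnose.
var user = process.env.GITHUB_USER
var apiToken = process.env.GITHUB_API_TOKEN
if (!user || !apiToken) {
  console.error('GITHUB_USER and GITHUB_API_TOKEN must be set')
  process.exit(1)
}

// PORT is provided by the platform; 5000 is the local-development fallback.
var port = process.env.PORT || 5000

app.get('/', function (req, res) {
  // Implement GitHub API call using `user` and `apiToken`
})

app.listen(port, function () {
  console.log('App listening on port ' + port)
})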

$ git push heroku master:master

$ heroku config:set GITHUB_USER="holderbaum" \
    GITHUB_API_TOKEN="sn4k3oil"

Let’s build a secret store!

$ export PASSWORD_STORE_DIR=~/code/app/secrets
$ export MY_ID=5244D411CD7CBA95
$ pass init $MY_ID

$ export PASSWORD_STORE_DIR=~/code/app/secrets
$ export MY_ID=5244D411CD7CBA95
$ pass init $MY_ID

$ export PASSWORD_STORE_DIR=~/code/app/secrets
$ export MY_ID=5244D411CD7CBA95
$ pass init $MY_ID

$ export PASSWORD_STORE_DIR=~/code/app/secrets
$ pass add production/user
$ pass add production/api_token

$ export PASSWORD_STORE_DIR=~/code/app/secrets
$ pass show production/api_token
"sn4k3oil"

$ find ~/code/app/secrets

~/code/app/secrets/.gpg_id
~/code/app/secrets/production/user.gpg
~/code/app/secrets/production/api_token.gpg

$ cat ~/code/app/secrets/.gpg_id
5244D411CD7CBA95

$ find ~/code/app/secrets

~/code/app/secrets/.gpg_id
~/code/app/secrets/production/user.gpg
~/code/app/secrets/production/api_token.gpg

$ cat ~/code/app/secrets/.gpg_id
5244D411CD7CBA95

$ export PASSWORD_STORE_DIR=~/code/app/secrets
$ pass ls
+-- production

    |-- api_token
    +-- user

$ export PASSWORD_STORE_DIR=~/code/app/secrets
$ export USER=`pass show production/user`
# (note: this overrides the shell's own USER variable for the rest of the session)
$ export TOKEN=`pass show production/api_token`
$ heroku config:set GITHUB_USER=$USER \

GITHUB_API_TOKEN=$TOKEN

$ export PASSWORD_STORE_DIR=~/code/app/secrets
$ export USER=`pass show production/user`
# (note: this overrides the shell's own USER variable for the rest of the session)
$ export TOKEN=`pass show production/api_token`
$ heroku config:set GITHUB_USER=$USER \

GITHUB_API_TOKEN=$TOKEN

Working with a Team

Roll On

$ export PASSWORD_STORE_DIR=~/code/app/secrets
$ export MY_ID=5244D411CD7CBA95
$ export ADAS_ID=44A7B1E354AF81E2
$ export ALANS_ID=BA29EE533AF39B21
$ pass init $MY_ID $ADAS_ID $ALANS_ID

$ export PASSWORD_STORE_DIR=~/code/app/secrets
$ export MY_ID=5244D411CD7CBA95
$ export ADAS_ID=44A7B1E354AF81E2
$ export ALANS_ID=BA29EE533AF39B21
$ pass init $MY_ID $ADAS_ID $ALANS_ID

$ cat ~/code/app/secrets/.gpg_id
5244D411CD7CBA95
44A7B1E354AF81E2
BA29EE533AF39B21

$ cat ~/code/app/secrets/.gpg_id
5244D411CD7CBA95
44A7B1E354AF81E2
BA29EE533AF39B21

Roll Off (re-running `pass init` without a key re-encrypts the store for the remaining members only; secrets the departing member could already read should still be rotated)

$ export PASSWORD_STORE_DIR=~/code/app/secrets
$ export MY_ID=5244D411CD7CBA95
$ export ADAS_ID=44A7B1E354AF81E2
$ pass init $MY_ID $ADAS_ID

$ export PASSWORD_STORE_DIR=~/code/app/secrets
$ export MY_ID=5244D411CD7CBA95
$ export ADAS_ID=44A7B1E354AF81E2
$ pass init $MY_ID $ADAS_ID

$ cat ~/code/app/secrets/.gpg_id
5244D411CD7CBA95
44A7B1E354AF81E2

$ cat ~/code/app/secrets/.gpg_id
5244D411CD7CBA95
44A7B1E354AF81E2

What have we achieved?

Join the conversation #devseccon

Find an online version of this talk:

https://jakob.io/devseccon16