3 Things That Make Encryption Easier

General technology 2016-06-14

Almost everyone (especially in ops) knows they should be better about encrypting secret data. And yet most organizations have at least a few passwords and secret keys checked into Git somewhere.

The ideal solution would be for everyone at your company to use PGP all the time, but that is a huge pain. Encryption tools are annoying to use, and learning to use them correctly takes a significant investment of time. And if security is hard, people will always find a way to avoid it.

In the last few months, I’ve adopted 3 new technologies that make secure storage and exchange of secret information at least bearable.

1: Blackbox

StackExchange’s blackbox tool makes it easy to store encrypted data in a Git repository. First you need to import into your personal keyring all the PGP keys you want to grant access to. Then you initialize the blackbox directory structure:

Once you’ve initialized blackbox, you can start adding administrators, which are keys that will be granted access to the secret data in the repository:

Now you can start adding secrets securely:

I really like how this tool gives my team a distributed, version-controlled repository of secret information. We can even give other teams access to the repository without worrying about exposing secrets!

My team uses this tool for shared passwords and SSL private keys, and it works great.
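The workflow described above (import keys, initialize, add administrators, register files), wrapped in a script together with an audit that catches the most common blackbox mistake: a secret decrypted for editing and left on disk in plaintext. This is an added example, not code from the original post or from the blackbox project. It assumes the blackbox commands and gpg are on PATH for the bootstrap part; the administrator e-mail, repository path and file names are placeholders, and the fixture directory the audit is exercised against is constructed here so that the audit runs without gpg.

```shell
#!/bin/sh
# Added example (not from the original post or the blackbox project).
# Part 1 wraps the bootstrap workflow; part 2 audits a checkout for
# decrypted secrets that were left lying around.

# Part 1: bootstrap a repository. Runs only when blackbox is installed.
# The admin's public key must already be in your gpg keyring
# (e.g. gpg --import alice.asc); follow the "NEXT STEP" git commands
# that the blackbox tools print after each step.
bootstrap_blackbox_repo() {
    repo_dir="$1"        # existing git checkout (placeholder path)
    admin_email="$2"     # placeholder identity of the first administrator
    secret_file="$3"     # plaintext file to register, relative to the repo
    command -v blackbox_initialize >/dev/null 2>&1 ||
        { echo "blackbox is not installed" >&2; return 2; }
    (
        cd "$repo_dir" || exit 2
        blackbox_initialize yes &&          # 'yes' skips the confirmation prompt
        blackbox_addadmin "$admin_email" && # grants this key access to every secret
        blackbox_register_new_file "$secret_file"   # encrypts it as <file>.gpg
    )
}

# Part 2: audit. blackbox lists every managed file in blackbox-files.txt
# (under .blackbox/ in current versions, keyrings/live/ in older repos).
# For each entry the encrypted copy <file>.gpg must exist and the plaintext
# must NOT: a plaintext left behind by blackbox_edit_start without a matching
# blackbox_edit_end is a secret waiting to be committed.
check_no_plaintext_secrets() {
    repo_dir="$1"
    list=""
    for candidate in .blackbox/blackbox-files.txt keyrings/live/blackbox-files.txt; do
        if [ -f "$repo_dir/$candidate" ]; then list="$repo_dir/$candidate"; break; fi
    done
    [ -n "$list" ] || { echo "no blackbox file list under $repo_dir" >&2; return 2; }
    status=0
    while IFS= read -r rel || [ -n "$rel" ]; do
        [ -n "$rel" ] || continue
        if [ ! -f "$repo_dir/$rel.gpg" ]; then
            echo "MISSING ciphertext: $rel.gpg" >&2; status=1
        fi
        if [ -e "$repo_dir/$rel" ]; then
            echo "PLAINTEXT on disk: $rel" >&2; status=1
        fi
    done < "$list"
    return "$status"
}

# Constructed fixture that mimics a blackbox checkout so the audit can be
# exercised without gpg. Pass "yes" as the second argument to plant a leak.
make_fixture() {
    dir="$1"; leave_plaintext="$2"
    mkdir -p "$dir/.blackbox" "$dir/secrets"
    printf 'secrets/db-password.txt\n' > "$dir/.blackbox/blackbox-files.txt"
    printf 'constructed ciphertext, not a real PGP message\n' > "$dir/secrets/db-password.txt.gpg"
    if [ "$leave_plaintext" = yes ]; then
        printf 'hunter2\n' > "$dir/secrets/db-password.txt"   # the leak
    fi
}
```

Running `check_no_plaintext_secrets .` from a pre-commit hook or a CI job turns the "did I remember blackbox_edit_end?" question into an automatic check, which is the kind of guard rail that keeps the easy path and the secure path the same.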

Check it out.

2: Salt

At my company, we use Salt for config management. Like most config management systems, Salt lets you decouple the values in a config file from the file itself. You make a template of the config file that will appear on the node, and you put the values in a pillar (equivalent to a Chef databag, or a Puppet… whatever it’s called in Puppet).

So instead of storing a config file like this:

You store a template like this:

and a pillar (which is just a YAML file) like this:

Now suppose you don’t want to commit that super-secure password directly to your Salt repository. Instead, you can create a PGP keypair, and give the private key to your Salt server. Then you can encrypt the password with that key. Your pillar will now look like this:

When processing your template on the target node, Salt will seamlessly decrypt the password for you.
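How the encrypted pillar entry is produced, and how to check that it really stayed encrypted, as an added example that is not code from the original post or from the Salt project. It assumes gpg is installed and that the Salt master's keypair was generated into /etc/salt/gpgkeys (Salt's default gpg_keydir); the key id `salt-master@example.com`, the pillar key name and the file paths are placeholders, and the armored message used in the check is constructed, not a real PGP message.

```shell
#!/bin/sh
# Added example (not from the original post or the Salt project): build a
# pillar entry for salt.renderers.gpg and verify that a pillar file carries
# GPG armor, not plaintext, for the keys that must be secret.

# Directory holding the master's keypair; Salt's gpg renderer reads its
# private key from the master's gpg_keydir, which defaults to this path.
GPG_HOMEDIR="${GPG_HOMEDIR:-/etc/salt/gpgkeys}"

# Encrypt stdin to the master's key and print ASCII armor. Needs gpg.
encrypt_for_salt() {
    key_id="$1"   # placeholder: the master's key id or e-mail
    command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; return 2; }
    gpg --homedir "$GPG_HOMEDIR" --armor --batch --trust-model always \
        --encrypt -r "$key_id"
}

# Indent an armored message from stdin as a YAML literal block under KEY.
# This is the layout the gpg renderer looks for inside a '#!yaml|gpg' pillar.
yaml_literal_block() {
    key="$1"
    printf '%s: |\n' "$key"
    sed 's/^/  /'
}

# Build one pillar file on stdout: renderer shebang plus one encrypted key.
# Plaintext comes from stdin, e.g.
#   printf 'hunter2' | make_gpg_pillar db_password salt-master@example.com > secrets.sls
make_gpg_pillar() {
    pillar_key="$1"; key_id="$2"
    printf '#!yaml|gpg\n\n'
    encrypt_for_salt "$key_id" | yaml_literal_block "$pillar_key"
}

# Review check: every named key in FILE must be a literal block whose first
# line is a PGP armor header. Catches a reviewer's worst case, a pull request
# that replaced the armored block with the plaintext password.
pillar_keys_encrypted() {
    file="$1"; shift
    status=0
    for k in "$@"; do
        if ! awk -v k="$k" '
            $0 == (k ": |") { getline; if (index($0, "BEGIN PGP MESSAGE")) found = 1 }
            END { exit found ? 0 : 1 }' "$file"; then
            echo "pillar key '$k' in $file is not a GPG-armored block" >&2
            status=1
        fi
    done
    return "$status"
}
```

The decryption itself happens on the master when the pillar is compiled, so the minion only ever sees the decrypted value over the encrypted master/minion channel, and the private key never has to leave the master. `pillar_keys_encrypted pillar/secrets.sls db_password` is a cheap CI check for the "non-admins can submit pull requests" workflow the post describes.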

I love that I can give non-admins access to our Salt repo, and let them submit pull requests, without worrying about leaking passwords. To learn more about this Salt functionality, you can read the documentation for salt.renderers.gpg.

3: SecretShare

Salt’s GPG renderer and blackbox are great ways to store shared secret data, but what about transmitting secrets to particular people? In most organizations, when passwords and such need to be transmitted from employee to employee, insecure methods are used. Email, chat, and Google docs are very common media for transmitting secrets. They’re all saved indefinitely, meaning that an attacker who gains access to your account can gain access to all the secret info you’ve ever sent or received.

To make transmitting secrets as easy and secure as possible, my teammate Alex created secretshare. It lets you transmit arbitrary secret data to others in your organization, and it has immense advantages over other systems:

  • Secrets are never transmitted or stored in the clear, so a snooper can’t even read them if they manage to compromise the Amazon S3 bucket in which they’re stored.
  • Secrets are deleted from S3 after 24-48 hours, so a snooper can’t go back through the recipient’s or sender’s communication history later and retrieve them.
  • Secrets are encrypted with a one-time-use key, so a snooper can’t use the key from one secret to steal another.
  • Users don’t need Amazon AWS credentials, so a snooper can’t steal those credentials from a user.

Right now, secretshare only exists as a command-line utility, but we’re very close to having a web UI as well, which will make it even easier for non-technical people to use.

Security’s worst enemy is bad UX. It’s critical to make the most secure path also the easiest path. That’s what these three solutions aim to do, and they’ve made me feel much more comfortable with the security of secret data at my company. I hope they can do the same for you.

Content by: Dan Slimmon (source link). Thank you for your support!
