Secrets Management

Encrypt / Decrypt

  Encrypt:

  1. Generate a fresh encryption key, the data key (a new one for every secret)

  2. Use this data key to encrypt the data

  3. Encrypt (wrap) the data key with a master key that never leaves KMS

  4. Discard the plaintext data key; keep only the wrapped key alongside the ciphertext

  Decrypt:

  1. Fetch the wrapped data key and the encrypted data

  2. Ask KMS to decrypt (unwrap) the data key; KMS hands back the data key, never the master key

  3. Use the decrypted data key to decrypt the encrypted data

Enter Credstash

  1. Create a master key in KMS with the alias credstash (the key credstash uses by default)
  2. credstash put super.secret 1234asdf
    1. asks KMS for a 64-byte data key (one half for encryption, one half for an HMAC)
    2. encrypts the value with the data key and HMAC-SHA256s the ciphertext
    3. KMS returns that data key already wrapped under the master key; the plaintext copy is discarded
    4. stores the credential (name, version, ciphertext, HMAC) in DynamoDB, along with the wrapped data key
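The two procedures above, envelope encrypt/decrypt and what credstash put and get do with the result, as one added example. This is not code from the deck or from credstash: LocalKms is an assumed stand-in for AWS KMS (its master key never leaves the object, and generate_data_key/decrypt mirror kms.generate_data_key/kms.decrypt), HMAC-SHA256 in counter mode stands in for credstash's AES-CTR so it runs with the standard library only, a dict stands in for the DynamoDB table, and the app=billing encryption context is an assumed value.

```python
# Envelope encryption in the credstash style: an added example, not credstash's code.
# Assumptions so it runs offline: LocalKms stands in for AWS KMS (its master key never
# leaves the object; generate_data_key/decrypt mirror kms.generate_data_key/kms.decrypt),
# HMAC-SHA256 in counter mode stands in for AES-CTR, and a dict stands in for DynamoDB.
import hashlib
import hmac
import secrets


def _ctr_xor(key: bytes, data: bytes) -> bytes:
    # PRF keystream, block i = HMAC(key, i); fine only because every secret
    # gets its own fresh data key, which envelope encryption guarantees.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


class LocalKms:
    def __init__(self):
        self._master = secrets.token_bytes(32)  # step 3's master key, never returned

    def _keys(self, context):
        # KMS binds the encryption context to the wrapped key; derive per-context subkeys.
        ctx = "&".join(f"{k}={context[k]}" for k in sorted(context)).encode()
        return (hmac.new(self._master, b"enc|" + ctx, hashlib.sha256).digest(),
                hmac.new(self._master, b"mac|" + ctx, hashlib.sha256).digest())

    def generate_data_key(self, context, size=64):
        # Like kms.generate_data_key: returns (Plaintext, CiphertextBlob) in one call.
        enc, mac = self._keys(context)
        plaintext = secrets.token_bytes(size)
        wrapped = _ctr_xor(enc, plaintext)
        return plaintext, wrapped + hmac.new(mac, wrapped, hashlib.sha256).digest()

    def decrypt(self, blob, context):
        # Like kms.decrypt: unwraps only under the same context the key was made with.
        enc, mac = self._keys(context)
        wrapped, tag = blob[:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(mac, wrapped, hashlib.sha256).digest()):
            raise PermissionError("KMS: invalid ciphertext or encryption context")
        return _ctr_xor(enc, wrapped)


class CredentialStore:
    def __init__(self, kms):
        self.kms = kms
        self.table = {}  # (name, version) -> item; stands in for DynamoDB, int versions

    def latest_version(self, name):
        return max((v for (n, v) in self.table if n == name), default=0)

    def put(self, name, value, context=None, version=None):
        context = context or {}
        version = version or self.latest_version(name) + 1
        if (name, version) in self.table:
            raise ValueError(f"{name} v{version} exists; rotate by writing a new version")
        data_key, wrapped = self.kms.generate_data_key(context)  # steps 1 and 3
        enc_key, mac_key = data_key[:32], data_key[32:]          # credstash's 32/32 split
        contents = _ctr_xor(enc_key, value.encode())             # step 2
        tag = hmac.new(mac_key, contents, hashlib.sha256).hexdigest()
        self.table[(name, version)] = {"name": name, "version": version, "key": wrapped,
                                       "contents": contents, "hmac": tag}
        del data_key, enc_key, mac_key                           # step 4
        return version

    def get(self, name, context=None, version=None):
        context = context or {}
        item = self.table[(name, version or self.latest_version(name))]
        data_key = self.kms.decrypt(item["key"], context)        # unwrap via KMS
        enc_key, mac_key = data_key[:32], data_key[32:]
        expected = hmac.new(mac_key, item["contents"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, item["hmac"]):      # verify before decrypting
            raise ValueError(f"{name}: HMAC mismatch, ciphertext was altered")
        return _ctr_xor(enc_key, item["contents"]).decode()


def demo():
    """Round trip, rotation, wrong encryption context, and a tampered row."""
    store = CredentialStore(LocalKms())
    ctx = {"app": "billing"}  # assumed context, like `credstash put super.secret 1234asdf app=billing`
    store.put("super.secret", "1234asdf", ctx)
    store.put("super.secret", "rotated-5678", ctx)
    r = {"latest": store.get("super.secret", ctx), "v1": store.get("super.secret", ctx, version=1)}
    try:
        store.get("super.secret", {"app": "other"})
        r["wrong_ctx"] = "decrypted"
    except PermissionError:
        r["wrong_ctx"] = "refused"
    row = store.table[("super.secret", 2)]
    row["contents"] = row["contents"][:-1] + bytes([row["contents"][-1] ^ 1])
    try:
        store.get("super.secret", ctx)
        r["tampered"] = "decrypted"
    except ValueError:
        r["tampered"] = "rejected"
    r["plaintext_in_table"] = any(b"1234asdf" in i["contents"] + i["key"] for i in store.table.values())
    return r


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when you run it: the table never holds the plaintext value or the plaintext data key, only the wrapped key next to the ciphertext, and a reader who presents a different encryption context is refused by "KMS" before any secret material is touched, while a flipped ciphertext byte is caught by the HMAC before decryption.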
Saving and Updating Secrets

IAM policy for a principal that only writes secrets: kms:GenerateDataKey to mint and wrap a data key, dynamodb:PutItem to store the row. It grants no kms:Decrypt, so this principal can add new versions but cannot read back anything in the table.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "kms:GenerateDataKey"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:kms:us-east-1:AWSACCOUNTID:key/KEY-GUID"
    },
    {
      "Action": [
        "dynamodb:PutItem"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:dynamodb:us-east-1:AWSACCOUNTID:table/credential-store"
    }
  ]
}
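The policy above covers the writer side. As an added example, not from the deck, here is the matching reader policy for a principal that only runs credstash get, using the same AWSACCOUNTID and KEY-GUID placeholders. credstash get uses dynamodb:Query to find the latest version and dynamodb:GetItem when a version is named, and needs kms:Decrypt to unwrap the data key. The kms:EncryptionContext condition assumes the secrets were written with an app=billing context (credstash put super.secret 1234asdf app=billing, read back with credstash get super.secret app=billing); without such a condition any reader with kms:Decrypt on this key can unwrap every row it can fetch from the table.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "kms:Decrypt"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:kms:us-east-1:AWSACCOUNTID:key/KEY-GUID",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:app": "billing"
        }
      }
    },
    {
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:dynamodb:us-east-1:AWSACCOUNTID:table/credential-store"
    }
  ]
}
```

Keep writer and reader as separate principals: the writer needs GenerateDataKey and PutItem only, the reader needs Decrypt and read access only, and nothing outside KMS ever sees the master key.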

Secrets Mgmt w/ Credstash

By Tim O'Guin
