Jakob Holderbaum - Managing Shared secrets using basic Unix tools

0 likes370 views

The document discusses managing shared secrets for applications using basic Unix tools like GPG and the pass password manager. It describes storing secrets in an encrypted password store that multiple developers can access. Secrets like API tokens are added to the store and environment variables are used to access them when running applications without embedding secrets directly in code. The process for initializing a shared password store and adding/removing developer access is also covered.

Presentations & Public Speaking

Join the conversation #devseccon
By Jakob Holderbaum / @hldrbm
Managing Shared
Secrets using Basic
Unix Tools

var PASSWORD = yaml
.load(fs.readFileSync('secrets.yml'))
.password

syncable secure ﬂexible
constant in code ++ − −
conﬁg ﬁle − + +
environment − + ++

pass
“the standard unix password manager”

brew install pass
sudo apt-get install pass
sudo pacman -S pass
...

$var express = require('express') var app = express() var user = process.env.GITHUB_USER var apiToken = process.env.GITHUB_API_TOKEN var port = process.env.PORT || 5000 app.get('/', function (req, res) { // Implement GitHub API call }) app.listen(port, function () { console.log('App listening on port ' + port) })$

$ heroku config:set GITHUB_USER="holderbaum"
GITHUB_API_TOKEN="sn4k3oil"

$ export PASSWORD_STORE_DIR=~/code/app/secrets
$ export MY_ID=5244D411CD7CBA95
$ pass init $MY_ID

$ export PASSWORD_STORE_DIR=~/code/app/secrets
$ pass add production/user
$ pass add production/api_token

$ export PASSWORD_STORE_DIR=~/code/app/secrets
$ pass show production/api_token
"sn4k3oil"

$ find ~/code/app/secrets
~/code/app/secrets/.gpg_id
~/code/app/secrets/production/user.gpg
~/code/app/secrets/production/api_token.gpg

$ find ~/code/app/secrets
~/code/app/secrets/.gpg_id
~/code/app/secrets/production/user.gpg
~/code/app/secrets/production/api_token.gpg
$ cat ~/code/app/secrets/.gpg_id
5244D411CD7CBA95

$ export PASSWORD_STORE_DIR=~/code/app/secrets
$ pass ls
+-- production
|-- api_token
+-- user

$ export PASSWORD_STORE_DIR=~/code/app/secrets
$ export USER=`pass show production/user`
$ export TOKEN=`pass show production/api_token`
$ heroku config:set GITHUB_USER=$USER
GITHUB_API_TOKEN=$TOKEN

$ export PASSWORD_STORE_DIR=~/code/app/secrets
$ export MY_ID=5244D411CD7CBA95
$ export ADAS_ID=44A7B1E354AF81E2
$ export ALANS_ID=BA29EE533AF39B21
$ pass init $MY_ID $ADAS_ID $ALANS_ID

$ cat ~/code/app/secrets/.gpg_id
5244D411CD7CBA95
44A7B1E354AF81E2
BA29EE533AF39B21

$ export PASSWORD_STORE_DIR=~/code/app/secrets
$ export MY_ID=5244D411CD7CBA95
$ export ADAS_ID=44A7B1E354AF81E2
$ pass init $MY_ID $ADAS_ID

$ cat ~/code/app/secrets/.gpg_id
5244D411CD7CBA95
44A7B1E354AF81E2

Join the conversation #devseccon
Find an online version of this talk:
https://jakob.io/devseccon16

More Related Content

What's hot (20)

PDF

Open Canary - novahackersChris Gates

PDF

The journey of asyncio adoption in instagramJimmy Lai

PDF

Экспресс-анализ вредоносов / Crowdsourced Malware TriagePositive Hack Days

PPTX

Monitoring patterns for mitigating technical riskItai Frenkel

ODP

2014 ZAP Workshop 2: Contexts and FuzzingSimon Bennetts

PPTX

Malware Detection with OSSEC HIDS - OSSECCON 2014Santiago Bassett

PDF

Статический анализ кода в контексте SSDLPositive Hack Days

PDF

Snake bites : Python for PentestersAnant Shrivastava

PPTX

Advanced Weapons Training for the EmpireJeremy Johnson

PDF

N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...gmaran23

ODP

2014 ZAP Workshop 1: Getting StartedSimon Bennetts

PDF

Faraday Blackhat 2011 ArsenalFrancisco Müller Amato

PDF

SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...EC-Council

PPTX

Иван Новиков «Elastic search»Mail.ru Group

ODP

OWASP 2013 APPSEC USA ZAP HackathonSimon Bennetts

PPTX

Syntribos API Security Test AutomationMatthew Valdes

ODP

OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014gmaran23

ODP

BSides Manchester 2014 ZAP Advanced FeaturesSimon Bennetts

PPTX

Security in PHP - 那些在滲透測試的小技巧Orange Tsai

ODP

OWASP 2013 APPSEC USA Talk - OWASP ZAPSimon Bennetts

Open Canary - novahackersChris Gates

The journey of asyncio adoption in instagramJimmy Lai

Экспресс-анализ вредоносов / Crowdsourced Malware TriagePositive Hack Days

Monitoring patterns for mitigating technical riskItai Frenkel

2014 ZAP Workshop 2: Contexts and FuzzingSimon Bennetts

Malware Detection with OSSEC HIDS - OSSECCON 2014Santiago Bassett

Статический анализ кода в контексте SSDLPositive Hack Days

Snake bites : Python for PentestersAnant Shrivastava

Advanced Weapons Training for the EmpireJeremy Johnson

N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...gmaran23

2014 ZAP Workshop 1: Getting StartedSimon Bennetts

Faraday Blackhat 2011 ArsenalFrancisco Müller Amato

SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...EC-Council

Иван Новиков «Elastic search»Mail.ru Group

OWASP 2013 APPSEC USA ZAP HackathonSimon Bennetts

Syntribos API Security Test AutomationMatthew Valdes

OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014gmaran23

BSides Manchester 2014 ZAP Advanced FeaturesSimon Bennetts

Security in PHP - 那些在滲透測試的小技巧Orange Tsai

OWASP 2013 APPSEC USA Talk - OWASP ZAPSimon Bennetts

Viewers also liked (20)

PDF

Dev seccon london 2016 intelliment securityDevSecCon

PPT

DevSecOps Singapore introductionStefan Streichsbier

PDF

RoboCop: Bringing Law and Order to CI/CDFranklin Mosley

PPT

DevSecOps SG Introduction - August MeetupDevSecOpsSg

PDF

CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryPriyanka Aash

PDF

Vulnerability Advisor Deep Dive (Dec 2016)Canturk Isci

PPTX

The End of Security as We Know It - Shannon LietzSeniorStoryteller

PPTX

Safely Removing the Last Roadblock to Continuous DeliverySeniorStoryteller

PPTX

Rugged DevOps: Aligning Your Team and Your Powers for SuccessSeniorStoryteller

PDF

Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)Dominic Tancredi

PDF

The Art of Identifying Vulnerabilities - CascadiaFest 2015Adam Baldwin

PDF

Continuous Security - Thunderplains 2016Adam Baldwin

PDF

Evident io Continuous Compliance - Mar 2017Sebastian Taphanel CISSP-ISSEP

PDF

How can i find my security blind spots ulf mattsson - aug 2016Ulf Mattsson

PPTX

Null application security in an agile worldStefan Streichsbier

PPTX

Myths and realities of data security and compliance - Isaca Alanta - ulf matt...Ulf Mattsson

PPTX

Cloudsolutionday 2016: Compliance and cost controlling on AWSAWS Vietnam Community

PPTX

Unit testing : what are you missing for securitySuman Sourav

PDF

The Changing Landscape of Information SecurityDevSecOpsSg

PDF

Surrogate dependencies (in node js) v1.0Dinis Cruz

Dev seccon london 2016 intelliment securityDevSecCon

DevSecOps Singapore introductionStefan Streichsbier

RoboCop: Bringing Law and Order to CI/CDFranklin Mosley

DevSecOps SG Introduction - August MeetupDevSecOpsSg

CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryPriyanka Aash

Vulnerability Advisor Deep Dive (Dec 2016)Canturk Isci

The End of Security as We Know It - Shannon LietzSeniorStoryteller

Safely Removing the Last Roadblock to Continuous DeliverySeniorStoryteller

Rugged DevOps: Aligning Your Team and Your Powers for SuccessSeniorStoryteller

Dom & Tom NYC Healthcare Cloud Meetup Case Study (5/4)Dominic Tancredi

The Art of Identifying Vulnerabilities - CascadiaFest 2015Adam Baldwin

Continuous Security - Thunderplains 2016Adam Baldwin

Evident io Continuous Compliance - Mar 2017Sebastian Taphanel CISSP-ISSEP

How can i find my security blind spots ulf mattsson - aug 2016Ulf Mattsson

Null application security in an agile worldStefan Streichsbier

Myths and realities of data security and compliance - Isaca Alanta - ulf matt...Ulf Mattsson

Cloudsolutionday 2016: Compliance and cost controlling on AWSAWS Vietnam Community

Unit testing : what are you missing for securitySuman Sourav

The Changing Landscape of Information SecurityDevSecOpsSg

Surrogate dependencies (in node js) v1.0Dinis Cruz

Similar to Jakob Holderbaum - Managing Shared secrets using basic Unix tools (14)

PDF

Boxen: How to Manage an Army of LaptopsPuppet

PPT

Setting up github and ssh keys.pptLovely Professional University

PDF

KCDC- Keeping Secrets Out of Your PipelineGene Gotimer

PDF

Secrets Management and Delivery to Kubernetes PodsSatish Devarapalli

PDF

Securing APIsWSO2

PPTX

Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates

PDF

No more (unsecure) secrets, MartyMathias Herberts

PPTX

Nodejsvault austin2019Taswar Bhatti

PPTX

GIT, RVM, FIRST HEROKU APPPavel Tyk

PDF

Can we stop saving docker credentials in plain text now?David Yeung

PDF

Centralise legacy auth at the ingress gateway, SREdayAndrew Kirkpatrick

PDF

Centralise legacy auth at the ingress gatewayAndrew Kirkpatrick

PDF

José Selvi - Historia de un CryptoFAIL [rootedvlc4]RootedCON

KEY

How I Learned to Stop Worrying and Love the Cloud - Wesley Beary, Engine YardSV Ruby on Rails Meetup

Boxen: How to Manage an Army of LaptopsPuppet

Setting up github and ssh keys.pptLovely Professional University

KCDC- Keeping Secrets Out of Your PipelineGene Gotimer

Secrets Management and Delivery to Kubernetes PodsSatish Devarapalli

Securing APIsWSO2

Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates

No more (unsecure) secrets, MartyMathias Herberts

Nodejsvault austin2019Taswar Bhatti

GIT, RVM, FIRST HEROKU APPPavel Tyk

Can we stop saving docker credentials in plain text now?David Yeung

Centralise legacy auth at the ingress gateway, SREdayAndrew Kirkpatrick

Centralise legacy auth at the ingress gatewayAndrew Kirkpatrick

José Selvi - Historia de un CryptoFAIL [rootedvlc4]RootedCON

How I Learned to Stop Worrying and Love the Cloud - Wesley Beary, Engine YardSV Ruby on Rails Meetup

More from DevSecCon (20)

PDF

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon

PDF

DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon

PDF

DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon

PDF

DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon

PPTX

DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon

PPTX

DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon

PPTX

DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon

PPTX

DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon

PDF

DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon

PPTX

DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon

PDF

DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon

PDF

DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon

PDF

DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon

PDF

DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon

PDF

DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon

PDF

DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon

PDF

DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon

PPTX

DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon

PPTX

DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon

PDF

DevSecCon London 2018: Open DevSecOpsDevSecCon