
2020-07-08 WPS show-and-tell token encryption

    Authored by Andrew W Petro

    Notes supporting presenting 2020-07-08 show-and-tell bit on token encryption

    Notes for WPS show-and-tell about token encryption

    Summary

    • Token encryption enables putting cryptotext versions of secrets in source files.
    • MyUW operates T-Crypt, a token encryption service, today. Use it for great good.
    • Relatedly useful but not solving the same problem: LastPass, KeePass.

    What problem are we solving?

    Passwords and API keys are useful. Our running production services need them.

    Passwords and API keys are useful. Adversaries shouldn't have them.

    The less routinely people handle plaintext secrets, the smaller the chance of an accidental leak or intentional abuse.

    What's a token?

    Any String. Any bit of text.

    Typically, a password. Or a password-like token.

    But it could be most anything. Username. Property value. Anything you want to keep secret.

    Aside: Password managers

    Keepass

    LastPass Enterprise

    Awesome! But this isn't what we're talking about.

    Aside: one time secret

    https://onetimesecret.com

    Seems... discomforting.

    Anyway, this too isn't what we're talking about.

    What problem are we solving again?

    Using passwords in services.

    Solution today: T-Crypt

    In source:

    peopleSoftPassword=${ENC(urKaxskD-REDACTED-clfss2OZ3ovcjQ==)}

    https://tools.my.wisc.edu/tcrypt/

    (Source.)

    The cryptotext is decrypted only in the final build for prod; every earlier stage carries the encrypted form.

    On the plus side, this works. That's worth a lot.

    On the downside, each tier needs its own branch of configuration, and those branches have to be maintained.
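    The pattern above, as an added example that is not T-Crypt's code: the `${ENC(...)}` placeholder syntax is taken from the notes, but the cipher (HMAC-SHA256 in counter mode with an HMAC tag), the key handling and the property-file linting are assumptions chosen so the example runs offline with only the standard library. Resolution happens only when a key is supplied, which models "decrypt in the final build for prod"; without a key the file passes through untouched, and a tampered or wrongly-keyed token fails closed.

```python
"""Illustrative re-implementation of the ${ENC(...)} placeholder pattern.

Added example; this is NOT T-Crypt's code or cipher. The placeholder syntax
comes from the notes; the cipher and key handling below are assumptions.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import re

# Matches the placeholder form used in the notes: ${ENC(<base64 cryptotext>)}
ENC_RE = re.compile(r"\$\{ENC\(([A-Za-z0-9+/=_-]+)\)\}")
NONCE_LEN = 16
TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Assumed stand-in cipher: HMAC-SHA256 as a PRF in counter mode.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_token(plaintext: str, key: bytes, nonce: bytes | None = None) -> str:
    """Return base64(nonce || ciphertext || tag) suitable for an ${ENC(...)} placeholder."""
    nonce = nonce or os.urandom(NONCE_LEN)
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return base64.b64encode(nonce + ct + tag).decode()


def decrypt_token(cryptotext: str, key: bytes) -> str:
    """Verify the tag, then decrypt. Raises ValueError on tampering or a wrong key."""
    raw = base64.b64decode(cryptotext)
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def resolve_properties(text: str, key: bytes | None) -> str:
    """Replace every ${ENC(...)} with plaintext when a key is given (the prod build);
    with no key (every other tier) the cryptotext is left in place."""
    if key is None:
        return text
    return ENC_RE.sub(lambda m: decrypt_token(m.group(1), key), text)


def find_plaintext_secrets(text: str, hints=("password", "secret", "apikey", "token")) -> list[str]:
    """Lint a properties file: names that look secret-bearing but whose value is not an ENC() token."""
    hits = []
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        name, value = line.split("=", 1)
        if any(h in name.lower() for h in hints) and not ENC_RE.fullmatch(value.strip()):
            hits.append(name.strip())
    return hits


if __name__ == "__main__":
    # Constructed sample data: a build-time key and a small properties file.
    key = hashlib.sha256(b"example-build-key").digest()
    token = encrypt_token("hunter2", key)
    source = f"peopleSoftUser=batch\npeopleSoftPassword=${{ENC({token})}}\n"
    print("committed form:\n" + source)
    print("prod build:\n" + resolve_properties(source, key))
    print("plaintext secrets found:", find_plaintext_secrets(source))
```

The lint function is the check a practitioner would wire into CI so a plaintext value never lands next to the ENC() ones.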

    Documentation.

    This should perhaps be a Shared Tool outright, rather than something MyUW operates that is then documented as if it were a Shared Tool.

    Futures

    Hashicorp Vault

    The driver that lets you mount a vault to a Docker container as if it were a file system is really, really cool.

    Could use Vault to model and maintain different configuration for different environments: ship the same Docker containers / war files everywhere and configure them differently by mounting a different vault at runtime.
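    The "same artifact, different mount" idea above, as an added example that is neither Vault's nor MyUW's code: it reads secrets from a one-file-per-secret directory (the layout Docker secrets use, and one that Vault mounts can produce) chosen at runtime, so the same config template resolves to dev or prod values with no configuration branches. The placeholder syntax `${SECRET(name)}`, the mount path and the sample values are assumptions; the two mounts are constructed in a temporary directory so the example runs offline. It fails closed when the mount or a required secret is missing, rather than falling back to another environment's values.

```python
"""Added example: one build artifact, different secrets mounted at runtime.

Not Vault's or MyUW's code. The ${SECRET(name)} syntax, the default mount
path and the sample values are assumptions for illustration.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Assumed placeholder syntax for a secret read from the mount.
SECRET_RE = re.compile(r"\$\{SECRET\(([A-Za-z0-9_.-]+)\)\}")
# Assumed default: where the container expects its secrets to be mounted.
DEFAULT_MOUNT = Path(os.environ.get("SECRET_MOUNT", "/run/secrets"))

# The one config template that ships in every build (constructed sample).
CONFIG = "peopleSoftUser=batch\npeopleSoftPassword=${SECRET(peopleSoftPassword)}\n"


def load_mounted_secrets(mount: Path) -> dict[str, str]:
    """Read a one-file-per-secret directory. Missing mount is an error, not an empty dict."""
    if not mount.is_dir():
        raise FileNotFoundError(f"secret mount {mount} not present")
    return {p.name: p.read_text().strip() for p in mount.iterdir() if p.is_file()}


def resolve(config_text: str, secrets: dict[str, str]) -> str:
    """Substitute ${SECRET(name)} from the mounted secrets; fail closed on a missing name."""
    def sub(m: re.Match) -> str:
        name = m.group(1)
        if name not in secrets:
            raise KeyError(f"required secret {name!r} missing from mount")
        return secrets[name]
    return SECRET_RE.sub(sub, config_text)


def configure(mount: Path = DEFAULT_MOUNT, template: str = CONFIG) -> str:
    return resolve(template, load_mounted_secrets(mount))


def build_demo_mounts() -> Path:
    """Constructed sample data: dev and prod mounts with the same names, different values."""
    root = Path(tempfile.mkdtemp())
    for env, value in (("dev", "dev-only-password"), ("prod", "real-prod-password")):
        (root / env).mkdir()
        (root / env / "peopleSoftPassword").write_text(value + "\n")
    return root


if __name__ == "__main__":
    root = build_demo_mounts()
    for env in ("dev", "prod"):
        print(f"--- same artifact, mount={root / env}")
        print(configure(root / env))
```

In a real deployment the mount would come from the Vault driver the notes mention, or from Docker secrets; the application code stays identical across tiers.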

    Conclusion

    Most of the time, there's no need to be looking at plaintext passwords.

    Encrypt them using T-Crypt, use the cryptotext everywhere except the final production landing spot for the token.
