# Safely transferring code secrets
(very much a work in progress)
[](https://codecov.io/gh/thebjorn/seeqret)
<!-- @import "[TOC]" {cmd="toc" depthFrom=1 depthTo=6 orderedList=false} -->
<!-- code_chunk_output -->
- [Safely transferring code secrets](#safely-transferring-code-secrets)
- [Introduction](#introduction)
- [Prior art...](#prior-art)
- [Assumptions](#assumptions)
- [Minimum Requirements](#minimum-requirements)
- [Use cases](#use-cases)
- [Code](#code)
<!-- /code_chunk_output -->
## Introduction
How do you communicate the set of secrets (passwords, API keys, etc.) that your code needs to run? You can't just write them in the code, because that would expose them to anyone who can read the code. You can't just send them in an email, because that would expose them to anyone who can read your email. You can't just write them on a sticky note, because that would expose them to anyone who can read your sticky note.
### Prior art...
There are many ways to store and use secrets, e.g.:
- **Environment variables**: It is popular, in e.g. kubernetes and javascript, to read secrets from environment variables. For development these are stored in .env files that are not checked into git/svn. These files contain the secrets in plain-text. Transferring secrets to a new server/devloper is a manual process where you create a new file and somehow get access to the secrets.
- **Key vaults**: E.g. Secureden or HashiCorp Vault (can be self hosted). These are usually expensive or complex to set up - or both. Key vaults usually have an API that you can use to get the secrets (setting this up is also expensive/complex/both).
- **Secret management services**: These are hosted key vaults, e.g. AWS Secrets Manager, Google Secret manager, Azure Key Vault, or hosted HashiCorp Vault. There is always an associated api to read the secrets. This can incur significant costs for large numbers of secrets and/or high usage.
- **Encrypted files**: This is usually a key/value file (.json/.yaml), where only the values are encrypted (e.g. [SOPS](https://github.com/getsops/sops). Every developer must have the same key to be able to use the file, but the file can be stored in git/svn.
## Assumptions
You can make the following assumptions:
- https is secure
- the encryption algorithms are secure
- encrypted directories (Windows) are secure
```bat
attrib +I %1
icacls %1 /grant %USERDOMAIN%\%USERNAME%:(F) /T
icacls %1 /inheritance:r
cipher /e %1
```
- [encrypted private directories](https://help.ubuntu.com/community/EncryptedPrivateDirectory) (Ubuntu) are secure.
- `0600` (read/write by owner only) directories (linux) are safe provided the user is not compromised.
## Minimum Requirements
1. different users/systems should have access to different subsets of the secrets.
2. the secrets should not exist in plain-text when they are not used (e.g. a
database password is only _used_ when logging into the database - it shouldn't exist in memory outside of this process[^3]).
3. a subset of secrets needs to be **shared with new developers** in a secure way.
4. there should be a command line utility (`secrets`) to
- `secrets set <key> <value>`: set a secret
- `secrets get <key>`: get a secret
- `secrets export <user> <keys..>` export a subset of the secrets for transmission (e.g. by email) to a new developer
- `secrets import <keys..>` import keys received by e.g. email
5. and a library/API to
- `secrets.get(key)`: get a secret (this should be a fast O(1) operation)
5. the secrets should be easy to update[^1].
6. it should be possible to backup the secrets.
7. _(bonus)_: the secrets should be easy to rotate[^2].
8. _(bonus)_: the secrets should be auditable[^4].
# Use cases
1. **Starting from scratch:** How do you set up the secrets system?
2. **Inviting users:** How do you invite users and how do you communicate the secrets to them?
3. **Adding a secret:** How do you communicate a new secret to the users?
4. **Updating a secret:** How do you communicate an update to a secret?
5. **New user:** How does a new user get access to the secrets?
6. **Backup:** How do you backup the secrets and what is needed to restore the backup?
7. **Developer leaves:** How do you revoke access to the secrets for a developer that leaves?
# Code
The code in the `filecrypt.py` file is from [Asymetric Encryption](https://www.youtube.com/watch?v=bd5nsMscPo0) which is well worth watching...
The code in `pgp_filecrypt.py` contains the code needed to do pgp encryption/decryption (here you need to set the trust level when importing keys to the people you want to send encrypted messages to).
[^1]: Updating means manually changing the secret (both in the storage and the service it protects), e.g. when a password expires/is compromised/a devloper leaves/etc.
[^2]: Rotation is the process of periodically updating a secret. Ideally this
is an automatic process that e.g. changes both the secret storage and the
service it protects.
[^3]: This is a defense-in-depth measure (in case the sanitizer fails to remove the secret from any traceback/logs/etc.)
[^4]: Auditing means checking who has access to the secrets, which secrets were accessed, and when.
Raw data
{
"_id": null,
"home_page": "https://github.com/thebjorn/seeqret.git",
"name": "seeqret",
"maintainer": null,
"docs_url": null,
"requires_python": null,
"maintainer_email": null,
"keywords": "secrets, gpg, pgp",
"author": "Bjorn",
"author_email": null,
"download_url": "https://files.pythonhosted.org/packages/6f/56/d94e254abc24f6cf9894387cb9267d934972295093c672dc743fe605c4d5/seeqret-0.0.9.tar.gz",
"platform": null,
"description": "# Safely transferring code secrets\n(very much a work in progress)\n\n[](https://codecov.io/gh/thebjorn/seeqret)\n\n\n\n<!-- @import \"[TOC]\" {cmd=\"toc\" depthFrom=1 depthTo=6 orderedList=false} -->\n\n<!-- code_chunk_output -->\n\n- [Safely transferring code secrets](#safely-transferring-code-secrets)\n - [Introduction](#introduction)\n - [Prior art...](#prior-art)\n - [Assumptions](#assumptions)\n - [Minimum Requirements](#minimum-requirements)\n- [Use cases](#use-cases)\n- [Code](#code)\n\n<!-- /code_chunk_output -->\n\n\n\n## Introduction\n\nHow do you communicate the set of secrets (passwords, API keys, etc.) that your code needs to run? You can't just write them in the code, because that would expose them to anyone who can read the code. You can't just send them in an email, because that would expose them to anyone who can read your email. You can't just write them on a sticky note, because that would expose them to anyone who can read your sticky note.\n\n### Prior art...\n\nThere are many ways to store and use secrets, e.g.:\n\n- **Environment variables**: It is popular, in e.g. kubernetes and javascript, to read secrets from environment variables. For development these are stored in .env files that are not checked into git/svn. These files contain the secrets in plain-text. Transferring secrets to a new server/devloper is a manual process where you create a new file and somehow get access to the secrets.\n\n- **Key vaults**: E.g. Secureden or HashiCorp Vault (can be self hosted). These are usually expensive or complex to set up - or both. Key vaults usually have an API that you can use to get the secrets (setting this up is also expensive/complex/both).\n\n- **Secret management services**: These are hosted key vaults, e.g. AWS Secrets Manager, Google Secret manager, Azure Key Vault, or hosted HashiCorp Vault. There is always an associated api to read the secrets. This can incur significant costs for large numbers of secrets and/or high usage.\n \n- **Encrypted files**: This is usually a key/value file (.json/.yaml), where only the values are encrypted (e.g. [SOPS](https://github.com/getsops/sops). Every developer must have the same key to be able to use the file, but the file can be stored in git/svn.\n\n## Assumptions\nYou can make the following assumptions:\n\n- https is secure\n- the encryption algorithms are secure\n- encrypted directories (Windows) are secure\n ```bat\n attrib +I %1\n icacls %1 /grant %USERDOMAIN%\\%USERNAME%:(F) /T\n icacls %1 /inheritance:r\n cipher /e %1\n ```\n- [encrypted private directories](https://help.ubuntu.com/community/EncryptedPrivateDirectory) (Ubuntu) are secure.\n- `0600` (read/write by owner only) directories (linux) are safe provided the user is not compromised.\n\n## Minimum Requirements\n1. different users/systems should have access to different subsets of the secrets.\n2. the secrets should not exist in plain-text when they are not used (e.g. a\n database password is only _used_ when logging into the database - it shouldn't exist in memory outside of this process[^3]).\n3. a subset of secrets needs to be **shared with new developers** in a secure way.\n4. there should be a command line utility (`secrets`) to\n - `secrets set <key> <value>`: set a secret\n - `secrets get <key>`: get a secret\n - `secrets export <user> <keys..>` export a subset of the secrets for transmission (e.g. by email) to a new developer\n - `secrets import <keys..>` import keys received by e.g. email\n5. and a library/API to\n - `secrets.get(key)`: get a secret (this should be a fast O(1) operation)\n5. the secrets should be easy to update[^1].\n6. it should be possible to backup the secrets.\n7. _(bonus)_: the secrets should be easy to rotate[^2].\n8. _(bonus)_: the secrets should be auditable[^4].\n\n# Use cases\n\n1. **Starting from scratch:** How do you set up the secrets system?\n2. **Inviting users:** How do you invite users and how do you communicate the secrets to them?\n3. **Adding a secret:** How do you communicate a new secret to the users?\n4. **Updating a secret:** How do you communicate an update to a secret?\n5. **New user:** How does a new user get access to the secrets?\n6. **Backup:** How do you backup the secrets and what is needed to restore the backup?\n7. **Developer leaves:** How do you revoke access to the secrets for a developer that leaves?\n\n\n# Code\nThe code in the `filecrypt.py` file is from [Asymetric Encryption](https://www.youtube.com/watch?v=bd5nsMscPo0) which is well worth watching...\n\nThe code in `pgp_filecrypt.py` contains the code needed to do pgp encryption/decryption (here you need to set the trust level when importing keys to the people you want to send encrypted messages to).\n\n\n[^1]: Updating means manually changing the secret (both in the storage and the service it protects), e.g. when a password expires/is compromised/a devloper leaves/etc.\n\n[^2]: Rotation is the process of periodically updating a secret. Ideally this\nis an automatic process that e.g. changes both the secret storage and the\nservice it protects.\n\n[^3]: This is a defense-in-depth measure (in case the sanitizer fails to remove the secret from any traceback/logs/etc.)\n\n[^4]: Auditing means checking who has access to the secrets, which secrets were accessed, and when.\n",
"bugtrack_url": null,
"license": null,
"summary": "Safely transferring code secrets",
"version": "0.0.9",
"project_urls": {
"Homepage": "https://github.com/thebjorn/seeqret.git"
},
"split_keywords": [
"secrets",
" gpg",
" pgp"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "ab67aa12a51d34f82d6b6a5c2905438dd7708363bc4c91fa897b94426b7616f0",
"md5": "27bcd9191027146ec0bf688e5a4b68c7",
"sha256": "b0804565bec01fbe1acf95c1589b43df4a359ef2983ed215d45fa645f7193c8c"
},
"downloads": -1,
"filename": "seeqret-0.0.9-py3-none-any.whl",
"has_sig": false,
"md5_digest": "27bcd9191027146ec0bf688e5a4b68c7",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": null,
"size": 16601,
"upload_time": "2024-12-22T05:57:53",
"upload_time_iso_8601": "2024-12-22T05:57:53.738369Z",
"url": "https://files.pythonhosted.org/packages/ab/67/aa12a51d34f82d6b6a5c2905438dd7708363bc4c91fa897b94426b7616f0/seeqret-0.0.9-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "6f56d94e254abc24f6cf9894387cb9267d934972295093c672dc743fe605c4d5",
"md5": "04cc314169aa0cd473c12831254eb4f8",
"sha256": "9c548bf95772750d149fb4dfdbc83db3d23be2e7742384d1deae61fac6db24d6"
},
"downloads": -1,
"filename": "seeqret-0.0.9.tar.gz",
"has_sig": false,
"md5_digest": "04cc314169aa0cd473c12831254eb4f8",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 17326,
"upload_time": "2024-12-22T05:57:54",
"upload_time_iso_8601": "2024-12-22T05:57:54.750693Z",
"url": "https://files.pythonhosted.org/packages/6f/56/d94e254abc24f6cf9894387cb9267d934972295093c672dc743fe605c4d5/seeqret-0.0.9.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-12-22 05:57:54",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "thebjorn",
"github_project": "seeqret",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [
{
"name": "rsa",
"specs": []
},
{
"name": "python-gnupg",
"specs": []
},
{
"name": "cryptography",
"specs": []
},
{
"name": "pynacl",
"specs": []
},
{
"name": "click",
"specs": []
},
{
"name": "rich",
"specs": []
},
{
"name": "requests",
"specs": []
},
{
"name": "pytest",
"specs": []
},
{
"name": "pytest-cov",
"specs": []
},
{
"name": "mkdocs",
"specs": []
},
{
"name": "flake8",
"specs": []
}
],
"lcname": "seeqret"
}
JSON
