
Commit 0e255857 authored by Tony Finch

talks: WIP

parent d0de199a
BIBTEX= bibtex
PDFLATEX= pdflatex
talk: slides.pdf notes.pdf
${PDFLATEX} notes.tex
${BIBTEX} notes
${PDFLATEX} notes.tex
${PDFLATEX} notes.tex
handout.ps: slides.ps
psnup -W12.6cm -H9.6cm -pa4 -r -2 slides.ps |\
sed '/BoundingBox:/d' |\
psnup -b1cm -2 >handout.ps
slides.ps slides.pdf slides.dvi: talk.tex slides.tex
notes.ps notes.pdf notes.dvi: talk.tex notes.tex
rm -f *.aux *.bbl *.blg *.log *.nav *.out *.snm *.toc *.vrb
realclean: clean
rm -f *.pdf *.ps *.dvi *.html
rm -f core *.core '#'*'#' *~
.SUFFIXES: .tex .dvi .pdf .ps .md .html
pdf2ps $<
markdown <$< >$@
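Review bot: the recipe under `talk: slides.pdf notes.pdf` (the four `${PDFLATEX}` / `${BIBTEX}` lines) is attached to the aggregate target rather than to `notes.pdf`, so `make talk` re-runs the full pdflatex, bibtex, pdflatex, pdflatex cycle every time even when `notes.pdf` is already current, and because `talk` is never declared `.PHONY` a stray file called `talk` would stop the recipe running at all. Suggest moving the bibtex sequence into its own `notes.pdf: notes.tex` rule (plus the bibliography file, whatever it is called) and adding `.PHONY: talk clean realclean`. Also note that `.SUFFIXES: .tex .dvi .pdf .ps .md .html` only pays off if a `.tex.pdf` (or `.tex.dvi`) suffix rule exists; the two suffix recipes visible here are `pdf2ps $<` and `markdown <$< >$@`, so `slides.pdf` depends on a rule that is not shown in this change and should be checked.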
% turn off PDF title because the subtitle causes junk to be inserted
\setbeamertemplate{navigation symbols}{}
\setbeamertemplate{itemize items}[square]
% This file is included by notes.tex and slides.tex
\usepackage{pifont} % dingbats
\usepackage{calc} % for frame column width calculations
\usepackage[normalem]{ulem} % for strikeout
% args: size, file, URL
% args: title, body
% args: (optional) image width, image file, image URL, slide title
% common metadata
Tony~Finch \\
\email{fanf2@cam.ac.uk} \\
Network Systems (RNB 1N52)%
University Information Services%
% title page
safely store server secrets
\date{Tuesday 21st November 2017}
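Review bot: the three `% args:` comments (`size, file, URL`; `title, body`; `(optional) image width, image file, image URL, slide title`) document macro signatures without naming the macro each one belongs to, so anyone grepping for `\email` or the image macro cannot connect comment to definition; put the macro name in each comment. The `% turn off PDF title because the subtitle causes junk to be inserted` comment names a symptom but not the cause; a one-line pointer to the beamer/hyperref behaviour being worked around would save the next maintainer from re-enabling it. The trailing `%` on `Network Systems (RNB 1N52)%` and `University Information Services%` is doing real work (suppressing the end-of-line space inside the affiliation block) and is easy to delete by accident, so a short comment there would help too.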
The \regpg program is a thin wrapper around \gpg for encrypting
secrets so they can be stored and shared using \git and decrypted
when Ansible deploys them to servers.
\notes {
This talk is in two main sections.
I will start off by explaining some of the context and thinking
behind \regpg by unpacking its slogan backwards.
\item Context
\item secrets?
\item server?
\item store?
\item safely?
\item \regpg?
Then I'll give a demo of \regpg's main features, in roughly the same
order as its reference manual.
\item Demo
\item keys
\item secrets
\item X.509 / TLS
\item Ansible
\item conversion
In the first part, we'll discuss what \regpg is and what it is not.
The secrets we are working with are cryptographic keys
\item private keys
\item bearer tokens
\item shared secrets
We have hundreds of them. They need to be shared with the right
people and kept secret from the wrong people.
It's a key distribution problem.
}{secrets - encryption}
We can massively reduce the size of the problem by encrypting
the secrets with a small number of master secrets.
For example, I used to encrypt secrets using the root password.
This reduces the key distribution to previously solved problems:
\item password distribution
\item non-secret file distribution (i.e. git)
}{secrets - Shamir / Rivest / Adleman}
But we can do better with public key cryptography.
Each person keeps their own private key - there's no need to
distribute any master secrets. We know how to do this because we
already do it for \ssh keys.
We distribute the public keys of each person who can decrypt, which
gives us a kind of auditable record of who has access to secrets.
We can revoke a person's access if we can destroy all the copies of
their private key, without having to replace all the secrets.
You only need the public keys to encrypt a secret, which means an
automated system can manage its own keys without having access to
all the other secrets in a repository.
The specific kinds of secrets we are dealing with are used by
servers to authenticate themselves -
\item \ssh host private keys
\item TLS private keys
\item API keys
\item DNS TSIG shared secrets
\item etc.
These have to be available unencrypted on the server.
We're not dealing with user passwords.
We're not trying to be a password manager.
}{server - files}
It's often the case that each server secret is in a file by itself -
that's true for \ssh and TLS and DNS keys.
\regpg works best when each secret is in a file by itself. You can
use filenames to identify secrets without having to decrypt them.
Keeping secrets strictly separate from non-secret code and
configuration helps \git \code{diff} to works better.
\regpg does not have any hooks into \git for automatically
decrypting and \code{diff}ing secrets because secrets are blobs of
random data for which \code{diff} is useless.
\regpg is for encrypting files for storage when they are not in use,
and decrypting them for deployment to production.
The other verb that might have fitted in this place is ``share'',
but \regpg is not directly about sharing.
\regpg stores secrets in a way that works with \git or other version
control systems, but \regpg does not get involved with \git. You use
\git for sharing secrets in the same way you us it for sharing code
or configuration.
I have tried a few times to write wrappers that get clever with \git
and they have usually been dismal failures. \regpg does not get
clever with \git.
}{safely - hazmat containment}
There are a couple of aspects to being safe with \regpg, and both of
them relate to dissatisfaction with \code{ansible-vault}.
The first is safe cryptography.
\regpg keeps well away from any low-level primitives. I did a code
review of \code{ansible-vault} and it uses a cryptographic library
that literally has ``HAZMAT'' in its name. And, totally predictably,
\code{ansible-vault} has really bad crypto.
Instead, \regpg relies on \gpg for cryptography. \gpg is terrible
software in many ways, but it is widely available, it has reasonably
competent crypto, and it is also used by \git and Debian.
}{safely - situational awareness}
The other aspect to being safe is psychological safety.
\regpg allows you to make it clear in your Ansible playbook which
files should be encrypted, helps you to find out which files
actually are or are not encrypted, and tells you when things are
This is unlike \code{ansible-vault} which does not let you say
whether something should be encrypted, and encourages you to encrypt
and decrypt in place, and doesn't complain either way, so you can
easily expose secrets by mistake.
\regpg tries to be really easy to understand. It isn't very chatty,
but it also does not hide things from you. I want you to feel
confident that you know how it works and what it is doing.
}{\regpg\ - \url{https://dotat.at/prog/regpg/}}
% eof
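Review bot: the revocation claim on the public-key slide (`We can revoke a person's access if we can destroy all the copies of their private key, without having to replace all the secrets`) is the line a sceptical audience will push on: nobody except the key holder can verify that every copy of a private key was destroyed, so in practice removing a recipient means re-encrypting each secret to the remaining public keys, and rotating any secret that person could already have decrypted, since the plaintext lives unencrypted on the servers anyway. Suggest stating on the slide that the no-replacement shortcut only holds when you trust that the key really is gone. Three smaller items: the sentence ending `tells you when things are` on the situational-awareness slide is cut off mid-thought (WIP, but easy to forget); `helps \git \code{diff} to works better` and `you us it for sharing code` need `work` and `use`; and the `\code{ansible-vault} has really bad crypto` statement would carry more weight with a pointer to the code review mentioned in the preceding sentence.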