
Secure distribution of secrets (KeyDrop) #27

Open
starekrow opened this issue Dec 14, 2017 · 1 comment

Comments

@starekrow
Owner

Getting distribution right is apparently hard. I've started a branch for a new module called KeyDrop that will handle that. It will supply all of the guts for a client/server model for secret distribution, with an offline master keyring.

  • You designate a server to store the master keys and vaults and write a trivial wrapper to get HTTP queries into and out of the KeyDrop class for it. This is the KeyDrop server.
  • The KeyDrop server has all the master keys and all the vaults for all the clients; however, the master keys are encrypted, and the KeyDrop server is never given the information needed to decrypt them. Compromising the KeyDrop server gains an attacker nothing at all.
  • Each KeyDrop client is assigned an ID and a client key. The client key is stored locally on the client, and its only purpose is to decrypt the master key. The master key is never stored on the client.
  • When the client is running, if it doesn't have a copy of the master key in RAM, it asks the KeyDrop server for the master key. The KeyDrop server returns an encrypted master key, which the client must decode. For efficiency, the master key should then be tucked away somewhere (NOT on the filesystem).
  • The client can also ask the KeyDrop server for a list of updates to that client's vault.
  • A mechanism is provided to push updates to client vaults out to the KeyDrop server. You should provide your own mechanism to force your client to request an update.
  • Another mechanism is provided to organize all the client, vault and shared keys in an encrypted master keyring. This obviously should be kept offline.

I think this actually solves the entire question of how to securely configure a server; each KeyDrop client only needs a couple of items - the client ID and client key - to automatically and securely pull, store and update when needed all the other secrets assigned to that client.
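The split of trust described in the bullets above (offline keyring holds the master key, server holds only wrapped copies and sealed vault entries, client holds only its ID and client key) can be shown end to end in a short Go program. This is an added illustration, not code from the KeyDrop branch or from this project; the issue does not show KeyDrop's implementation or its language. It assumes AES-256-GCM as the wrapping cipher, and the names `Server`, `Client`, `Enroll`, `PushSecret` and `PullUpdates` are invented for the example. The client ID is bound into the wrapped master key as associated data, and each secret's name is bound into its vault entry, so a blob stored for one client or one secret fails authentication if presented as another.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Sealed is AES-256-GCM output: a fresh nonce plus ciphertext and tag.
type Sealed struct{ Nonce, Data []byte }

// VaultEntry is one vault update: a named secret sealed under the master key.
type VaultEntry struct {
	Name string
	Body Sealed
}

// Server holds wrapped master keys and sealed vaults but never a client key.
type Server struct {
	wrapped map[string]Sealed       // client ID -> master key wrapped under that client's key
	vaults  map[string][]VaultEntry // client ID -> append-only update log
}

func NewServer() *Server {
	return &Server{map[string]Sealed{}, map[string][]VaultEntry{}}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds AES-256-GCM; every key here is 32 bytes, so failure is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal binds the blob to aad (client ID or secret name) so it cannot be replayed elsewhere.
func seal(key, plaintext, aad []byte) Sealed {
	nonce := randomBytes(12) // standard GCM nonce size
	return Sealed{nonce, gcm(key).Seal(nil, nonce, plaintext, aad)}
}

// open fails on a wrong key, tampered data or mismatched aad.
func open(key []byte, s Sealed, aad []byte) ([]byte, error) {
	return gcm(key).Open(nil, s.Nonce, s.Data, aad)
}

// Enroll (offline keyring): mint a client key, give the server only the master key wrapped under it.
func Enroll(s *Server, master []byte, id string) []byte {
	ck := randomBytes(32)
	s.wrapped[id] = seal(ck, master, []byte(id))
	return ck // delivered to the client out of band; never stored on the server
}

// PushSecret (offline keyring): seal a secret under the master key and append it to the client's vault.
func PushSecret(s *Server, master []byte, id, name string, secret []byte) {
	s.vaults[id] = append(s.vaults[id], VaultEntry{name, seal(master, secret, []byte(name))})
}

// Client persists only ID and ClientKey; the master key and secrets live in memory.
type Client struct {
	ID        string
	ClientKey []byte
	master    []byte
	seen      int // vault entries already applied
	Secrets   map[string][]byte
}

// PullUpdates unwraps the master key on first use, then applies only unseen vault entries.
func (c *Client) PullUpdates(s *Server) (int, error) {
	if c.master == nil {
		w, ok := s.wrapped[c.ID]
		if !ok {
			return 0, fmt.Errorf("no master key enrolled for %q", c.ID)
		}
		m, err := open(c.ClientKey, w, []byte(c.ID))
		if err != nil {
			return 0, fmt.Errorf("unwrap master key: %w", err)
		}
		c.master, c.Secrets = m, map[string][]byte{}
	}
	applied := 0
	for _, e := range s.vaults[c.ID][c.seen:] {
		pt, err := open(c.master, e.Body, []byte(e.Name))
		if err != nil {
			return applied, fmt.Errorf("vault entry %q: %w", e.Name, err)
		}
		c.Secrets[e.Name], c.seen, applied = pt, c.seen+1, applied+1
	}
	return applied, nil
}
```

Usage follows the issue's flow: the keyring calls `Enroll` and `PushSecret` against a `Server`, the client is constructed with only its ID and client key, and `PullUpdates` fetches and unwraps the master key in memory, then decrypts whatever vault entries it has not yet seen. The HTTP wrapper the issue mentions would sit in front of `Server`; the example keeps the calls in-process so the key-handling logic stays visible.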

@KJLJon
Contributor

KJLJon commented Dec 14, 2017

I think this is a great idea to implement. I will keep my eye on the branch and follow the progress :)
