Thursday 5 May 2016

Keeping Secrets Secret with Vamos Deploy

How should you distribute application configuration that needs to be kept private? This is easy with Vamos Deploy.

Applications generally need configuration in order to do their job in the environment they run in. Some configuration can be viewed publicly and some needs to be kept secret. Vamos Deploy caters for the distribution of both. Here we will show how to use Vamos Deploy and OpenSSL to distribute a secret.

Our secret will be the phrase 'Hello, World.' for this simple example. We have created a grid called Neptune which encapsulates just one application (called moon) which will use our secret phrase.

$ vamos grid Neptune info
Gridname       : Neptune
Edit status    : Unfrozen
Change status  : Unchanged
Owner group    : vamos
Release group  : vamos
Applications   : moon                      1.0.0      uat      Linux
Repos          : arepo-centos7-alpha       Linux

Let's encrypt our secret phrase and add it to the grid. First we generate an RSA key pair with ssh-keygen (on OpenSSH 7.8 or later add -m PEM, otherwise the private key is written in OpenSSH's own format, which openssl cannot read). Then we use openssl to export the public key as a PEM file, which we use to encrypt the secret. Two limits of raw RSA encryption are worth knowing: rsautl defaults to PKCS#1 v1.5 padding (pass -oaep for OAEP, which is the better choice), and a 2048-bit key can wrap at most 245 bytes of plaintext (214 with OAEP), so anything larger needs a symmetric key wrapped by RSA instead.

$ ssh-keygen -t rsa -b 2048 -C "nathancope@vamosdeploy.com"
$ openssl rsa -in ~/.ssh/id_rsa -pubout > ~/.ssh/id_rsa.pub.pem
$ secret=$(echo 'Hello, World.' \
         | openssl rsautl -encrypt -pubin -inkey ~/.ssh/id_rsa.pub.pem \
         | base64 -w0)

Now we add the encrypted secret to our grid as a property called secret_phrase.

$ vamos grid Neptune addproperty secret_phrase "$secret"

$ vamos grid Neptune info
Gridname       : Neptune
Edit status    : Unfrozen
Change status  : Unchanged
Owner group    : vamos
Release group  : vamos
Applications   : moon                   1.0.0      uat      Linux
Properties     : secret_phrase = BarhaR4OSDuX6H90ZfTxYPNPs93yik6hPeasvVYK5O3xPaTeur2kqRBOT+HHmTVIJIx8LEPtG5EatVfUat9dcVagECgc1rWaT5blNlRN6f3iRuARs9NJpDAHACqt1+i1lVGri8vXCFzvoTjnY8UEvw6pfSM2gMsNgeXQ8QTkmEkehPiCqbOfFRB+tqMbPKQV0maQXWFlGFvPoWcQaQYsJ0hKhsLbPDtaK5GM3BUgml08PZKicySPOVTB4wKBbMcqkK43L4bHQjMXkyPT2ZTsCKs5AoJyp+gb4/sqhx0sSI/3Xf986OWKyZYJ0BBAlnUZwffahfSxkec0ghTc6juTCA==
Repos          : arepo-centos7-alpha       Linux  

Now, what is public is only the encrypted version of our secret phrase. Anyone who has the public key can encrypt, but only someone with the private key can decrypt. Oh the power of RSA! Bear in mind that nothing else protects the property: anyone who can run vamos grid info sees the ciphertext, and the scheme is exactly as strong as the protection around the private key.

Now to decrypt and print the secret phrase. Our application 'moon' uses openssl to decrypt with the private key:

$ /vamos/ARepo/grids/Neptune/moon/bin/show_secrets.sh 
The secret message is : Hello, World.

Let's have a look at the code of show_secrets.sh:

#! /bin/bash
set -eo pipefail

# This is a really useful technique that we use a lot in Vamos Deploy:
# find the script's own directory, whatever the caller's working directory is.
_whence="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
_props_dir="$( cd "$_whence/../../properties" && pwd )"

# This file is always present in this location and contains the properties for this grid
source "$_props_dir/grid.properties"

# This is just for this example. We don't recommend displaying the secret :)
echo -n "The secret message is : "
printf '%s' "$secret_phrase" | base64 -d | openssl rsautl -decrypt -inkey ~/.ssh/id_rsa

How would we set this up in a live system? The public key (id_rsa.pub.pem) can be published on a wiki or a shared drive; it does not need to be secret, but it does need to be authentic, because anyone who can replace the published key with their own will receive future secrets encrypted to a key they hold. The private key (id_rsa) is installed in the .ssh directory, readable only by the account that runs the application (mode 0600), on just the hosts that need to decrypt. One key pair can serve as many secrets on as many grids on as many hosts as you want, but think about what that means: a private key lifted from any one of those hosts opens every secret encrypted to it, and rotating the key means re-encrypting every property. A key pair per environment (one for uat, another for production) keeps that blast radius manageable.
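The encrypt and decrypt steps above, as an added bash example that is not Vamos Deploy's own code. It does with openssl what the two one-liners do, but uses pkeyutl with OAEP/SHA-256 instead of rsautl (rsautl is deprecated in OpenSSL 3 and defaults to PKCS#1 v1.5 padding), generates the key pair with openssl rather than ssh-keygen so there is no private key format problem, checks the plaintext against the size the key can actually wrap, and refuses to decrypt with a private key that group or other can read. It assumes openssl 1.0.2 or later on PATH; the vd_* function names are hypothetical and not part of the vamos CLI, and the property would be added with vamos grid addproperty exactly as in the post.

```shell
#!/bin/bash
# Added example (not Vamos Deploy's code): RSA-OAEP wrapping of a grid property
# with OpenSSL. Assumes openssl >= 1.0.2. The vd_* names are hypothetical.
set -e

# Generate a 2048-bit RSA key pair. The private key is written under umask 077,
# so it is never group/other readable, not even briefly.
vd_keygen() {                       # vd_keygen PRIVATE.pem PUBLIC.pem
  local priv="$1" pub="$2"
  ( umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$priv" 2>/dev/null )
  openssl pkey -in "$priv" -pubout -out "$pub"
}

# Largest plaintext, in bytes, that the key can wrap with OAEP/SHA-256:
# k - 2*hLen - 2, where k is the modulus size in bytes and hLen is 32.
# The modulus size is read from openssl's "Public-Key: (2048 bit)" line.
vd_max_plaintext() {                # vd_max_plaintext PUBLIC.pem
  local bits
  bits=$(openssl pkey -pubin -in "$1" -noout -text \
         | sed -n 's/.*(\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ -n "$bits" ] || return 1
  echo $(( bits / 8 - 2 * 32 - 2 ))
}

# Encrypt a short secret to the public key and print one line of base64,
# suitable for "vamos grid <grid> addproperty <name> <value>". Refuses
# plaintexts the key cannot wrap rather than failing half-way down a pipe.
vd_encrypt() {                      # vd_encrypt PUBLIC.pem PLAINTEXT
  local pub="$1" plaintext="$2" max len
  max=$(vd_max_plaintext "$pub") || return 1
  len=$(( $(printf '%s' "$plaintext" | wc -c) ))
  if [ "$len" -gt "$max" ]; then
    echo "vd_encrypt: secret is $len bytes, key wraps at most $max; wrap a symmetric key instead" >&2
    return 1
  fi
  printf '%s' "$plaintext" \
    | openssl pkeyutl -encrypt -pubin -inkey "$pub" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
    | openssl base64 -A
}

# Decrypt a base64 property value back to the plaintext. The private key is
# the whole security of the scheme, so a key readable by group/other is refused
# (columns 5-10 of "ls -l" are the group and other permission bits).
vd_decrypt() {                      # vd_decrypt PRIVATE.pem BASE64
  local priv="$1" b64="$2"
  if [ "$(ls -ld "$priv" | cut -c5-10)" != "------" ]; then
    echo "vd_decrypt: $priv is readable by group/other; refusing to use it" >&2
    return 1
  fi
  printf '%s' "$b64" \
    | openssl base64 -d -A \
    | openssl pkeyutl -decrypt -inkey "$priv" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
}

# Round trip of the post's 'Hello, World.' secret through a throwaway key pair.
vd_demo() {
  local dir ct
  dir=$(mktemp -d)
  vd_keygen "$dir/id_rsa.pem" "$dir/id_rsa.pub.pem"
  ct=$(vd_encrypt "$dir/id_rsa.pub.pem" 'Hello, World.')
  echo "property value : $ct"
  echo "decrypts to    : $(vd_decrypt "$dir/id_rsa.pem" "$ct")"
  rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then vd_demo; fi
```

Run it as `bash vd_secret.sh demo` to see the round trip, or source it and call vd_encrypt from whatever wraps the addproperty step. Because OAEP is randomised, encrypting the same phrase twice gives two different property values, which is what you want: identical secrets in two grids do not reveal themselves by having identical ciphertext.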