科技回声 (Tech Echo)

A tech-news platform built on Next.js, providing global technology news and discussion.

© 2025 科技回声. All rights reserved.
Show HN: SecretCrypt – Keeping secrets in plain sight

75 points, by nsaje, over 8 years ago

9 comments

koolba, over 8 years ago
> Since the configuration file is kept in the same repository as the code, configuration options or secrets can easily be changed or added by developers themselves.

This is terrible advice. Code and config should be separate. Otherwise you can't deploy the same *code* to a different environment.

(replies #12344523, #12344405, #12344333, #12344475 and #12344406 not loaded)
web007, over 8 years ago
Using KMS is a good idea, but I'm not really sure what this package gives you - just a simple abstraction / cmdline to deal with it?

This would be better if it could use the aliases directly, so you could have one config across N environments and separate them by AWS keyspace.

Having to embed the full KMS path for each key gains you the secret management they claim (which is a good thing) but sacrifices ease of use. That said, aliases wouldn't help with missing secrets or misconfiguration across environments, and it's a lot easier to audit string-for-string to match your KMS store, so either approach has its pluses and minuses.
chrisdotcode, over 8 years ago
How is this different from/better than Stack Exchange's blackbox[0], which doesn't require a third-party service (just plain-ole gpg) and is written in bash?

[0] https://github.com/StackExchange/blackbox

P.S.: I think the image looks aesthetically pleasing, but why is it there? It's a scaled-down 1,600x680px image that costs me 140KB and doesn't add anything to the article; what's worse is that it's not even a nice banner image, it's just smack dab in the middle of the article.

(replies #12344906 and #12347342 not loaded)
jbb555, over 8 years ago
So... storing your secrets in AWS then... and not in plain sight.

(reply #12345599 not loaded)
45h34jh53k4j, over 8 years ago
I like this design. Infrastructure as code. Store your config data in your repo. Screw 12 factors.

You can do this with the in-house AWS tools, awscli and boto3 for python. This was for use within a python lambda function so I used the secrets in a separate file, but no loss of generality here.

* Create your keys in KMS via Web UI or otherwise
* Encrypt your secrets before commit:

    aws kms encrypt --key-id alias/TokenKey --plaintext fileb://unencrypted_token --output text --query CiphertextBlob > encrypted_token

Decrypt the token from your python lambda function with boto3:

    import base64
    import boto3

    kms = boto3.client('kms')
    # token_encrypted holds the base64 text that the command above wrote to encrypted_token
    token = kms.decrypt(CiphertextBlob=base64.b64decode(token_encrypted))['Plaintext'].decode('ascii')

The blob from KMS contains the appropriate fields for decryption from their service. Give the lambda role rights to decrypt with the key.
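The encrypt-commit-decrypt workflow in the comment above, carried through as an added example that is neither SecretCrypt's code nor the commenter's: a small loader that reads a committed KEY=VALUE config, decrypts only the values that carry KMS ciphertext, and fails closed on any decrypt error. The `kms:` value prefix and the `config_key` EncryptionContext are conventions chosen for this example (the encrypt command must then pass `--encryption-context config_key=<KEY>`); `FakeKMS` is a constructed offline stand-in with boto3's `decrypt()` signature so the block runs without AWS, and the sample config and blob are constructed data.

```python
"""Loader for a committed config whose secret values are AWS KMS ciphertexts.

Added example; it is neither SecretCrypt's code nor the commenter's. It assumes
the workflow above: each secret was encrypted with
    aws kms encrypt --key-id alias/TokenKey --plaintext fileb://secret \
        --encryption-context config_key=DB_PASSWORD \
        --output text --query CiphertextBlob
and the printed base64 blob was committed as "DB_PASSWORD=kms:<base64>".
The "kms:" prefix and the config_key encryption context are conventions
chosen for this example, not features of any tool.
"""
import base64
import binascii

KMS_PREFIX = "kms:"


class SecretDecryptError(Exception):
    """A kms: value could not be decrypted. Callers should fail closed, not fall back."""


def parse_config(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    config = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d: expected KEY=VALUE" % lineno)
        key, value = line.split("=", 1)
        config[key.strip()] = value.strip()
    return config


def decrypt_value(kms, key, value):
    """Return the plaintext for one entry; non-kms: values pass through unchanged.

    `kms` is anything with boto3's KMS decrypt() signature:
        kms.decrypt(CiphertextBlob=bytes, EncryptionContext=dict) -> {"Plaintext": bytes}
    The EncryptionContext ties the blob to its config key, so a ciphertext
    copied into a different setting is rejected by KMS rather than silently
    decrypted. The blob itself identifies the key, so no key id is passed here.
    """
    if not value.startswith(KMS_PREFIX):
        return value
    try:
        blob = base64.b64decode(value[len(KMS_PREFIX):], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise SecretDecryptError("%s: ciphertext is not valid base64" % key) from exc
    try:
        resp = kms.decrypt(CiphertextBlob=blob, EncryptionContext={"config_key": key})
    except Exception as exc:  # botocore raises ClientError; treat any failure as fatal
        raise SecretDecryptError("%s: KMS decrypt failed: %s" % (key, exc)) from exc
    return resp["Plaintext"].decode("utf-8")


def load_secrets(kms, text):
    """Decrypt every kms: value in `text`, raising on the first failure."""
    return {k: decrypt_value(kms, k, v) for k, v in parse_config(text).items()}


def fails_closed(kms, text):
    """True if loading `text` raises SecretDecryptError (shows the failure path)."""
    try:
        load_secrets(kms, text)
    except SecretDecryptError:
        return True
    return False


class FakeKMS:
    """Offline stand-in with boto3's decrypt() signature, constructed for this example.

    A deployment passes boto3.client("kms") instead; the Lambda/EC2 role then
    needs kms:Decrypt on the key, as the comment above notes.
    """

    def __init__(self, table):
        # (ciphertext bytes, frozenset of context items) -> plaintext bytes
        self.table = table

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        lookup = (CiphertextBlob, frozenset((EncryptionContext or {}).items()))
        if lookup not in self.table:
            raise RuntimeError("InvalidCiphertextException")
        return {"Plaintext": self.table[lookup]}


# Constructed sample data: b"blob-1" stands in for a real KMS ciphertext blob.
SAMPLE_BLOB_B64 = base64.b64encode(b"blob-1").decode("ascii")
SAMPLE_TABLE = {(b"blob-1", frozenset({("config_key", "DB_PASSWORD")})): b"hunter2"}
SAMPLE_CONFIG = "# committed config (constructed)\nDB_HOST=db.internal\nDB_PASSWORD=kms:" + SAMPLE_BLOB_B64 + "\n"
# The same blob pasted under a different key: the encryption context no longer matches.
MISPLACED_CONFIG = "API_TOKEN=kms:" + SAMPLE_BLOB_B64 + "\n"
# Not base64 at all.
GARBLED_CONFIG = "DB_PASSWORD=kms:not*base64\n"

if __name__ == "__main__":
    kms = FakeKMS(SAMPLE_TABLE)  # real use: import boto3; kms = boto3.client("kms")
    print(load_secrets(kms, SAMPLE_CONFIG))
    print(fails_closed(kms, MISPLACED_CONFIG), fails_closed(kms, GARBLED_CONFIG))
```

Because every decrypt failure, including KMS being unreachable, surfaces as `SecretDecryptError` at startup, the process never runs with a missing or wrong secret; whether to retry or fall back to a cached value is then an explicit decision at the call site rather than a silent default.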
otterley, over 8 years ago
It should be made clear that this requires AWS KMS, and for automatic decryption, EC2 (so that the instances can be associated with an IAM role that has key decryption permission).

(reply #12347030 not loaded)
brudgers, over 8 years ago
Repository: https://github.com/Zemanta/go-secretcrypt
whyleyc, over 8 years ago
What happens if Amazon's KMS service is down - does that break the app or can you operate ok without it?

(reply #12344604 not loaded)
Gaelan, over 8 years ago
The "write-only" feature could be implemented without a third party with a keypair.