[cryptography] Keyspace: client-side encryption for key/value stores

Jeffrey Walton noloader at gmail.com
Thu Mar 21 03:07:28 EDT 2013

On Thu, Mar 21, 2013 at 2:52 AM, Tony Arcieri <tony.arcieri at gmail.com> wrote:
> https://github.com/livingsocial/keyspace
> tl;dr: Keyspace provides "least authority" client-side encryption for
> key/value stores using NaCl's crypto_secretbox (XSalsa20 + Poly1305) and
> Ed25519 as part of a capability-based security model.
> One problem I've dealt with quite frequently when deploying web applications
> is how to keep sensitive configuration files (e.g. database credentials)
> secret. I've longed for a system that provides end-to-end confidentiality
> and data integrity. I think a reasonable goal is to never store secrets on
> disk in plaintext form, and try to isolate all secret management to the heap
> of the process in question. It's not perfect, and an attacker could still
> get keys out of RAM, but it's certainly better than plaintext on disk
> guarded by file permissions alone, which is the status quo as far as I can
> tell.
On Windows and Apple platforms, one usually defers to the OS. For
Windows, you would use the Data Protection API (DPAPI)
(http://msdn.microsoft.com/en-us/library/ms995355.aspx). For Apple,
you would use a Keychain.

Android 4.0 and above also offer a Keychain.
If using a lesser version, use a Keystore.

Some of Apple's Keychains appear to be broken at the moment, so it's
hit or miss whether the secret is actually protected. Confer:
http://lists.apple.com/archives/apple-cdsa/2013/Mar/msg00038.html and

Linux has not warmed up to the fact that userland needs help in
storing secrets from the OS.
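As an added illustration of the Windows path mentioned above (this is example code written for this page, not code from the post or from the Keyspace project), the snippet below protects a secret with DPAPI through .NET's ProtectedData wrapper around CryptProtectData/CryptUnprotectData, writes only the resulting blob to disk, and unprotects it later in memory. The secret, the optional entropy string and the file path are constructed sample values.

```powershell
# Added example: DPAPI-protected secret on Windows (not from the original post).
# ProtectedData wraps CryptProtectData/CryptUnprotectData; on Windows PowerShell 5.1
# it lives in System.Security.dll, so load that assembly explicitly.
Add-Type -AssemblyName System.Security

# Constructed sample secret and optional entropy (assumption: an app-chosen constant
# that must be supplied identically on Unprotect; it is not a password).
$secret  = [System.Text.Encoding]::UTF8.GetBytes('db-password-example')
$entropy = [System.Text.Encoding]::UTF8.GetBytes('myapp-config-v1')

# CurrentUser scope binds the blob to the calling account's DPAPI master key, so
# another account on the same host cannot decrypt it. LocalMachine scope would let
# any process on the host unprotect the blob, which is rarely what you want.
$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$blob  = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)

# Only the ciphertext reaches disk; file ACLs are a second layer, not the protection.
$path = Join-Path $env:TEMP 'db.cred'   # constructed sample path
[System.IO.File]::WriteAllBytes($path, $blob)

# Later, in the service process running as the same user: read the blob and
# unprotect it into process memory only.
$loaded   = [System.IO.File]::ReadAllBytes($path)
$plain    = [System.Security.Cryptography.ProtectedData]::Unprotect($loaded, $entropy, $scope)
$password = [System.Text.Encoding]::UTF8.GetString($plain)

# Wipe the byte[] once it has been consumed; the managed string cannot be wiped reliably.
[Array]::Clear($plain, 0, $plain.Length)

# Sanity check: round trip recovers the original secret.
if ($password -ne 'db-password-example') { throw 'DPAPI round trip failed' }
```

Two practical caveats: a service account must have a loaded profile (and a reachable domain controller for roaming keys) for CurrentUser scope to work, and a blob protected with extra entropy is unrecoverable if the entropy is lost, so treat it as part of the application's configuration rather than something derived at runtime.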

