[cryptography] Keyspace: client-side encryption for key/value stores

Jeffrey Walton noloader at gmail.com
Thu Mar 21 03:07:28 EDT 2013


On Thu, Mar 21, 2013 at 2:52 AM, Tony Arcieri <tony.arcieri at gmail.com> wrote:
> https://github.com/livingsocial/keyspace
>
> tl;dr: Keyspace provides "least authority" client-side encryption for
> key/value stores using NaCl's crypto_secretbox (XSalsa20 + Poly1305) and
> Ed25519 as part of a capability-based security model.
>
> One problem I've dealt with quite frequently when deploying web applications
> is how to keep sensitive configuration files (e.g. database credentials)
> secret. I've longed for a system that provides end-to-end confidentiality
> and data integrity. I think a reasonable goal is to never store secrets on
> disk in plaintext form, and try to isolate all secret management to the heap
> of the process in question. It's not perfect, and an attacker could still
> get keys out of RAM, but it's certainly better than plaintext on disk
> guarded by file permissions alone, which is the status quo as far as I can
> tell.

On Windows and Apple platforms, one usually defers to the OS. For
Windows, you would use the Data Protection API (DPAPI)
(http://msdn.microsoft.com/en-us/library/ms995355.aspx). For Apple,
you would use a Keychain
(https://developer.apple.com/library/mac/#documentation/security/Reference/keychainservices/Reference/reference.html).

Android 4.0 and above also offer a Keychain
(http://developer.android.com/reference/android/security/KeyChain.html).
If using a lesser version, use a Keystore
(http://developer.android.com/reference/java/security/KeyStore.html).

Some of Apple's Keychains appear to be broken at the moment, so it's
hit or miss whether the secret is actually protected. Confer:
http://lists.apple.com/archives/apple-cdsa/2013/Mar/msg00038.html and
http://lists.apple.com/archives/apple-cdsa/2013/Mar/index.html.

Linux has not warmed up to the fact that userland needs help in
storing secrets from the OS.

Jeff
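As an added illustration of what "deferring to the OS" on Windows looks like in practice (example code written for this page, not from either message or from Keyspace): a PowerShell script that wraps a database credential with DPAPI so the plaintext exists only in the process that needs it, with the protected blob on disk. It assumes Windows PowerShell 5.1 or later on Windows; the entropy string and output path are constructed placeholders.

```powershell
# DPAPI via .NET ProtectedData; on Windows PowerShell 5.1 the assembly must be loaded.
Add-Type -AssemblyName System.Security

# Constructed application entropy. DPAPI mixes it into the key so another
# program running as the same user cannot unwrap the blob without it; a
# literal in the script is still only obfuscation against that user.
$script:Entropy = [System.Text.Encoding]::UTF8.GetBytes('example-app-entropy')

function Protect-Secret {
    param([string]$Plaintext, [string]$Path)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Plaintext)
    # CurrentUser scope: the blob is bound to this user's logon credentials,
    # not to file permissions. LocalMachine would let any process on the host unwrap it.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $script:Entropy,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [System.IO.File]::WriteAllBytes($Path, $blob)
    # Clear the plaintext byte array once it has been wrapped.
    [Array]::Clear($bytes, 0, $bytes.Length)
}

function Unprotect-Secret {
    param([string]$Path)
    $blob = [System.IO.File]::ReadAllBytes($Path)
    # Throws CryptographicException if the blob was made by another user,
    # on another machine, or with different entropy: that is the integrity check.
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $blob, $script:Entropy,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    $text = [System.Text.Encoding]::UTF8.GetString($bytes)
    [Array]::Clear($bytes, 0, $bytes.Length)
    return $text   # a .NET string is immutable; it lives on the heap until collected
}

# Usage with a constructed credential and a temp path.
$credPath = Join-Path $env:TEMP 'example-db.cred'
Protect-Secret -Plaintext 'db-password-placeholder' -Path $credPath
$recovered = Unprotect-Secret -Path $credPath
if ($recovered -ne 'db-password-placeholder') { throw 'DPAPI round trip failed' }
```

The file at `$credPath` holds only the DPAPI blob, so a copy of the file alone, without the user's logon secret and the entropy, does not yield the credential.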
