[cryptography] Keyspace: client-side encryption for key/value stores

Tony Arcieri tony.arcieri at gmail.com
Thu Mar 21 03:33:29 EDT 2013

Keyspace is a bit different from an OS "keychain" in that it's a networked
system, designed to be centrally managed by the holders of a writecap,
accessed by holders of the readcap, and with the verifycap on the server to
determine the authenticity of values published by administrators with

My initial (and continued) goal is to use it to centrally manage secure
configuration data, but again, I think it's generally applicable as
client-side security for distributed key/value databases. That definitely
transcends whatever secure key storage an OS provides for a single node.

On Thu, Mar 21, 2013 at 12:07 AM, Jeffrey Walton <noloader at gmail.com> wrote:

> On Thu, Mar 21, 2013 at 2:52 AM, Tony Arcieri <tony.arcieri at gmail.com>
> wrote:
> > https://github.com/livingsocial/keyspace
> >
> > tl;dr: Keyspace provides "least authority" client-side encryption for
> > key/value stores using NaCl's crypto_secretbox (XSalsa20 + Poly1305) and
> > Ed25519 as part of a capability-based security model.
> >
> > One problem I've dealt with quite frequently when deploying web
> applications
> > is how to keep sensitive configuration files (e.g. database credentials)
> > secret. I've longed for a system that provides end-to-end confidentiality
> > and data integrity. I think a reasonable goal is to never store secrets
> on
> > disk in plaintext form, and try to isolate all secret management to the
> heap
> > of the process in question. It's not perfect, and an attacker could still
> > get keys out of RAM, but it's certainly better than plaintext on disk
> > guarded by file permissions alone, which is the status quo as far as I
> can
> > tell.
> On Windows and Apple platforms, one usually defers to the OS. For
> Windows, you would use the Data Protection API (DPAPI)
> (http://msdn.microsoft.com/en-us/library/ms995355.aspx). For Apple,
> you would use a Keychain
> (
> https://developer.apple.com/library/mac/#documentation/security/Reference/keychainservices/Reference/reference.html
> ).
> Android 4.0 and above also offer a Keychain
> (http://developer.android.com/reference/android/security/KeyChain.html).
> If using a lesser version, use a Keystore
> (http://developer.android.com/reference/java/security/KeyStore.html).
> Some of Apple's Keychains appear to be broken at the moment, so its
> hit or miss whether the secret is actually protected. Confer:
> http://lists.apple.com/archives/apple-cdsa/2013/Mar/msg00038.html and
> http://lists.apple.com/archives/apple-cdsa/2013/Mar/index.html.
> Linux has not warmed up to the fact that userland needs help in
> storing secrets from the OS.
> Jeff

Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20130321/bface462/attachment.html>

More information about the cryptography mailing list