Pass a default EncryptionContext on calls to KMS #136
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Using the credential name and version as Additional Authentication Data (AAD) can mitigate ciphertext replacement attacks on the DynamoDB backend. Bumps the version to 2.0.0 as it is backwards incompatible with older versions of credstash which didn't set an EncryptionContext by default. Upgrading from older versions is possible by running ./migrations/credstash-migrate-encryption-context.py This will re-encrypt secrets with the default EncryptionContext.
|
Any thoughts on what might need to be added to get this merged? cc @alex-luminal |
|
Took a cursory look at it looks good. Will take a closer look tonight/tomorrow and should be able to get it merged. |
|
Hi @alex-luminal sorry for pestering you on this. Anything I can do to help get this merged? |
|
@davbo Apologies for taking so long to get back to you. I'm working on the next version of credstash and I'm planning to pull these changes in. Thank you for the PR. Stay tuned! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This addresses #134. As discussed there: setting an EncryptionContext gives some nice benefits such as preventing credentials being swapped in the storage backend.
Credentials
putwith this version of credstash cannot be retrieved by older versions without specifying the context explicitly. This backward incompatibility is why I bumped the version to 2.0.0. For now it is possible for this version togetcredentialsputby older versions. This way people can upgrade the version of credstash in use then using the migrate script update all credentials to have an EncryptionContext attached.I'm not sure what a change like this would mean for other "credstash compatible" libraries either.
Any suggestions for changes or documentation to help existing users upgrade would be appreciated.