Ubiquitous Encryption: Using AWS KMS to protect secrets

Draft!

Ubiquitous Encryption

Using AWS KMS

Use case: storing the private keys and certificate files Nginx needs for TLS, when you are not using an HSM for OpenSSL offloading or a keyless infrastructure.

$ aws kms create-key --policy file://path/to/policy

If you omit --policy, the default key policy is used, which restricts use of the key to your own user or role.

$ aws kms encrypt --key-id 89324897-0zb1-9874-47fh-981273987 \
	--plaintext file://some-ssl.pem --query CiphertextBlob \
	--output text | base64 --decode > some-ssl.pem.encrypted

You now have an encrypted file that is ready to be stored in an encrypted S3 bucket or another safe location. Two caveats: KMS Encrypt accepts at most 4096 bytes of plaintext, which is enough for a single private key but often too small for a full certificate chain, and AWS CLI v2 treats the contents of file:// for binary parameters as base64 text, so pass the plaintext as fileb://some-ssl.pem there.

Let's create 50MB of encrypted storage in memory for root only (file permissions are not covered here; ideally the Nginx user owns the store so only that user can pull the key, once):

sudo mkdir /mnt/ramdisk
sudo mount -t ramfs none /mnt/ramdisk -o maxsize=50000 # ramfs is never swapped out; it ignores size options, so the dd count below is what bounds the container
sudo dd if=/dev/urandom of=/mnt/ramdisk/cryptedcontainer bs=1M count=50
sudo losetup -f # prints the first free loop device; the rest assumes it is /dev/loop0
sudo losetup /dev/loop0 /mnt/ramdisk/cryptedcontainer
sudo cryptsetup create --cipher aes-xts-plain --key-size 512 \
	cryptedramdisk /dev/loop0 -d /dev/urandom # throwaway key read from /dev/urandom; "create" is the older spelling of "open --type plain"
sudo badblocks -swt random /dev/mapper/cryptedramdisk # writes a random pattern over the whole mapped device (the dd above already filled the container with random bytes, so this pass is optional)
sudo mkfs.ext2 /dev/mapper/cryptedramdisk # Creating the filesystem
sudo mkdir /mnt/my-relatively-safe-certificate-key-store
sudo mount /dev/mapper/cryptedramdisk /mnt/my-relatively-safe-certificate-key-store

To decrypt:

aws kms decrypt --ciphertext-blob fileb://some-ssl.pem.encrypted \
	--output text --query Plaintext | base64 \
	--decode > /mnt/my-relatively-safe-certificate-key-store/some-ssl.pem

Windows

aws kms decrypt --ciphertext-blob fileb://some-ssl.pem.encrypted \
	--output text --query Plaintext > some-ssl.pem.base64
certutil -decode some-ssl.pem.base64 some-ssl.pem

Point your Nginx configuration at the files in your "relatively-safe-certificate-key-store" and start or restart Nginx. To make it "safer" you can then unmount the virtual disks, since Nginx keeps the loaded key and certificate in memory. A reload is no longer possible after that, because Nginx re-reads the certificate files from disk when it reloads its configuration. To facilitate all this, I usually rewrite the stop/start/reload scripts to run the mounting sequence each and every time.

Clean-up steps:

sudo umount /mnt/my-relatively-safe-certificate-key-store
sudo cryptsetup remove cryptedramdisk
sudo losetup -d /dev/loop0
sudo shred -ufv /mnt/ramdisk/cryptedcontainer # for the paranoid: overwrites the container in memory three times before unlinking it
sudo umount /mnt/ramdisk
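The start/stop wrapper the text above mentions, written out as an added example (not the post's own script): it runs the post's sequence as two functions, discovers the loop device instead of assuming /dev/loop0, sets file permissions on the store, and checks the 4096-byte KMS Encrypt limit before a file is sent to KMS. The BLOB path and the "nginx" systemd service name are assumptions.

```shell
# Added example, not from the original post: the post's mount / decrypt / unmount
# sequence as functions for an Nginx start/stop wrapper. Run as root; BLOB and the
# "nginx" service name are assumed placeholders.
set -eu

RAMDISK=/mnt/ramdisk
CONTAINER=$RAMDISK/cryptedcontainer
MAPPER=cryptedramdisk
STORE=/mnt/my-relatively-safe-certificate-key-store
BLOB=/etc/nginx/secrets/some-ssl.pem.encrypted   # assumed location of the KMS ciphertext
KMS_ENCRYPT_MAX=4096                              # KMS Encrypt's plaintext limit in bytes

# Pre-flight check before "aws kms encrypt": returns 0 if the file fits the API limit.
kms_encrypt_fits() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -le "$KMS_ENCRYPT_MAX" ]
}

# ramfs is never swapped; the loop device is discovered rather than assumed to be loop0.
mount_keystore() {
    mkdir -p "$RAMDISK" "$STORE"
    mountpoint -q "$RAMDISK" || mount -t ramfs none "$RAMDISK"
    dd if=/dev/urandom of="$CONTAINER" bs=1M count=50 status=none
    LOOPDEV=$(losetup -f --show "$CONTAINER")
    # throwaway key from /dev/urandom: the store is unreadable after cryptsetup close
    cryptsetup open --type plain --cipher aes-xts-plain --key-size 512 \
        --key-file /dev/urandom "$LOOPDEV" "$MAPPER"
    mkfs.ext2 -q "/dev/mapper/$MAPPER"
    mount "/dev/mapper/$MAPPER" "$STORE"
    chmod 700 "$STORE"
    aws kms decrypt --ciphertext-blob "fileb://$BLOB" --output text --query Plaintext \
        | base64 --decode > "$STORE/some-ssl.pem"
    chmod 400 "$STORE/some-ssl.pem"
}

# Reverse order of the post's clean-up; every step tolerates a partially built store.
unmount_keystore() {
    umount "$STORE" 2>/dev/null || true
    cryptsetup close "$MAPPER" 2>/dev/null || true
    LOOPDEV=$(losetup -j "$CONTAINER" 2>/dev/null | cut -d: -f1)
    [ -n "$LOOPDEV" ] && losetup -d "$LOOPDEV"
    [ -f "$CONTAINER" ] && shred -u "$CONTAINER"
    umount "$RAMDISK" 2>/dev/null || true
}

case "${1:-}" in
    start) mount_keystore; systemctl start nginx; unmount_keystore ;;
    stop)  systemctl stop nginx; unmount_keystore ;;
esac
```

Run it as root with `start` or `stop`; the start path tears the store down again right after Nginx has loaded the key, which is the "safer" mode described above.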

Author: Angelique Dawnbringer
Published: 2016-05-29 14:06:26
Modified: 2017-11-05 20:38:36
Keywords:
  • Ubiquitous Encryption
  • GDPR
  • AWS KMS