diff --git a/content/posts/2019-08-25-sign-commits/index.md b/content/posts/2019-08-25-sign-commits/index.md new file mode 100644 index 00000000..6c4752a7 --- /dev/null +++ b/content/posts/2019-08-25-sign-commits/index.md 
@@ -0,0 +1,114 @@ +--- +slug: "2019/08/15/please-a-bit-more-secure-shell" +title: "Configuring Git" +subtitle: "Sign and multiple identities" +date: 2019-08-25 +#cover: ./evoluon.jpg +#coverDescription: "Evoluon" +#coverLink: "https://goo.gl/maps/WPrtxowKszHqgLNw9" +asciinema: false +#imageFb: ./2019-07-01-multi-cloud-mesh-fb.png +#imageTw: ./2019-07-01-multi-cloud-mesh-tw.png +type: post +#comments: true +tags: + - aws + - shell + - security +authors: + - niek +--- + +Last week I became a happy owner of a new and fresh Mac. That it is a Mac is not even that important for this post. So I tasks my self with setting my system up a bit better, reproducible and more secure. + +Installing software packages is not hard anymore. Several package managers such as `brew` for Mac or `apt-get` for Ubuntu makes installing software a simple tasks already for years. + +Most of you configuration will be store in so called `dotfiles` also for handling dotfiles there are several good options out and many post can be found. I personally like to use [stow](https://www.gnu.org/software/stow/) to link my dotfiles. + +So once I had my software and main configuration installed only a few challenged related to protection and security are left. I never took simply the time to setup my Git configuration well. Two things were really missing, signing and handle multiple Git identities. So let's get them right this time. + +## Signing my commits +Signing digital content is not a new topic, so I will keep it short. For signing your Git commits you need to setup GPG key. An easy way would be using [Keybase](https://keybase.io). And manage your GPG key via Keybase. A second option is to generate your GPG keys using GNU GPG. Another handy tool to let your GPG password store in Keychain is [GPG suite](https://gpgtools.org/). + +### Generate or Import GPG keys +If you do not have a GPG key you need first to generate one. You can do this with the cli `gpg` or using a tool such as Keybase. 
+ +```bash +# Generate your GPG key +gpg --generate-key +``` + +If you would like to manage your GPG keys with Keybase you need to import the GPG key from Keybase into GNU GPG to use in your shell environment. + +```bash +# Export and import public key +keybase pgp export | gpg --import +# Export and import private key +keybase pgp export -s | gpg --allow-secret-key-import --import +``` + +### Verify +You can verify you imported or generated keys as follow +```bash +gpg --list-secret-keys +``` +The result should look like as follow. + +``` +sec rsa4096 2019-08-15 [SC] [expires: 2035-08-11] + +uid [ultimate] Your Name +ssb rsa4096 2019-08-15 [E] [expires: 2035-08-11] +``` + +If you key not marked as trust (or ultimate) but marked as unknown you have to edit your key and set the trust level. `gpg --edit-key`. + +To get my GPG keys working with git I also set the `GPG_TTY` in my profile +```bash +export GPG_TTY=$(tty) +``` + +Finally we have to configure Git. First you need to export your key and upload the public signature for example to GitHub. +```bash +# Export you GPG key +gpg --armor --export +``` +The last step is to configure Git. We have to tell Git which key to use. You can find the key id with `gpg --list-secret-keys`. +```bash +git config --global user.signingkey +``` +Now you are ready to sign your commits by adding the parameter `-S`. or configure Git to sign by default. +```bash +git config --global commit.gpgsign true +``` + +## Multiple Git identities. +I have to deal with at least two Git identities, one based on my work mail and a second one for my public profile on GitHub. For the signing part this is not an issue at all since you can add multiple identities to a GPG key. + +It is not hard to solve this issue if you are ok to organize you local code based on the identity. So for example choose a different root directory for your private and work repo's. You can then activate a Git config based on the dir where you code is. 
This will result in a `~/.gitconfig` file a shown below. + +``` +[user] + name = Your Name + email = your.mail@home.com + signingkey = KEY_ID +[gpg] + program = gpg + +[includeIf "gitdir:~/projects/work/"] + path = ~/projects/work/.gitconfig + +[includeIf "gitdir:~/projects/home/"] + path = ~/projects/home/.gitconfig + +[commit] + gpgsign = true +``` + +Next add a `.gitconfig` file in the dir that is mentioned in `includeIf`. So for example add the following Git config in `~/projects/work/.gitconfig`. +``` +[user] + email = your.mail@work.com +``` + +As soon you enter a directory below `~/projects/work/` your work email will be used for Git commits. \ No newline at end of file diff --git a/content/posts/2019-08-27-securint-aws-secrets/index.md b/content/posts/2019-08-27-securint-aws-secrets/index.md new file mode 100644 index 00000000..770c8218 --- /dev/null +++ b/content/posts/2019-08-27-securint-aws-secrets/index.md @@ -0,0 +1,117 @@ +--- +slug: "2019/08/27/please-a-bit-more-secure-shell" +title: "Avoiding secrets in plain text" +subtitle: "Please a bit more security in my cli" +date: 2019-08-27 +#cover: ./evoluon.jpg +#coverDescription: "Evoluon" +#coverLink: "https://goo.gl/maps/WPrtxowKszHqgLNw9" +asciinema: true +#imageFb: ./2019-07-01-multi-cloud-mesh-fb.png +#imageTw: ./2019-07-01-multi-cloud-mesh-tw.png +type: post +#comments: true +tags: + - aws + - shell + - security +authors: + - niek +--- + + +# Avoiding storing secrets in plain text + +*This post guide you to store your AWS secrets secure in a password store and use them easy in your bash shell.* + +

+ +  Source code for this post

+ + +Last week I became a happy owner of a new and fresh Mac. That it is a Mac is not even that important for this post. So I tasks my self with setting my system up a bit better, reproducible and more secure. + +So once I had my software and main configuration installed only a few challenged related to protection and security are left. First I would like to sign my GIT commits. Secondly I would find a solution for handling all kind of secrets that on my systems end up in plain text file. Quite crazy nowadays, now using a password manager is becoming quite common. But the challenge is always to find a solution that is secure and also works. + + +## Please no plain secrets +I am using AWS a lot, and unfortunately AWS has not a very good solution to store your secrets encrypted, or even avoid storing them at all. Using secrets in the environment is quite common for many systems. And on your production systems we use typically a system like Vault to keep the secrets secure. + +For handling my secrets locally I choose [pass] a command line password manager to keep my secrets secure. + +### Setup command line password store +After installing pass via brew or any other package manager you need to initialize you password store. Pass requires a GPG key encrypted you password. Would be logical to use a key with a password. +``` +pass init +``` +Next you can start adding your keys to the password store. For example your AWS keys can added as follow. + +```bash +pass insert blog/ws-access-key-id +pass insert blog/aws-access-secret +``` +With `pass ls` you can list the entries in your store. + +``` +├── blog +│   ├── aws-access-key-id +│   ├── aws-access-secret +``` + + +### Using your secrets +Using your secrets is straightforward. You can retrieve a secret as follow `pass blog/aws-access-key-id`. You can start using the AWS cli by setting your access key and secret as follow. 
+ +```bash +export AWS_ACCESS_KEY_ID=$(pass blog/aws-access-key-id) +export AWS_SECRET_ACCESS_KEY=$(pass blog/aws-access-secret) +``` + +Verify your setup by getting you account id `aws sts get-caller-identity`. + +So this works but using it is quite cumbersome. And becomes even harder if you would like to use MFA. For MFA you have first to set an access key and secret to obtain your MFA session. To give an impressions you need to execute the following commands to setup you environment to use MFA> + +``` +session=$(aws sts get-session-token --serial-number \ + arn:aws:iam::123456789:mfa/me --token-code 1234) +echo $session +``` + +You will get response like below which you can parse with `jq` to set the sessions details in your shell. +``` +{ + "Credentials": { + "AccessKeyId": "TMP_ACCESS_KEY", + "SecretAccessKey": "TMP_SECRET", + "SessionToken": "SESSION_TOKEN", + "Expiration": "2019-08-24T03:01:03Z" + } +} +``` + +Set the environment variables. +```bash +export AWS_SESSION_TOKEN=$(echo $session | jq -r '.Credentials.SessionToken') +export AWS_SECRET_ACCESS_KEY=$(echo $session | jq -r '.Credentials.SecretAccessKey') +export AWS_ACCESS_KEY_ID=$(echo $session | jq -r '.Credentials.AccessKeyId') +``` + +So we have now secured our setup but executing those commands for each new shell would be horrible. So I have wrapped the commands show here to a set of simple bash function. + +```bash +source aws-auth-utils.sh + +# Insert secrets for your aws accountX into pass. +aws-pass-insert-access-keys accountX +aws-pass-insert-mfa accountX + +# create a MFA session +aws-mfa-login accountX 123456 + +# verify you can access your account: +aws sts get-caller-identity +``` + + + \ No newline at end of file diff --git a/static/2019/08/27/aws-secrets/awsmfa.json b/static/2019/08/27/aws-secrets/awsmfa.json new file mode 100644 index 00000000..49177cb7 --- /dev/null +++ b/static/2019/08/27/aws-secrets/awsmfa.json 
@@ -0,0 +1,60 @@ +{"version": 2, "width": 169, "height": 25, "timestamp": 1566595170, "env": {"SHELL": "/bin/zsh", "TERM": "xterm-256color"}} +[0.695607, "o", "\u001b[1m\u001b[7m%\u001b[27m\u001b[1m\u001b[0m \r \r\u001b]2;me@my-mac: ~/bin/aws-auth\u0007\u001b]1;~/bin/aws-auth\u0007"] +[0.723956, "o", "\r\u001b[0m\u001b[27m\u001b[24m\u001b[J\u001b[01;32m➜ \u001b[36maws-auth\u001b[00m \u001b[01;34mgit:(\u001b[31mmaster\u001b[34m)\u001b[00m \u001b[K"] +[0.724222, "o", "\u001b[?1h\u001b=\u001b[?2004h"] +[1.983502, "o", "s"] +[2.212715, "o", "\bso"] +[2.352635, "o", "u"] +[2.44455, "o", "r"] +[2.621648, "o", "ce\u001b[1m \u001b[0m"] +[4.023265, "o", "\b\u001b[0m a"] +[4.333503, "o", "w"] +[4.555857, "o", "s"] +[4.6976, "o", "-"] +[4.890894, "o", "a"] +[5.00715, "o", "u"] +[5.229269, "o", "th-utils.sh\u001b[1m \u001b[0m"] +[6.162436, "o", "\b\u001b[0m \b"] +[6.162507, "o", "\u001b[?1l\u001b>"] +[6.162601, "o", "\u001b[?2004l\r\r\n"] +[6.163497, "o", "\u001b]2;source aws-auth-utils.sh\u0007\u001b]1;source\u0007"] +[6.168913, "o", "\u001b[1m\u001b[7m%\u001b[27m\u001b[1m\u001b[0m \r \r"] +[6.169127, "o", "\u001b]2;me@my-mac: ~/bin/aws-auth\u0007\u001b]1;~/bin/aws-auth\u0007"] +[6.19627, "o", "\r\u001b[0m\u001b[27m\u001b[24m\u001b[J\u001b[01;32m➜ \u001b[36maws-auth\u001b[00m \u001b[01;34mgit:(\u001b[31mmaster\u001b[34m)\u001b[00m \u001b[K"] +[6.196416, "o", "\u001b[?1h\u001b=\u001b[?2004h"] +[7.530258, "o", "a"] +[7.722898, "o", "\baw"] +[7.938618, "o", "s"] +[8.050541, "o", "-"] +[8.243516, "o", "a"] +[8.372302, "o", "u"] +[8.621124, "o", "th-"] +[9.20075, "o", "m"] +[9.331349, "o", "f"] +[9.509701, "o", "a-"] +[10.015461, "o", "l"] +[10.21972, "o", "o"] +[10.356133, "o", "gin\u001b[1m \u001b[0m"] +[10.696664, "o", "\b\u001b[0m m"] +[10.889056, "o", "e"] +[11.486423, "o", " "] +[15.69128, "o", "\u001b[7m123456\u001b[27m"] +[16.3137, "o", "\b\b\b\b\b\b\u001b[27m2\u001b[27m0\u001b[27m0\u001b[27m3\u001b[27m2\u001b[27m5\u001b[?1l\u001b>"] +[16.313772, "o", 
"\u001b[?2004l\r\r\n"] +[16.314552, "o", "\u001b]2;aws-auth-mfa-login me 123456\u0007\u001b]1;aws-auth-mfa-login\u0007"] +[19.534269, "o", "MFA session valid until 2019-08-24T09:19:49Z\r\n"] +[19.53443, "o", "\u001b[1m\u001b[7m%\u001b[27m\u001b[1m\u001b[0m \r \r\u001b]2;me@my-mac: ~/bin/aws-auth\u0007\u001b]1;~/bin/aws-auth\u0007"] +[19.560529, "o", "\r\u001b[0m\u001b[27m\u001b[24m\u001b[J\u001b[01;32m➜ \u001b[36maws-auth\u001b[00m \u001b[01;34mgit:(\u001b[31mmaster\u001b[34m)\u001b[00m \u001b[K"] +[19.560576, "o", "\u001b[?1h\u001b=\u001b[?2004h"] +[24.756804, "o", "\u001b[7maws sts get-caller-identity --profile beerfest\u001b[27m"] +[25.130629, "o", "\u001b[46D\u001b[27ma\u001b[27mw\u001b[27ms\u001b[27m \u001b[27ms\u001b[27mt\u001b[27ms\u001b[27m \u001b[27mg\u001b[27me\u001b[27mt\u001b[27m-\u001b[27mc\u001b[27ma\u001b[27ml\u001b[27ml\u001b[27me\u001b[27mr\u001b[27m-\u001b[27mi\u001b[27md\u001b[27me\u001b[27mn\u001b[27mt\u001b[27mi\u001b[27mt\u001b[27my\u001b[27m \u001b[27m-\u001b[27m-\u001b[27mp\u001b[27mr\u001b[27mo\u001b[27mf\u001b[27mi\u001b[27ml\u001b[27me\u001b[27m \u001b[27mb\u001b[27me\u001b[27me\u001b[27mr\u001b[27mf\u001b[27me\u001b[27ms\u001b[27mt\u001b[?1l\u001b>"] +[25.130699, "o", "\u001b[?2004l\r\r\n"] +[25.131563, "o", "\u001b]2;aws sts get-caller-identity --profile beerfest\u0007\u001b]1;aws\u0007"] +[26.306176, "o", "{\r\n \"UserId\": \"my-session\",\r\n \"Account\": \"123456789\",\r\n \"Arn\": \"arn:aws:sts::1234567890:assumed-role/role\"\r\n}\r\n"] +[26.347835, "o", "\u001b[1m\u001b[7m%\u001b[27m\u001b[1m\u001b[0m \r \r"] +[26.34789, "o", "\u001b]2;me@my-mac: ~/bin/aws-auth\u0007"] +[26.348022, "o", "\u001b]1;~/bin/aws-auth\u0007"] +[26.374704, "o", "\r\u001b[0m\u001b[27m\u001b[24m\u001b[J\u001b[01;32m➜ \u001b[36maws-auth\u001b[00m \u001b[01;34mgit:(\u001b[31mmaster\u001b[34m)\u001b[00m \u001b[K"] +[26.374757, "o", "\u001b[?1h\u001b="] +[26.374813, "o", "\u001b[?2004h"] +[27.540048, "o", "\u001b[?2004l\r\r\n"] 
diff --git a/static/2019/08/27/aws-secrets/awsmfa.json~ b/static/2019/08/27/aws-secrets/awsmfa.json~ new file mode 100644 index 00000000..b8cdd890 --- /dev/null +++ b/static/2019/08/27/aws-secrets/awsmfa.json~ 
@@ -0,0 +1,62 @@ +{"version": 2, "width": 169, "height": 25, "timestamp": 1566595170, "env": {"SHELL": "/bin/zsh", "TERM": "xterm-256color"}} +[0.695607, "o", "\u001b[1m\u001b[7m%\u001b[27m\u001b[1m\u001b[0m \r \r\u001b]2;me@my-mac: ~/bin/aws-auth\u0007\u001b]1;~/bin/aws-auth\u0007"] +[0.723956, "o", "\r\u001b[0m\u001b[27m\u001b[24m\u001b[J\u001b[01;32m➜ \u001b[36maws-auth\u001b[00m \u001b[01;34mgit:(\u001b[31mmaster\u001b[34m)\u001b[00m \u001b[K"] +[0.724222, "o", "\u001b[?1h\u001b=\u001b[?2004h"] +[1.983502, "o", "s"] +[2.212715, "o", "\bso"] +[2.352635, "o", "u"] +[2.44455, "o", "r"] +[2.621648, "o", "ce\u001b[1m \u001b[0m"] +[4.023265, "o", "\b\u001b[0m a"] +[4.333503, "o", "w"] +[4.555857, "o", "s"] +[4.6976, "o", "-"] +[4.890894, "o", "a"] +[5.00715, "o", "u"] +[5.229269, "o", "th-utils.sh\u001b[1m \u001b[0m"] +[6.162436, "o", "\b\u001b[0m \b"] +[6.162507, "o", "\u001b[?1l\u001b>"] +[6.162601, "o", "\u001b[?2004l\r\r\n"] +[6.163497, "o", "\u001b]2;source aws-auth-utils.sh\u0007\u001b]1;source\u0007"] +[6.168913, "o", "\u001b[1m\u001b[7m%\u001b[27m\u001b[1m\u001b[0m \r \r"] +[6.169127, "o", "\u001b]2;me@my-mac: ~/bin/aws-auth\u0007\u001b]1;~/bin/aws-auth\u0007"] +[6.19627, "o", "\r\u001b[0m\u001b[27m\u001b[24m\u001b[J\u001b[01;32m➜ \u001b[36maws-auth\u001b[00m \u001b[01;34mgit:(\u001b[31mmaster\u001b[34m)\u001b[00m \u001b[K"] +[6.196416, "o", "\u001b[?1h\u001b=\u001b[?2004h"] +[7.530258, "o", "a"] +[7.722898, "o", "\baw"] +[7.938618, "o", "s"] +[8.050541, "o", "-"] +[8.243516, "o", "a"] +[8.372302, "o", "u"] +[8.621124, "o", "th-"] +[9.20075, "o", "m"] +[9.331349, "o", "f"] +[9.509701, "o", "a-"] +[10.015461, "o", "l"] +[10.21972, "o", "o"] +[10.356133, "o", "gin\u001b[1m \u001b[0m"] +[10.696664, "o", "\b\u001b[0m n"] +[10.889056, "o", "i"] +[11.043396, "o", "e"] +[11.176988, "o", "k"] +[11.486423, "o", " "] +[15.69128, "o", "\u001b[7m200325\u001b[27m"] +[16.3137, "o", 
"\b\b\b\b\b\b\u001b[27m2\u001b[27m0\u001b[27m0\u001b[27m3\u001b[27m2\u001b[27m5\u001b[?1l\u001b>"] +[16.313772, "o", "\u001b[?2004l\r\r\n"] +[16.314552, "o", "\u001b]2;aws-auth-mfa-login me 123456\u0007\u001b]1;aws-auth-mfa-login\u0007"] +[19.534269, "o", "MFA session valid until 2019-08-24T09:19:49Z\r\n"] +[19.53443, "o", "\u001b[1m\u001b[7m%\u001b[27m\u001b[1m\u001b[0m \r \r\u001b]2;me@my-mac: ~/bin/aws-auth\u0007\u001b]1;~/bin/aws-auth\u0007"] +[19.560529, "o", "\r\u001b[0m\u001b[27m\u001b[24m\u001b[J\u001b[01;32m➜ \u001b[36maws-auth\u001b[00m \u001b[01;34mgit:(\u001b[31mmaster\u001b[34m)\u001b[00m \u001b[K"] +[19.560576, "o", "\u001b[?1h\u001b=\u001b[?2004h"] +[24.756804, "o", "\u001b[7maws sts get-caller-identity --profile beerfest\u001b[27m"] +[25.130629, "o", "\u001b[46D\u001b[27ma\u001b[27mw\u001b[27ms\u001b[27m \u001b[27ms\u001b[27mt\u001b[27ms\u001b[27m \u001b[27mg\u001b[27me\u001b[27mt\u001b[27m-\u001b[27mc\u001b[27ma\u001b[27ml\u001b[27ml\u001b[27me\u001b[27mr\u001b[27m-\u001b[27mi\u001b[27md\u001b[27me\u001b[27mn\u001b[27mt\u001b[27mi\u001b[27mt\u001b[27my\u001b[27m \u001b[27m-\u001b[27m-\u001b[27mp\u001b[27mr\u001b[27mo\u001b[27mf\u001b[27mi\u001b[27ml\u001b[27me\u001b[27m \u001b[27mb\u001b[27me\u001b[27me\u001b[27mr\u001b[27mf\u001b[27me\u001b[27ms\u001b[27mt\u001b[?1l\u001b>"] +[25.130699, "o", "\u001b[?2004l\r\r\n"] +[25.131563, "o", "\u001b]2;aws sts get-caller-identity --profile beerfest\u0007\u001b]1;aws\u0007"] +[26.306176, "o", "{\r\n \"UserId\": \"my-session\",\r\n \"Account\": \"123456789\",\r\n \"Arn\": \"arn:aws:sts::1234567890:assumed-role/role\"\r\n}\r\n"] +[26.347835, "o", "\u001b[1m\u001b[7m%\u001b[27m\u001b[1m\u001b[0m \r \r"] +[26.34789, "o", "\u001b]2;me@my-mac: ~/bin/aws-auth\u0007"] +[26.348022, "o", "\u001b]1;~/bin/aws-auth\u0007"] +[26.374704, "o", "\r\u001b[0m\u001b[27m\u001b[24m\u001b[J\u001b[01;32m➜ \u001b[36maws-auth\u001b[00m \u001b[01;34mgit:(\u001b[31mmaster\u001b[34m)\u001b[00m \u001b[K"] +[26.374757, "o", 
"\u001b[?1h\u001b="] +[26.374813, "o", "\u001b[?2004h"] +[27.540048, "o", "\u001b[?2004l\r\r\n"] diff --git a/static/2019/08/27/aws-secrets/out.json b/static/2019/08/27/aws-secrets/out.json new file mode 100644 index 00000000..2e6ee3b3 --- /dev/null +++ b/static/2019/08/27/aws-secrets/out.json @@ -0,0 +1,20 @@ +{"version": 2, "width": 169, "height": 25, "timestamp": 1566594346, "env": {"SHELL": "/bin/zsh", "TERM": "xterm-256color"}} +[0.700126, "o", "/Users/niek/.zshrc:export:121: not valid in this context: PATH+\r\n"] +[0.701733, "o", "\u001b[1m\u001b[7m%\u001b[27m\u001b[1m\u001b[0m \r \r"] +[0.701869, "o", "\u001b]2;niek@Nieks-MacBook-Pro: ~/bin/aws-auth\u0007\u001b]1;~/bin/aws-auth\u0007"] +[0.726699, "o", "\r\u001b[0m\u001b[27m\u001b[24m\u001b[J\u001b[01;31m➜ \u001b[36maws-auth\u001b[00m \u001b[01;34mgit:(\u001b[31mmaster\u001b[34m)\u001b[00m \u001b[K"] +[0.726846, "o", "\u001b[?1h\u001b=\u001b[?2004h"] +[3.366686, "o", "h"] +[3.481043, "o", "\bhe"] +[3.646914, "o", "l"] +[3.853101, "o", "l"] +[4.007436, "o", "o"] +[4.337552, "o", "\u001b[?1l\u001b>\u001b[?2004l\r\r\n"] +[4.338454, "o", "\u001b]2;hello\u0007\u001b]1;hello\u0007"] +[4.340306, "o", "zsh: command not found: hello\r\n"] +[4.340674, "o", "\u001b[1m\u001b[7m%\u001b[27m\u001b[1m\u001b[0m \r \r"] +[4.340839, "o", "\u001b]2;niek@Nieks-MacBook-Pro: ~/bin/aws-auth\u0007"] +[4.341012, "o", "\u001b]1;~/bin/aws-auth\u0007"] +[4.371274, "o", "\r\u001b[0m\u001b[27m\u001b[24m\u001b[J\u001b[01;31m➜ \u001b[36maws-auth\u001b[00m \u001b[01;34mgit:(\u001b[31mmaster\u001b[34m)\u001b[00m \u001b[K"] +[4.371465, "o", "\u001b[?1h\u001b=\u001b[?2004h"] +[7.102205, "o", "\u001b[?2004l\r\r\n"]
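Review bot: in the sign-commits post, the `gpg --armor --export`, `git config --global user.signingkey` and `gpg --edit-key` commands are shown without a key id, so copied as-is they export every public key, read the setting instead of writing it, or need an argument; add an explicit placeholder such as `git config --global user.signingkey KEY_ID` (the `~/.gitconfig` example later in the same file already uses `KEY_ID`; if angle-bracket placeholders were intended they need escaping for the Markdown renderer). The front matter also looks copied from the other post: the slug `2019/08/15/please-a-bit-more-secure-shell` matches neither the title nor the 2019-08-25 date and differs from the second post's slug only by the day, and the `aws` tag does not fit a Git signing post. The sample `gpg --list-secret-keys` output shows a key expiring in 2035; for a signing key a shorter expiry that is extended when needed is the safer default, and one sentence on generating a revocation certificate belongs in the setup section. A proofreading pass is needed as well (`I tasks my self`, `Most of you configuration`, `a few challenged`, `as follow`, `If you key not marked`).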
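Review bot: in the secrets post, the first `pass insert` stores the key under `blog/ws-access-key-id`, while the `pass ls` output and the later `export AWS_ACCESS_KEY_ID=$(pass blog/aws-access-key-id)` use `blog/aws-access-key-id`, so a reader following the steps ends up with an empty access key id; fix the typo in the insert command. `pass init` is shown without the GPG id it requires, and `[pass]` is a reference-style link with no definition in the file, so it renders as literal brackets. In the MFA section, `echo $session` prints the temporary access key, secret and session token to the terminal (and to scrollback or any recording), which undercuts the point of the post; drop the echo or print only `.Credentials.Expiration`, and quote the variable in the `jq` lines (`echo "$session" | jq -r ...`). The closing example calls `aws-mfa-login accountX 123456`, but the bundled recording `awsmfa.json` shows the function as `aws-auth-mfa-login`; align the names. Also `MFA>` should end the sentence with a period, `store your AWS secrets secure in a password store and use them easy` needs rewording, and the directory name `securint-aws-secrets` looks like a typo for `securing`.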
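Review bot: the redaction of `awsmfa.json` is incomplete: the event at 15.69128 shows the highlighted placeholder `123456` for the token code, but the next event (16.3137) erases those six characters and retypes `200325`, while the recorded title at 16.314552 still reads `aws-auth-mfa-login me 123456`, so the edited cast replays a different code than the one shown on the prompt line; edit both events consistently or re-record. The `get-caller-identity` output is also internally inconsistent: `"Account": "123456789"` has nine digits while the Arn uses `1234567890` (AWS account ids are twelve digits), and the command uses `--profile beerfest` although the post configures credentials through environment variables, not profiles; pick one placeholder account id and either explain the profile or drop the flag.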
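Review bot: `static/2019/08/27/aws-secrets/awsmfa.json~` is an editor backup of the recording and should not be committed: it is the pre-redaction version of `awsmfa.json` (the typed user name is `niek` instead of `me`, and the code typed at 15.69128 is `200325` rather than the `123456` placeholder), so shipping it next to the redacted file defeats the redaction, and anything under `static/` is published verbatim. Remove it from the commit and add `*~` to `.gitignore` so backup files cannot slip in again.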
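Review bot: `static/2019/08/27/aws-secrets/out.json` looks like a test recording rather than content: it records a mistyped `hello` (`zsh: command not found: hello`), nothing in the post references it, and it would still be published from `static/`. Unlike the other cast, it also keeps the real prompt `niek@Nieks-MacBook-Pro` and a `.zshrc` error with a local path (`/Users/niek/.zshrc:export:121: not valid in this context: PATH+`). Drop the file; the `.zshrc` line 121 error is worth fixing separately.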