Keysync pulling secret but file contains invalid secret


Michael

Jun 11, 2020, 12:30:46 PM
to keywhiz-users
Hi,

I have DW Keywhiz up and running with my own certs.

Client is fbi_client

Secret returned from Keywhiz using an http client

{"name":"fbi.key","secret":"YmMK","secretLength":3,"checksum":"830D1B2D061D0E29BB43D820C8C58D80E24102242EFD97A7CCB5DAA8614ABAEF","creationDate":"2020-04-04T10:37:20.000Z","updateDate":"2020-04-04T10:37:20.000Z"}

When I configure Keysync it is pulling my secret into the client folder but the file called fbi.key just contains the text "bc". I was expecting YmMK.

Any ideas on what this could be?


Michael

Jun 11, 2020, 12:34:29 PM
to keywhiz-users
from my logger:

INFO[0000] GET /secrets 200 36.31245ms                   client=fbi_client logger=kwfs_client server_name=luckywolf
INFO[0000] GET /secret/fbi.key 200 12.473551ms           client=fbi_client logger=kwfs_client server_name=luckywolf
INFO[0000] Wrote file                                    client=fbi_client file=fbi.key logger=kwfs_client server_name=luckywolf
INFO[0000] Sync complete                                 Added=1 Changed=0 Deleted=0 server_name=luckywolf

Matthew McPherrin

Jun 11, 2020, 12:52:44 PM
to Michael, keywhiz-users
The API returns secrets base64-encoded, since arbitrary binary cannot be embedded in JSON

YmMK is "bc" when decoded

--
You received this message because you are subscribed to the Google Groups "keywhiz-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keywhiz-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keywhiz-users/18be94af-78ef-4fc1-9278-eeb42a8066f3o%40googlegroups.com.
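The decode step Matthew describes, written out as an added example (this is not code from Keywhiz or keysync). It takes the exact JSON response Michael pasted, base64-decodes the "secret" field, cross-checks the result against "secretLength", and writes the raw bytes to a file the way keysync's "Wrote file" step does, so you can see why the file holds "bc" (plus a trailing newline) rather than "YmMK". The checksum field is left alone here: nothing in the thread says how it is computed, so the example treats it as opaque. The temp-file-plus-rename write and the 0600 mode are this example's own choices, not a description of keysync's implementation.

```python
import base64
import binascii
import json
import os
import tempfile

# Constructed sample: the response body quoted in the thread, verbatim.
SECRET_RESPONSE = (
    '{"name":"fbi.key","secret":"YmMK","secretLength":3,'
    '"checksum":"830D1B2D061D0E29BB43D820C8C58D80E24102242EFD97A7CCB5DAA8614ABAEF",'
    '"creationDate":"2020-04-04T10:37:20.000Z","updateDate":"2020-04-04T10:37:20.000Z"}'
)


def decode_secret(response_json: str) -> bytes:
    """Parse one Keywhiz secret response and return the raw secret bytes.

    "secret" is base64 text because arbitrary binary cannot be embedded in
    JSON; "secretLength" is the length of the *decoded* content, so it doubles
    as a sanity check that the decode produced what the server stored.
    """
    doc = json.loads(response_json)
    try:
        raw = base64.b64decode(doc["secret"], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"secret {doc.get('name')!r} is not valid base64") from exc
    expected = doc.get("secretLength")
    if expected is not None and expected != len(raw):
        raise ValueError(
            f"secret {doc.get('name')!r}: decoded {len(raw)} bytes, server says {expected}"
        )
    return raw


def encode_for_api(raw: bytes) -> str:
    """The reverse direction: what a client sends when creating a secret."""
    return base64.b64encode(raw).decode("ascii")


def write_secret_file(directory: str, name: str, raw: bytes) -> str:
    """Write the decoded bytes to <directory>/<name>, owner-readable only.

    A temp file plus atomic rename means a reader never sees a half-written
    secret. The name check stops a malicious or mistyped secret name from
    escaping the client directory.
    """
    if os.sep in name or "/" in name or name in ("", ".", ".."):
        raise ValueError(f"refusing unsafe secret name {name!r}")
    final = os.path.join(directory, name)
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=f".{name}.")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(raw)
        os.chmod(tmp, 0o600)
        os.replace(tmp, final)
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise
    return final


def sync_to_tempdir(response_json: str) -> bytes:
    """Decode the response, write it into a fresh temp dir, read the file back."""
    raw = decode_secret(response_json)
    name = json.loads(response_json)["name"]
    directory = tempfile.mkdtemp(prefix="keysync-demo-")
    path = write_secret_file(directory, name, raw)
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    content = sync_to_tempdir(SECRET_RESPONSE)
    print(repr(content))            # b'bc\n', not b'YmMK'
    print(encode_for_api(content))  # YmMK
```

Running it shows the file body is the three bytes `b`, `c`, newline, which is exactly what "secretLength":3 promised; the newline is why the file looks like just "bc" in an editor. If the length check ever fails, treat it as a sync error rather than writing the file, since an application reading a truncated key is worse than one reading none.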

Michael

Jun 11, 2020, 1:45:10 PM
to keywhiz-users
Thanks, makes sense.

Just a question - with regards to keysync caching the keys to disk. I assume my client should first check the disk before hitting the DW server, or should that be the other way around?
If the server is down then hit the disk.

I saw some other config variables

backup_key_path: /tmp/keysync-backup.key.wrapped
backup_path: /tmp/keysync-backup.tar.enc
backup_pubkey: 'mHpEJsGAPmANxhlpFEE0DI1eQRTOsdKGvR3oVX6PKUs='

What are these used for?


Matthew McPherrin

Jun 11, 2020, 1:55:03 PM
to Michael, keywhiz-users
The intended design is that you run keysync on each application node.  Only keysync talks to the Keywhiz API

Then applications read their secrets out of where kwfs has written secrets as files.

re: backup.  This generates encrypted backups, encrypted to a public key, of your secrets.
The feature is not fully documented yet, as it's a bit experimental.
Consider the case where Keywhiz itself needs secrets to run (for example, to connect to an HSM and DB).
The encrypted backups help solve that chicken/egg problem in the event of all keywhiz servers going down.
Then a key (stored safely somewhere else, perhaps a safe, perhaps another secrets management system, or another keywhiz instance) can be used to restore the backup:  It writes out files the same as keysync would, but from the encrypted bundle instead.
