What’s credstash?
A distributed secret management system
Built on top of AWS
Uses KMS to hold the master key(s)
Uses DynamoDB as the secret store
Uses IAM policies for access control
Uses IAM EC2 roles for EC2 instance identity
Operations are available via the CLI, a Python library, and Puppet and Ansible modules
Why was credstash chosen?
Satisfies the basic requirements for secret management
Lightweight Python tool
Very simple, easy to use
Cloud-based solution
No infrastructure to manage (zero servers)
High availability, fault tolerance
Auto scaling already implemented
Low cost
How does credstash work?
When a secret is added to credstash:
1. A new random encryption key (data key) is generated using KMS
2. The secret is encrypted with that data key
3. The data key is itself encrypted with the KMS master key, and its plaintext is discarded
4. The encrypted secret and the encrypted data key are stored together in DynamoDB
How does credstash work? (cont.)
When a secret is retrieved:
1. Fetch the item from DynamoDB
2. Decrypt the data key via the KMS API, using the KMS master key
3. Decrypt the actual secret using the decrypted data key
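The store and retrieve flows above as one runnable model, an added example that is not credstash's own code: AWS KMS and DynamoDB are replaced by a constructed in-memory FakeKMS class and a dict, and AES-CTR is replaced by an HMAC-based counter-mode stream cipher so it runs offline on the standard library. It also stores and checks an HMAC over the ciphertext, which credstash does as well although the slides do not mention it.

```python
import os
import hmac
import hashlib

# Fixed counter block for the secret itself: safe only because every data key
# encrypts exactly one secret (credstash likewise uses a fixed AES-CTR counter).
SINGLE_USE_IV = bytes(16)

def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher: block i = HMAC-SHA256(key, nonce || i).
    Stands in for AES-CTR (what credstash uses) so the example needs only the stdlib."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class FakeKMS:
    """Stand-in for AWS KMS (constructed): the master key never leaves this object,
    just as a real KMS master key never leaves the service. Only data keys come out."""
    def __init__(self):
        self._master = os.urandom(32)

    def generate_data_key(self):
        """Like KMS GenerateDataKey: returns (plaintext_key, key encrypted under master)."""
        plaintext = os.urandom(64)   # credstash requests a 64-byte data key
        nonce = os.urandom(16)       # master key is reused, so wrapping needs a fresh nonce
        return plaintext, nonce + _ctr_xor(self._master, nonce, plaintext)

    def decrypt(self, encrypted_key: bytes) -> bytes:
        """Like KMS Decrypt: unwraps a data key under the master key."""
        return _ctr_xor(self._master, encrypted_key[:16], encrypted_key[16:])

def put_secret(table: dict, kms: FakeKMS, name: str, secret: str) -> None:
    data_key, wrapped = kms.generate_data_key()      # step 1: random key from KMS
    enc_key, mac_key = data_key[:32], data_key[32:]  # credstash splits it: encrypt + HMAC
    ciphertext = _ctr_xor(enc_key, SINGLE_USE_IV, secret.encode())  # step 2
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).hexdigest()
    del data_key, enc_key, mac_key                   # step 3: plaintext key discarded
    table[name] = {"key": wrapped, "contents": ciphertext, "hmac": tag}  # step 4

def get_secret(table: dict, kms: FakeKMS, name: str) -> str:
    item = table[name]                               # step 1: read the DynamoDB item
    data_key = kms.decrypt(item["key"])              # step 2: KMS unwraps the data key
    enc_key, mac_key = data_key[:32], data_key[32:]
    expected = hmac.new(mac_key, item["contents"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, item["hmac"]):   # verify before decrypting
        raise ValueError("HMAC mismatch: stored item or wrapped key was altered")
    return _ctr_xor(enc_key, SINGLE_USE_IV, item["contents"]).decode()  # step 3
```

A put_secret followed by get_secret with the same FakeKMS round-trips the value; altering any stored field, or retrieving with a different master key, fails the HMAC check before anything is decrypted.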