Originally posted on Medium: https://medium.com/@adamhathcock/keeping-secrets-safe-with-asp-net-core-and-credstash-b6e268176791
I primarily use Amazon Web Services and .NET Core. Most .NET users tend to look to Azure by default because of Microsoft support. However, I strongly prefer AWS. All information here deals with .NET Core and AWS.
Keeping secrets secure seems to be a pretty hard problem. The best thing with the biggest mindshare behind it seems to be HashiCorp Vault, but it's an application with more infrastructure to set up just to get it working.
I really hate having to run third-party applications inside my own cloud applications. I only do it when I'm forced to: basically, only when Amazon doesn't have a matching service or the AWS service isn't fit for purpose.
In this case, however, Amazon does have one: the Key Management Service (KMS). I'm not going to get into detail about it, but on its own it's not a complete secrets store.
Fortunately, someone else already did some leg work to use KMS: enter Credstash.
You can read about Credstash on the GitHub site, but basically it's a command-line utility to add and retrieve secrets. It's Python-based and perfectly good for doing the admin of secrets. However, I want to use it from my .NET Core applications.
Credstash uses KMS to protect keys and DynamoDB to store encrypted values.
Credstash vs Hashicorp Vault
Vault is really neat and they do some cool things (dynamic secret generation, key-splitting to protect master keys, etc.), but there are still some reasons why you might pick credstash over vault:
- Nothing to run. If you want to run Vault, you need to run the secret storage backend (Consul or some other datastore), you need to run the Vault server itself, etc. With credstash, there's nothing to run. All of the data and key storage is handled by AWS services.
- Lower cost for a small number of secrets. If you just need to store a small handful of secrets, you can easily fit the credstash DDB table in the free tier, and pay ~$1 per month for KMS. So you get good secret management for about a buck a month.
- Simple operations. Similar to "nothing to run", you don't need to worry about getting a quorum of admins together to unseal your master keys, don't need to worry about monitoring, runbooks for when the secret service goes down, etc. It does expose you to risk of AWS outages, but if you're running on AWS, you have that anyway.
That said, if you want to do master key splitting, are not running on AWS, care about things like dynamic secret generation, have a trust boundary that’s smaller than an instance, or want to use something other than AWS creds for AuthN/AuthZ, then vault may be a better choice for you.
I created an ASP.NET Core configuration-compatible reader for Credstash. It's fairly simple and so far is working well.
Find it on NuGet and use it like so (inside Startup, where builder is the ConfigurationBuilder and env the IHostingEnvironment):
AWSCredentials creds = new StoredProfileAWSCredentials();   // local dev ("alpha"): credentials from my AWS profile
if (!env.IsEnvironment("alpha"))
    creds = new InstanceProfileAWSCredentials();             // on an EC2 instance: the IAM instance profile
builder.AddCredstash(new CredstashConfigurationOptions()     // the package's extension method and options type
{
    // must match the context the secrets were stored with; the environment name segments them
    EncryptionContext = new Dictionary<string, string> { { "environment", env.EnvironmentName } },
    Region = RegionEndpoint.EUWest1,
    Credentials = creds
});
There's probably more there than you need, but I need it.
For AWS credentials, I use the credentials stored in my local profile for development. I call this environment alpha, so don't sweat that name. On an instance, I want to use IAM instance-profile-based permissions. Usage of this is documented on the credstash page.
KMS has a concept of an encryption context: a set of key/value pairs that must match exactly, at decrypt time, the ones supplied at encrypt time, or the decryption fails. I use the environment name as an extra value to segment secrets by.
I can finally have something secure without having values hardcoded in a repo somewhere. KMS has an audit trail, and Credstash versions secrets immutably, so old values are still there.
It's cheap, easy to set up and works with C# now. Everything I need.
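To make the storage model concrete (KMS protecting a data key, DynamoDB holding the encrypted, versioned value, and an HMAC checked before anything is decrypted), here is an added C# example; it is not code from the credstash project or from my configuration reader. A random 64-byte key stands in for the plaintext KMS would return, and it assumes .NET 5 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Added example, not credstash project code. A random 64-byte key stands in for the plaintext
// KMS GenerateDataKey (put) and KMS Decrypt (get) return: first 32 bytes AES-CTR key, last 32 HMAC key.
public static class CredstashItemDemo
{
    // AES-CTR with a 128-bit big-endian counter starting at 1 (credstash's default); same op both ways.
    static byte[] AesCtr(byte[] key, byte[] data)
    {
        using var aes = Aes.Create();
        aes.Key = key; aes.Mode = CipherMode.ECB; aes.Padding = PaddingMode.None;
        using var ecb = aes.CreateEncryptor();
        var output = new byte[data.Length];
        var counter = new byte[16];
        var keystream = new byte[16];
        for (int offset = 0; offset < data.Length; offset += 16)
        {
            for (int i = 15; i >= 0 && ++counter[i] == 0; i--) { } // big-endian increment
            ecb.TransformBlock(counter, 0, 16, keystream, 0);
            int n = Math.Min(16, data.Length - offset);
            for (int i = 0; i < n; i++) output[offset + i] = (byte)(data[offset + i] ^ keystream[i]);
        }
        return output;
    }
    // Fields credstash writes to its DynamoDB item; "key" would hold the KMS-wrapped data key.
    public static Dictionary<string, string> Put(byte[] dataKey, string name, string secret)
    {
        var contents = AesCtr(dataKey[..32], Encoding.UTF8.GetBytes(secret));
        using var mac = new HMACSHA256(dataKey[32..]);
        return new Dictionary<string, string>
        {
            ["name"] = name,
            ["version"] = "0000000000000000001", // credstash zero-pads versions to 19 digits
            ["contents"] = Convert.ToBase64String(contents),
            ["hmac"] = Convert.ToHexString(mac.ComputeHash(contents)).ToLowerInvariant(),
        };
    }
    // Read path: verify the HMAC over the ciphertext in constant time, only then decrypt.
    public static string Get(byte[] dataKey, Dictionary<string, string> item)
    {
        var contents = Convert.FromBase64String(item["contents"]);
        using var mac = new HMACSHA256(dataKey[32..]);
        var stored = Convert.FromHexString(item["hmac"]);
        if (!CryptographicOperations.FixedTimeEquals(mac.ComputeHash(contents), stored))
            throw new CryptographicException("HMAC mismatch: wrong data key or tampered item");
        return Encoding.UTF8.GetString(AesCtr(dataKey[..32], contents));
    }
}
```

Fill a 64-byte array with RandomNumberGenerator, pass it to Put and then feed the returned item back to Get to see the round trip; flip one byte of item["contents"] first and Get refuses to decrypt. In the real flow the data key never sits beside the item: it is wrapped by KMS under the encryption context, which is why a mismatched context fails before this code ever runs.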