Secrets

Secrets management in torero works by writing encrypted data into its backend store. The design uses asymmetrical encryption with zero trust of the server/torero: torero encrypts secrets with an encryption file that you must create and that is required for both encryption and decryption.

Encryption with torero

Data is encrypted using AES in GCM mode. The AES key is derived with PBKDF2 from the provided encryption file and a random salt, so each stored secret is distinct even when the same encryption file is used. The salt and the encrypted data are stored together in the store as a single base64-encoded string.

Creating A Secret

Creating a secret is simple. For a secret to be encrypted and decrypted, you need a private key that is held only by you and by the torero instances that must decrypt the secret.

Generating a private key can be done with the openssl package as follows:

>_ openssl rand -base64 256 > /somedir/my_private.key

Inspecting the key shows a base64 blob like the following:

>_ cat /somedir/my_private.key
UM/mOfv5iQqF6Cp1u8k+0MFVTq44NIPQii1wkTgacS1GnOGiI4iBMFeFJSJQT80A
Lso1VmL0wr3MqG9wgvov32y5Oddjay9j5RqMIbQpJuJDJtrodzWi+6B+yo0NBoHz
sgfLr6oL16oFrwSRq+ZSELJLr/aL9V9fdMluHYCGOHJrQtxojoQX41kF7OS6dSNk
BbCRKKJrpJtOmZY1nz7CLcGWxA80PDdjGwozdN/vwxo84Ohpl6/R7pDVZOIXfbyh
xMibYbvLM01A2/eJ72PU4zfiWRdiovnmLlsifMnDwobs0WHY5lAgGpdENs6v577e
YK2U8HlKOWczjPsXjK7RBA==

To ensure security we then restrict access to the file:

>_ chmod 400 /somedir/my_private.key

It is important to keep this key somewhere safe and secure, because if it is lost, any data encrypted with it is lost too.

Once our key is generated, there are a couple of ways to tell torero to use it for encryption and decryption. The easiest is to set it in one of the following two places:

torero Config

[secrets]
encrypt_key_file = "/somedir/my_private.key"

Environment Variable

>_ export TORERO_SECRETS_ENCRYPT_KEY_FILE="/somedir/my_private.key"

Once the key is set in torero, we can begin to create and get secrets.

There are many use cases for secrets, but here we focus on the main one: using the secret store to hold the git SSH keys needed to access git repositories.

Create A Key For A Repository


Generate SSH Key

Use ssh-keygen to generate a key specifically for use with torero.

>_ ssh-keygen
Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/jared/.ssh/id_ed25519): ./torero
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./torero
Your public key has been saved in ./torero.pub
The key fingerprint is:
SHA256:CqPZH763k3ktyGB5JcGH1j97CQzr2bg3h6I0Vm4j4+Q [email protected]
The key's randomart image is:
+--[ED25519 256]--+
|       . o       |
|        = +      |
|       . o =     |
|        . o =    |
|    o  .S+.+ + . |
|   + o+..o+ o o  |
|  o ..o+B++o o   |
|     o BB==.= .  |
|      +oE= + o   |
+----[SHA256]-----+

In the output you can see that the private and public SSH keys are generated in our folder.

>_ ls | grep tor
torero
torero.pub

The contents of torero.pub need to be added in GitLab as a new authentication key; this is the public key. The other file, torero, is our private key, which we will add to the secret store later.

If your repository is accessed with an SSH key, you can simply add the private SSH key to torero's secret store. Going into the GitLab SSH settings we can see all the keys that are listed.


Adding Private Key To Secret Store


Now that our public key is in GitLab, we need to add our private key so we can use it in torero. This is as simple as running the following command, pointing at the private key file:

>_ torero create secret git-key --value "@/path/to/new/ssh/key/for/torero"
Successfully created secret
Name:   git-key

In the command above we used the @ symbol to state that the value is a file, followed by the full path to the private key, which in our case is the torero file created by ssh-keygen.

For demonstration purposes we can view the contents of our secret now. To keep things secure, the secret is opened in your default editor when viewed on the command line; because you hold the file needed for decryption, the secret is shown in clear text. If an editor is not set you can export EDITOR as follows.

>_ export EDITOR=nano

If an editor is not set it will use vim by default.

>_ torero describe secret git-key

After running the command a new editor window opens with our secret. Once the window is closed the temporary file is deleted. This is useful for viewing the secret when troubleshooting.


The name of our secret can now be passed to any repository we create. This allows a secure clone of the repository when a service is run.

Adding Key to A repo


When creating a repository you can pass in the secret name as the private key as follows:

>_ torero create repository some-private-repo --url [email protected]:example/automations/example-automations.git --reference devel --description "For basic demo capabilities" --tag demo --tag itential --private-key-name git-key
Successfully created the repository

Name:             some-private-repo
Description:      For basic demo capabilities
Url:              [email protected]:example/automations/example-automations.git
Reference:        devel
Tags:             demo, itential
Private Key Name: git-key