#encryption
3 posts

Production secret management at Airbnb

  • Airbnb built an internal tool, Bagpiper, a collection of tools and framework components that it uses to manage production secret assets.
  • They designed it to decouple secret management from other app configurations as Airbnb scaled, and to ensure a least-privileged access pattern, encryption of secrets at rest, support for applications across several languages and environments, and management of secrets for periodic rotation.
  • Bagpiper creates segmented access by asymmetrically encrypting secrets with service-specific keys: a secret is encrypted with each of the public keys on a per-secret keychain, and only services with the corresponding private keys can decrypt the secret. It encrypts information at rest and decrypts it during use.
  • Engineers can add, remove and rotate secrets, and make them available to select production systems. Secrets and changes to code are typically deployed together.
  • Secrets are rotated continuously, using secret annotations that specify when a secret was created/last rotated and when to rotate it again.

Full post here, 6 mins read

How not to store passwords

  • It can’t be said enough - do not save passwords in plain text.
  • Encryption is only slightly better than plain text. It is not THE answer for sure.
  • Plain hashes are pretty weak too. They are vulnerable because users tend to reuse the same passwords across different websites and also choose very simple passwords, which makes the hashes easy to crack.
  • Salted hashes are much better at protecting passwords. But the speed at which hashes can be calculated by attackers makes brute-force attacks reasonably possible.
  • One of the good options for storing passwords is key derivation functions. They take more compute time to crack, which means an attacker needs to spend more money to crack them.

Full post here, 7 mins read
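
The progression in this summary (plain hash, salted hash, key derivation function), as an added example that is not code from the linked post. scrypt from Python's standard library stands in for "a key derivation function"; the cost parameters, the record format and all function names are assumptions of this sketch.

```python
import hashlib
import hmac
import os

# Assumed cost parameters for this example; tune them to your own hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1

def plain_hash(password):
    """Unsalted SHA-256: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt):
    """Salted SHA-256: unique per user, but still very fast to brute-force."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def kdf_record(password, salt=None):
    """Store scheme, cost and salt next to the derived key so the cost can be raised later."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"

def kdf_verify(password, record):
    """Re-derive with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, dk_hex = record.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:  # malformed record or invalid parameters
        return False
    return hmac.compare_digest(dk, expected)

def needs_rehash(record):
    """True when a record was created with parameters other than the current ones."""
    current = ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P)]
    return record.split("$")[:4] != current

if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    print(plain_hash("hunter2") == plain_hash("hunter2"))   # same hash for both users
    alice, bob = kdf_record("hunter2"), kdf_record("hunter2")
    print(alice != bob, kdf_verify("hunter2", alice), needs_rehash(alice))
```
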

The hardest thing about data encryption

  • The biggest challenge with data encryption is key management, i.e., how to safely store secret keys for either a symmetric or an asymmetric cryptosystem.
  • Symmetric encryption uses a secret key to encrypt data and uses the same key to decrypt this data when needed. Asymmetric encryption works with a multi-key system.
  • Handle key management by sticking to best practices and outsourcing the underlying cryptography as much as possible.
  • Amazon KMS is a good option if you need to safely encrypt data symmetrically. For asymmetric encryption, consult a cryptography expert.

Full post here, 6 mins read