Secrets Groups can be backed up to encrypted files.

The default store is AWS DynamoDB, but files can also be used.

In most cases you can use your existing config with Strongbox.

Strongbox supports the normal ways of specifying credentials and configuration, including ~/.aws/credentials, ~/.aws/config, environment variables, and MFA support.

Secrets and most of their metadata are encrypted using the AWS Encryption SDK and AWS KMS.

Grant read-only or admin access to a group of secrets for individual roles, users, or groups.

Strongbox will allocate and configure the required AWS resources for you: a DynamoDB table, a KMS key and IAM policies. Strongbox itself is a client side library, so there are no services to maintain.

Strongbox is a secret manager for AWS. Manage and access secrets via the GUI, CLI or Java SDK.

1: Assuming Key/Value or Cubbyhole Secret Backends.

2: TTL is about telling the client how often they should refresh, not when the secret value itself expires.

3: Only the metadata that is needed for fast filtering is exposed, e.g. name, version, notBefore, notAfter, and state (enabled, disabled, compromised). All other data is padded and encrypted, including: comment, created/modified timestamps, and up to 50kB of user data. The integrity of the data that is not encrypted is protected against tampering via the encryption context of the data that is encrypted.
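Footnote 3 describes a design worth seeing in code: the cleartext metadata is bound to the ciphertext through the encryption context, and the protected part is padded so its length leaks nothing. The Go program below is an added illustration of that design and is not Strongbox's own code (which uses the AWS Encryption SDK and KMS): AES-GCM stands in for the SDK, a local master key stands in for the group's KMS key, the JSON-encoded metadata is the encryption context, and editing a cleartext field such as State afterwards makes decryption fail.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// Metadata stays in cleartext so DynamoDB can filter on it (the fields footnote 3 lists).
type Metadata struct{ Name, State string; Version int }

// Record is one stored item: cleartext metadata, the data key wrapped under the master
// key (a stand-in for the group's KMS key), and the padded, sealed payload.
type Record struct{ Meta Metadata; WrappedKey, Nonce, Ciphertext []byte }

const padTo = 256 // payload is padded to a multiple of this to hide its true length

func aead(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func nonce() []byte             { n := make([]byte, 12); rand.Read(n); return n }

// Seal generates a data key, wraps it under the master key (envelope encryption) and
// encrypts the padded payload; the cleartext metadata is the AAD ("encryption context")
// for both operations, so it cannot be changed without breaking decryption.
func Seal(master []byte, meta Metadata, payload []byte) Record {
	ctx, _ := json.Marshal(meta)
	dataKey := make([]byte, 32)
	rand.Read(dataKey)
	padded := make([]byte, 4, 4+len(payload)+padTo) // 4-byte length prefix, then zeros
	binary.BigEndian.PutUint32(padded, uint32(len(payload)))
	padded = append(padded, payload...)
	padded = append(padded, make([]byte, (padTo-len(padded)%padTo)%padTo)...)
	kn, pn := nonce(), nonce()
	wrapped := append(kn, aead(master).Seal(nil, kn, dataKey, ctx)...)
	return Record{meta, wrapped, pn, aead(dataKey).Seal(nil, pn, padded, ctx)}
}

// Open rejects the record if any cleartext field (e.g. State) was altered after
// sealing, because the AAD no longer matches; it then strips the padding.
func Open(master []byte, r Record) ([]byte, error) {
	ctx, _ := json.Marshal(r.Meta)
	dataKey, err := aead(master).Open(nil, r.WrappedKey[:12], r.WrappedKey[12:], ctx)
	if err != nil { return nil, err }
	padded, err := aead(dataKey).Open(nil, r.Nonce, r.Ciphertext, ctx)
	if err != nil { return nil, err }
	n := int(binary.BigEndian.Uint32(padded))
	if n > len(padded)-4 { return nil, errors.New("corrupt length prefix") }
	return padded[4 : 4+n], nil
}
```

Every sealed payload here comes out as 256 bytes plus the 16-byte GCM tag regardless of the secret's length, and flipping State from enabled to disabled in the stored item is detected on the next read.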

Usage

Install

Please note that Strongbox requires Java/JavaFX 8 (we have some issues with Java 9).

Prerequisite: ~/.aws/credentials needs to be configured, e.g. by installing the AWS CLI and running aws configure. For details and troubleshooting please refer to the Wiki.

macOS (Homebrew)

Prerequisite: Java/JavaFX

Add the Strongbox tap:

    brew tap schibsted/homebrew-strongbox https://github.com/schibsted/homebrew-strongbox.git

Install strongbox:

    brew install strongbox

RPM-based Linux (yum)

Install the strongbox-release package, which will add Strongbox repository configuration files and GPG keys:

    yum install https://github.com/schibsted/strongbox/raw/repos/strongbox-release-1-1.noarch.rpm

Install strongbox-cli:

    yum install strongbox-cli

Debian-based Linux (apt)

Download and install the strongbox-release package, which ships Strongbox repository configuration files and GPG keys:

    wget -O /tmp/strongbox-release_1-1_all.deb https://github.com/schibsted/strongbox/raw/repos/strongbox-release_1-1_all.deb && dpkg -i /tmp/strongbox-release_1-1_all.deb

Install strongbox-cli:

    apt-get update && apt-get install strongbox-cli

Java SDK (Gradle)

Add jcenter to your repositories:

    repositories { jcenter() }

Add strongbox-sdk to your dependencies:

    compile 'com.schibsted.security:strongbox-sdk:0.2.21'

Create a Secrets Group

A Secrets Group is a collection of secrets that are managed together. When you create a Secrets Group, Strongbox will allocate a DynamoDB table, a KMS Encryption Key, and two IAM Policies: one for read-only access to the Secrets Group, and one for admin access.

The KMS key will be used for envelope encryption using the AWS Encryption SDK. DynamoDB will store all the data, most of which is encrypted. The IAM policies will limit the access to the DynamoDB table and the KMS key as appropriate for the respective access level.

You can omit --region <region> if you have specified a region in ~/.aws/config. You can specify an AWS profile using --profile <profile>, otherwise the default profile will be used. Assume role and MFA config can also be specified in ~/.aws/config.

GUI (launched via the CLI):

    strongbox --region eu-west-1 gui

CLI:

    strongbox --region eu-west-1 group create team.project

Java SDK:

    SecretsGroupManager sgm = new DefaultSecretsGroupManager();
    sgm.create(new SecretsGroupIdentifier(Region.EU_WEST_1, "team.project"));

Create a Secret

You can create a secret from an existing value, from a file, or by generating one using KMS. When you create a secret it will be encrypted using the AWS Encryption SDK with the group's KMS key and stored in DynamoDB.

The following command will prompt you to enter the secret. You can also pipe or redirect into the same command.

CLI:

    strongbox --region eu-west-1 secret create --group team.project --name MySecret --value-from-stdin

Java SDK:

    SecretsGroupManager sgm = new DefaultSecretsGroupManager();
    SecretsGroup sg = sgm.get(new SecretsGroupIdentifier(Region.EU_WEST_1, "team.project"));
    sg.create(new NewSecretEntry(new SecretIdentifier("MySecret"), new SecretValue("1234", SecretType.OPAQUE), State.ENABLED));

Grant Read-only Access to a Secrets Group

Read-only access is provided on a per Secrets Group basis. To help avoid misconfiguration, Strongbox generates a suitable read-only policy for you. Access is granted by attaching this policy to the principal (a role, user or group), either using one of AWS' methods of doing so or by using Strongbox as shown below.

CLI:

    strongbox --region eu-west-1 group attach-readonly --group team.project --type role my-role

Java SDK:

    SecretsGroupManager sgm = new DefaultSecretsGroupManager();
    SecretsGroupIdentifier group = new SecretsGroupIdentifier(Region.EU_WEST_1, "team.project");
    Principal principal = new Principal(PrincipalType.ROLE, "my-role");
    sgm.attachReadOnly(group, principal);

Fetch a Secret

Secrets are read from DynamoDB and then decrypted using the AWS Encryption SDK. In addition to the examples below there are also integrations with Spring Boot and Archaius.