Commit 46114a04 authored by Drew's avatar Drew

README

parent 1d765981
Pipeline #76 skipped
FISA: a method for sharing secrets
┏━━━━━━━━━━━━━━┓ ┌──────────┐
┃ ┃ ┌─────│ developer│
┌──────────┐ ┃ FISA ┃ │ └──────────┘
│ developer│─────▶┃ secrets ┃◀─┬──┘
└──────────┘ ┃ ┃ │
┃ ┃ │ ┌─────────────┐
┗━━━━━━━━━━━━━━┛ └──│ build server│
▲ └─────────────┘
┌──────────┐ │
│ developer│───────┘
└──────────┘
A FISA file contains your secrets
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ AWS account: XXXXXXX ┃
┃ Backend token: XXXXXX ┃
┃ Apple certificate: XXXXXX ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
And is encrypted* with a one-time key
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┐ ┃ *crypto_secretbox_xsalsa20poly1305
┃ AWS account: XXXXXXX ┃
┃│ Backend token: XXXXXX │ ┃
┃ Apple certificate: XXXXXX ┃
┃│ │ ┃
┃Encrypted with OTK ─ ─ ─ ─ ─ ─ ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
The one-time key is encrypted** with everybody's public key **crypto_box_curve25519xsalsa20poly1305
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┐ ╔══════════════════════════════════╗ ┃
┃ AWS account: XXXXXXX ║ ┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ║ ┃
┃│ Backend token: XXXXXX │ ║ Alice: YYYYYYYYYYYYYYYYYY │ ║ ┃
┃ Apple certificate: XXXXXX ║ ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ║ ┃
┃│ │ ║ Bob: ZZZZZZZZZZZZZZZZZZ │ ║ ┃
┃Encrypted with OTK ─ ─ ─ ─ ─ ─ ║ └ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ║ ┃
┃ ║ ║ ┃
┃ OTK lookup table═══════════════════╝ ┃
Actual FISA format━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
So only the named users have access to the secrets ┌─────────┐
┏━━━━│ Alice │
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋┓ └─────────┘
┃┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┐ ╔══════════════════════════════════╗ ┃┃
┃ AWS account: XXXXXXX ║ ┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ║ ┃┃
┃│ Backend token: XXXXXX │ ┏╬━━━━━━━━ YYYYYYYYYYYYYYYYYY │◀━╬━┛┃
┃ Apple certificate: XXXXXX◀━━━━━━━┛║ ├ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ║ ┃
┃│ │ ║ Bob: ZZZZZZZZZZZZZZZZZZ │ ║ ┃
┃Encrypted with OTK ─ ─ ─ ─ ─ ─ ║ └ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ║ ┃
┃ ║ ║ ┃
┃ OTK lookup table═══════════════════╝ ┃
Actual FISA format━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
To remove a user, simply drop them from the file
$ FISAcli removeIdentity --identityDescription Alice
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┐ ╔══════════════════════════════════╗ ┃ ┌─────────┐
┃ AWS account: XXXXXXX ║ !!◀━━━━╬━━╋━━━━━━━━│ Alice │
┃│ Backend token: XXXXXX │ ║ ║ ┃ └─────────┘
┃ Apple certificate: XXXXXX ║ ┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ║ ┃
┃│ │ ║ Bob: ZZZZZZZZZZZZZZZZZZ │ ║ ┃
┃Encrypted with OTK ─ ─ ─ ─ ─ ─ ║ └ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ║ ┃
┃ ║ ║ ┃
┃ OTK lookup table═══════════════════╝ ┃
Actual FISA format━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
FISA is perfect for community projects, open source repositories, or any time that you
need to check secrets into source control.
One unique feature of FISA is that it can be used programmatically, via FISAKit. So
you can access your secrets inside unit tests.
┌──────────────────┐────────────I need S3 secret──────────▶┏━━━━━━━━━━━━━━━━━┓
│ S3 Upload Test │ ┃ ┃ ╔════════════════╗
│ │ ┃ ┃ ║Actual usecase! ║
│ │ ┃ FISA ┃ ╚════════════════╝▒▒
│ │◀──────────────Here you go─────────────┃ ┃ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
│ │ ┃ ┃ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
│ │ ┃ ┃
Application────────┘ ┗━━━━━━━━━━━━━━━━━┛
\ No newline at end of file