Storing encryption keys in AWS Secrets Manager


“The only secrets are the secrets that keep themselves”- George Bernard Shaw


Leveraging a service like AWS Secrets Manager to outsource the secure storage and life-cycle management of secrets (passwords, API keys, tokens, encryption keys, etc.) is becoming quite commonplace. Essentially, this practice keeps the application code clean and devoid of sensitive information that might otherwise get leaked. The idea is either to use the DevOps pipeline to fetch secrets and inject them at deployment time (primarily as environment variables), or to use the AWS SDK to retrieve secrets at application runtime and use them there.

Normally, creating and retrieving sensitive values in Secrets Manager is pretty straightforward. AWS has done a really good job of providing multiple ways to do so: the AWS console, the SDKs, the CLI and the REST API. However, when it comes to storing and retrieving encryption keys (symmetric or asymmetric), one has to be a tad careful.

For instance, a very common error in Node.js applications, caused by a PEM-encoded encryption key that was stored incorrectly in AWS Secrets Manager, is shown below. Any character translation corrupts the key, and the following error is thrown directly by the PEM routines when we attempt to use the corrupted key, for example in mutual TLS authentication (mTLS):

{
"library": "PEM routines",
"function": "get_name",
"reason": "no start line",
"code": "ERR_OSSL_PEM_NO_START_LINE"
}

In essence, encryption key files should be treated as sacrosanct: the bytes that come back out must be exactly the bytes that went in. Hence, as a best practice, we have to resort to other methods of creating and accessing these encryption keys.

Use base64 encoding

For encryption keys we want to avoid any character translation, such as the removal of whitespace, of a control character or of a sequence of control characters. A reliable method is to encode the key with base64. In the following example we assume that the private key file is named private.key (primarily for lack of imagination on my part 🙂) and that it is PEM encoded. We can use a couple of commands to create the base64 encoded secret.

(Note: here we assume that the AWS CLI has been installed and configured and that a base64 utility exists, which is the case on Linux distributions.)

b64key=$(base64 private.key)
aws secretsmanager create-secret --name myprivatekey --description "Private key file" --secret-string "$b64key"

The thing to watch for is that here we are storing the key as a secret-string. We could also create the secret as a JSON object with multiple members, such as a private and public key pair; however, each of these values must be base64 encoded independently.

{
"key": "<base64 encoded private key contents>",
"cert": "<base64 encoded certificate file contents>"
}

That way there is no character loss due to unwanted translations, and the values of these keys remain intact across storage and retrieval cycles.

Retrieving a base64 encoded secret


Retrieving and using a base64 encoded secret with the AWS CLI is just a matter of getting hold of the secret and then passing it through a base64 decode step.

aws secretsmanager get-secret-value --secret-id myprivatekey --query 'SecretString' --output text | base64 --decode

Storing and retrieving a SecretString using the AWS SDK has been well documented by AWS and others, so we will not cover it in this post.

Typically in Node.js, the libraries that support the use of encryption keys (say for performing mTLS authentication) accept these keys either as a string representing a path to a file or as a Buffer. In the code snippet that follows, we create a Buffer from the private key retrieved from AWS Secrets Manager, knowing that it is base64 encoded. At this point, privateKeyBuffer can be passed to any library that needs the encryption key.

var privateKeyBuffer = Buffer.from(privateKey, 'base64');


Use a binary secret

Another way to safely store keys is to create binary secrets in AWS Secrets Manager. Unlike JSON based secrets, which can easily be created from the AWS console, binary secrets do warrant some special treatment. For one, they cannot be created from the AWS console; we have to use either the AWS CLI or the AWS SDK to create a binary secret. The best part is that binary secrets are transparently base64 encoded when they are stored in AWS Secrets Manager.

Here’s how to use AWS CLI to store a binary secret:


aws secretsmanager create-secret --name "myprivatekey" \
  --description "Private key file" \
  --secret-binary fileb://./private.key

Note that here we are using the secret-binary option instead of secret-string, and we are passing a binary file (hence the fileb:// prefix) to be stored. Alternatively, we can use the AWS SDK to store binary secrets. Here is a sample Node.js snippet that creates a binary secret from a private key file.

const AWS = require('aws-sdk');
const fs = require('fs');
const REGION_CODE = process.env.REGION_CODE || 'ap-south-1';
var secretsmanager = new AWS.SecretsManager({region: REGION_CODE});
var params = {
  Name: 'myprivatekey',
  Description: 'Private key file',
  // raw file bytes; Secrets Manager base64 encodes them on storage
  SecretBinary: fs.readFileSync('./private.key')
};
secretsmanager.createSecret(params, function(err, data){
  if(err){
    console.error("Error >> ", err, err.stack);
  }
  else{
    console.log("Data >> ", data);
  }
});

Retrieving a binary secret


We will have to issue the following command to retrieve a binary secret using AWS CLI:


aws secretsmanager get-secret-value --secret-id myprivatekey --query 'SecretBinary' --output text --profile sm_user | base64 --decode

Here is a sample Node.js function that retrieves a binary secret from Secrets Manager and returns a Buffer containing the private key.

const AWS = require('aws-sdk');
const REGION_CODE = process.env.REGION_CODE || 'ap-south-1';
const fetchKey = async (secretid) => {
  const SECRET_BINARY = 'SecretBinary';
  let request = new AWS.SecretsManager({region: REGION_CODE})
    .getSecretValue({SecretId: secretid});
  let secretBinary = null;
  let t1 = new Date().getTime();
  await request.promise()
    .then(function(data){
      if(SECRET_BINARY in data){
        // the SDK has already base64 decoded the value; copy it into a Buffer
        secretBinary = Buffer.from(data.SecretBinary);
        let t2 = new Date().getTime();
        console.log("Keys fetched in " + (t2 - t1) + " msecs");
      }
      else{
        console.error("Expecting binary secret..not found");
        throw Error("Invalid secret- not binary");
      }
    })
    .catch(function(err){
      throw err;
    });
  return secretBinary;
};

Conclusion

Encryption keys are sensitive to character translation, hence it is wise to base64 encode them before storing them in AWS Secrets Manager. Either explicit base64 encoding and decoding has to be carried out, or the keys can be stored as binary secrets, which AWS Secrets Manager base64 encodes automatically.

Binary secrets lack the relative ease of storing more than one encryption key in a structured format like JSON. However, they do provide an easy way to have the secret base64 encoded automatically during storage.

On the other hand, storing secrets as a normal secret-string has to be backed by explicit base64 encoding and decoding cycles, but it offers the versatility of composing logically related sensitive values (for example a private and public key pair) into a single secret, which in turn makes handling such values easy with a minimal number of remote calls to AWS Secrets Manager.

Translated from: https://medium.com/@adrin.mukherjee/storing-encryption-keys-in-aws-secrets-manager-8b2be87a891e
