Introducing Secretshare: Ensuring Your Information is Secure
by Alex Wauck, on June 7, 2016
There's a problem that everyone from developers to accountants keeps running into. You need to send some sensitive data (passwords, financial spreadsheets, etc.) to somebody. How do you do it? Email? HipChat? Slack? A USB stick? All of these have drawbacks. With email or instant messaging, the sensitive data may be stored somewhere out on the Internet indefinitely. Are you sure Atlassian or Slack will never, ever get hacked? With a USB stick, you have to make sure to wipe the stick securely once you're done, lest you drop it somewhere and somebody with too much time on his or her hands and a penchant for mischief picks it up. Sure, you could use GPG, but try getting somebody who has never used GPG before to set it up and use it correctly, especially if their only email account is webmail.
After running into this problem over and over again, we finally got fed up enough to do something about it. What we came up with is secretshare. It's a command-line tool and server that let you upload sensitive files (protected with randomly-generated AES keys) to Amazon S3 and then download and decrypt them without leaving traces that adversaries can use to obtain the data.
Why it's secure
- Each time you upload a file, secretshare generates a new encryption/decryption key. Even if one key is compromised, an attacker cannot decrypt anything else you've sent or received.
- The file is automatically deleted from the cloud after 24-48 hours. If the key is compromised (e.g. by somebody seeing the HipChat message over your shoulder), it's only useful to the attacker during that time.
- No sensitive data is stored unencrypted anywhere outside of your computer. The server and S3 never see the AES key, so they can't decrypt the data. The only sensitive data that gets transmitted (the AES key) becomes useless after a relatively short period of time.
Why it's convenient
- You don't need to generate a keypair or keep a private key secret.
- You can hand out the client and the connection details to an external contractor, client, or customer and transmit sensitive data to them without compromising your other sensitive data.
- Installation and configuration are simple: just copy a binary and run one command.
Example
Suppose you are an IT person. Bob, the "technical enough to use a command line tool but not technical enough to use GPG correctly" CFO, needs access to a new cloud service account for billing reasons. You need to send him some login credentials. So, you put the credentials in bobs_login_credentials.txt. Now, you run
$ secretshare send bobs_login_credentials.txt
To receive this secret:
secretshare receive JOlFukTBXDlsdS8P+8ETA_z25hU5Ou4bOvXpJQFV0Wc
You open up HipChat and send the command from the output to Bob. Bob then runs
$ secretshare receive JOlFukTBXDlsdS8P+8ETA_z25hU5Ou4bOvXpJQFV0Wc
File saved as bobs_login_credentials.txt
Bob now has a file called bobs_login_credentials.txt, which contains the credentials you generated for him.
The next week, Bob happens to have his HipChat window open when he plugs his laptop into a projector, and the intern Dastardly Dave (he only got hired because HR said we shouldn't judge people by their names) sees it. He immediately types the command he saw. Since the data has already been deleted from S3, he gets nothing. Disappointed by your organization's devotion to data security, he does not seek employment with you after graduation, instead seeking a dark corner of Wall Street to inhabit. Dave soon ends up in jail for insider trading.
Your company, on the other hand, leverages the synergies of the cloud service, combined with Bob's financial core competencies, to speed your time-to-market, making millions in profits. After the company goes public, you use your modest bonus to pay off the last of your student loans. You are now debt-free, thanks to secretshare.
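The send/receive flow walked through above and the three properties listed under "Why it's secure" (a fresh key per upload, expiry-based deletion, and a server that never sees the key) can be checked against a small model. The Go code below is an added illustration, not secretshare's own source: it assumes an in-memory Store standing in for the server plus S3 bucket, AES-256-GCM as the cipher mode, and a token layout of "<id>_<key>" in unpadded base64, none of which this post documents for the real tool.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
	"time"
)

// blob is all the untrusted side (server + S3) ever holds: nonce||ciphertext and an expiry, never a key.
type blob struct{ ciphertext []byte; expires time.Time }

// Store is a hypothetical in-memory stand-in for the secretshare server and its S3 bucket.
type Store map[string]blob

func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b } // never fails as of Go 1.24

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes long
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send encrypts plaintext under a fresh random AES-256 key (GCM is this example's choice), stores only
// nonce||ciphertext with a TTL, and returns the chat token "<id>_<key>" (layout assumed, not secretshare's).
func Send(s Store, plaintext []byte, now time.Time, ttl time.Duration) string {
	key, id, enc := randBytes(32), randBytes(16), base64.RawStdEncoding
	gcm, _ := newGCM(key) // cannot fail for a freshly generated 32-byte key
	nonce := randBytes(gcm.NonceSize())
	s[enc.EncodeToString(id)] = blob{gcm.Seal(nonce, nonce, plaintext, nil), now.Add(ttl)}
	return enc.EncodeToString(id) + "_" + enc.EncodeToString(key)
}

// Receive models `secretshare receive <token>`: fetch by id, refuse and purge if expired, decrypt locally.
func Receive(s Store, token string, now time.Time) ([]byte, error) {
	id, keyB64, _ := strings.Cut(token, "_") // a malformed token simply fails the lookup below
	b, found := s[id]
	if !found || now.After(b.expires) {
		delete(s, id) // a token seen too late (next week, over a shoulder) yields nothing
		return nil, errors.New("secret expired or never existed")
	}
	key, err := base64.RawStdEncoding.DecodeString(keyB64)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key) // the key never touched the store, so only the token holder can open this
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.ciphertext[:gcm.NonceSize()], b.ciphertext[gcm.NonceSize():], nil)
}
```

A token replayed after the TTL returns an error and purges the blob, and a token carrying the key from a different upload fails the GCM tag check, which is the per-file key isolation the list above describes.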
Installing
Installation instructions are available at https://github.com/waucka/secretshare. We (Dan Slimmon in particular) have done a lot of work to make it easy to configure and deploy. We've also tried to make it easy to work on and test. Contributions are welcome.