Context

In the context of 12 Factor Apps, it is recommended to store configurations in the environment. However, storing plain credentials directly in the environment is not secure. To overcome this, we need a workaround.

Currently, we are using Secrets Manager to store credentials separately from other configurations. This means that configuring credentials requires extra steps.

What is shush?

shush is a small tool that can be used to encrypt and decrypt secrets, using the AWS Key Management Service(KMS).

Why shush?

One of the advantages of shush is that it supports decrypting environments with the prefix KMS_ENCRYPTED_ and puts the plain credentials in the environment variables. This allows us to store the credentials together with other configurations, making it easier to maintain.

And using shush can eliminates the need to manually manage Secrets Manager.

How to use shush?

CLI

Installation

go get github.com/realestate-com-au/shush

sudo curl -fsSL -o /usr/local/bin/shush \
    "https://github.com/realestate-com-au/shush/releases/download/v1.5.4/shush_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_/amd/' | sed 's/aarch/arm/')" \
 && sudo chmod +x /usr/local/bin/shush

Usage

Encrypt

shush --region ap-southeast-2 encrypt KEY_ID 'this is a plain secret'

Decrypt

shush --region ap-southeast-2 decrypt 'this is a encrypted secret'

Command shim in Docker

Installation

# Include "shush" to decode KMS_ENCRYPTED_STUFF
ARG TARGETARCH
RUN curl -fsSL -o /usr/local/bin/shush \
    https://github.com/realestate-com-au/shush/releases/download/v1.5.4/shush_linux_${TARGETARCH} \
 && chmod +x /usr/local/bin/shush
ENTRYPOINT ["/usr/local/bin/shush", "exec", "--"]

Usage Example

Configuration

add the KMS_ENCRYPTED_DB_PASSWORD environment variable
```
KMS_ENCRYPTED_DB_PASSWORD="encrypted password"
```

Runtime

shush will find KMS_ENCRYPTED_DB_PASSWORD in the environment
shush will decrypt the content.
shush will put the result in a new environment variable DB_PASSWORD. The environment will now be:
```
 KMS_ENCRYPTED_DB_PASSWORD="encrypted password"
 DB_PASSWORD="plain password"
```
start the application

Summary

Compared to using Secrets Manager, shush allows us to centralize the application’s configuration and minimize manual work.

Twitter Facebook LinkedIn

shush: an alternative for Secrets Manager

Context

What is shush?

Why shush?

How to use shush?

CLI

Installation

Usage

Encrypt

Decrypt

Command shim in Docker

Installation

Usage Example

Configuration

Runtime

Summary

Comments

You May Also Enjoy

How to use GPT-4 to do UI automation testing?

How to make a competent technical analysis?

How to make a team adopt Continuous Deployment?

How to perform a root cause analysis using ChatGPT?