Context

In the context of 12 Factor Apps, it is recommended to store configurations in the environment. However, storing plain credentials directly in the environment is not secure. To overcome this, we need a workaround.

Currently, we are using Secrets Manager to store credentials separately from other configurations. This means that configuring credentials requires extra steps.

What is shush?

shush is a small tool that can be used to encrypt and decrypt secrets, using the AWS Key Management Service(KMS).

Why shush?

One of the advantages of shush is that it supports decrypting environments with the prefix KMS_ENCRYPTED_ and puts the plain credentials in the environment variables. This allows us to store the credentials together with other configurations, making it easier to maintain.

And using shush can eliminates the need to manually manage Secrets Manager.

How to use shush?

CLI

Installation

go get github.com/realestate-com-au/shush

Or

sudo curl -fsSL -o /usr/local/bin/shush \
    "https://github.com/realestate-com-au/shush/releases/download/v1.5.4/shush_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_/amd/' | sed 's/aarch/arm/')" \
 && sudo chmod +x /usr/local/bin/shush

Usage

Encrypt

shush --region ap-southeast-2 encrypt KEY_ID 'this is a plain secret'

Decrypt

shush --region ap-southeast-2 decrypt 'this is a encrypted secret'

Command shim in Docker

Installation

# Include "shush" to decode KMS_ENCRYPTED_STUFF
ARG TARGETARCH
RUN curl -fsSL -o /usr/local/bin/shush \
    https://github.com/realestate-com-au/shush/releases/download/v1.5.4/shush_linux_${TARGETARCH} \
 && chmod +x /usr/local/bin/shush
ENTRYPOINT ["/usr/local/bin/shush", "exec", "--"]

Usage Example

Configuration

  • add the KMS_ENCRYPTED_DB_PASSWORD environment variable

    KMS_ENCRYPTED_DB_PASSWORD="encrypted password"

Runtime

  1. shush will find KMS_ENCRYPTED_DB_PASSWORD in the environment
  2. shush will decrypt the content.
  3. shush will put the result in a new environment variable DB_PASSWORD. The environment will now be: 
     KMS_ENCRYPTED_DB_PASSWORD="encrypted password"
 DB_PASSWORD="plain password"
  4. start the application

Summary

Compared to using Secrets Manager, shush allows us to centralize the application’s configuration and minimize manual work.

Tags:

Updated:

Comments

You May Also Enjoy

Let’s try having ChatGPT ask us questions

2 minute read

Recently I listened to a lecture by Xu Hao(徐昊) about how to train ChatGPT to become a domain expert so we can use it to solve various problems in that domain...