Your extraordinary one time secret

kyosifov

Kaloyan Yosifov

Posted on January 27, 2023

Your extraordinary one time secret

Your extraordinary one time secret

In this post we will go through our new project we created and open sourced at Tapro Labs. Let this post be a brief introduction of our project and elaboration on our agenda.

What is it about? (Brief introduction)

In our company we used a really interesting way of sharing secret. For starters when we wanted to share usernames or passwords, we would upload them in k8s secrets resource, then the other party would just fetch the secret through the Command Line.

For a small company of engineers that is fine, but when we have to send passwords or files to non engineers it gets tricky.

So instead, we decided to create our own custom solution for sharing secrets in our company.

Why not use an already built in open source solution?

We looked at other solutions at the time like Luzifer’s OTS and Sniptt’s OTS.
Which fit nicely into our use case, but since we considered adding more unique features and wanted to wet our feet with Rust, we decided to start from scratch.

What is OTS

Let’s start by first explaining what is one time secret sharing:

  • Ideally a one time secret app allows people to share private info without the server ever having knowledge of what that info is.

  • Encrypted secret is stored for a short period of time on the server

  • Server cannot know about the encryption key

Basic implementation:

  1. User sends an encrypted secret to the server

  2. Server returns a unique id to reference that secret

  3. User then sends the id along with the decryption key to the recipient

  4. Recipient queries the server with the secretId

  5. Server responds with the encrypted secret and removes it from it’s storage system.

  6. Recipient decrypts the secret with the decryption key

The secret is stored by default for **24 hours **or until someone views the secret.

Why are we doing it (Agenda)

  • To make password, confidential documents and secrets easy to share for both developers and non developers alike

  • To improve our skills

  • To open source our first project and help people who would need the additional custom solutions we built.

What makes it so special?

Let’s check the features of both mentioned packages above and compare them to our OTS.

Luzifer’s OTS:

  • Secrets are encrypted by the client

  • Server has no knowledge of the encryption/decryption key

  • Secret is destroyed after being viewed or after a period of time.

  • Multilingual

Sniptt’s OTS:

  • Secrets are encrypted by the client

  • Server has no knowledge of the encryption/decryption key

  • Secret is destroyed after being viewed or after a period of time.

  • Documentation for self hosting

  • Sharing secrets through the CLI

  • Specify time to live period

And here is what our OTS support:

  • Secrets are encrypted by the client

  • Server has no knowledge of the encryption/decryption key

  • Secret is destroyed after being viewed or after a period of time.

  • Slack app integration

  • File uploads (up to 40MB)

With more features on the way:

  • Command line integration

  • Specify time to live period

  • Self-hosting helm chart

  • Chrome extension

Use Cases

Most of the time we are sharing passwords or environment variables, but it didn’t took long enough for us to want to send files as well.

Usually when we interview people we get their CV. After the interview, this file must not be located anywhere in our company systems or personal computers. Most of the time we would send these files through slack, but we had to remember to delete them afterwards along with us trusting that Slack is not breaching their policy or no hacker is in their servers.
This is where the file integration comes into place. It still has the same security features as sending plain text, but it allows us to not forget to delete the file from the messaging system (Slack).

Short Demo

Here is a short demo displaying how it works in the browser:

Conclusion

We host our application at https://ots.techatom.de . While it is secure enough to use, we would recommend that you go with self-host approach. At the moment it is not documented, but we will create a helm chart ready for use in the future. You can watch for update in the repository here

Remember to keep secrets a secret 😉 and thanks for reading! 🙌

💖 💪 🙅 🚩
kyosifov
Kaloyan Yosifov

Posted on January 27, 2023

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related