Posted August 30, 2021 by Sam ‐ 4 min read
Keystone is built around three principles:
- complete transparency: the whole codebase has to be public and auditable;
- zero-knowledge: Keystone doesn’t need to know anything about the data shared by its users;
- ephemeral: user data should be erased as soon as possible.
Keystone achieves complete transparency by making its codebase open-source under the MIT license. Every components is listed on Github.com.
- Keystone main repository (API + CLI)
- Keystone documentation (this website)
- Keystone Auth Proxy
- Keystone Homebrew formula
- Keystone Github Action
We think an open codebase allows third parties to monitor code changes, audit and discover vulnerabilities.
Keystone has been designed like an end-to-end encrypted messaging app, think Signal but instead of sending messages, you send secrets — with a whole development workflow integration on top of it!
The cryptography part is taken in charge by Themis, a fantastic library made by a team of security and cryptography experts from Cossack Labs.
It’s used client-side only by our command line interface. In other words, you could fork our CLI and use another cryptography library or roll your own… which is highly not recommended!
The cryptosystem in place is the Secure Message in Encryption mode. It provides integrity, authenticity and confidentiality of the messages exchanged between users belonging to a Keystone project.
Extract from Themis documentation:
Encryption mode not only certifies the integrity and authenticity of the message, it also guarantees its confidentialty. That is, only the intended recipient is able to read the encrypted message, as well as to verify that it has been signed by the expected sender and arrived intact.
Keystone keeps messages for the least amount of time.
While it brings some constraints, it makes things harder for attackers to put their hands on your secrets as it becomes a moving target.
How to hack what’s not there?
Every messages exchanged on Keystone have a default time-to-live to 7 days. It means that recipients have 7 days to retrieve a message send for them.
Once it expires the message is removed from the database. The message is also removed when it’s successfully fetched by the recipient.
Messages are stored in Redis apart from the rest of the application (Postgres). It avoids the tedious task to cleanout messages from database backups in a cloud environment — looking at you Google Cloud!
Scope of Keystone
Keystone is focused on the developer experience around sharing and using secrets safely.
Our scope is to mitigate your risks of leaking sensitive data and avoid buggy behaviors due to missing environment variables in your environment, being local or remote.
That said, there’s a lot more to cover regarding security which are not part of our goals:
securing your devices
what happens if someone steals your laptop?
In this regard, you can quickly revoke a device and/or account from accessing your Keystone projects and environments.
ks device revoke
securing your servers
what happens if someone get access to your server?
If your secrets have been compromised, change their values with
ks secret setand
ks file setand resync your environments before your next deployment.
ks ci send
securing your providers
what happens if someone steals your account?
Keystone uses Github and Gitlab as identities provider at the moment. Follow each platforms recommendations to make your account more secure.
In case of an account loss, ask the administrators to remove you from the projects you have access to.
ks member rm
To make the experience seamless, Keystone is available as a service. A free plan is available and will be there forever.
You can upgrade to a paid plan if you need more powerful features like access control and alerts.
This will help the project to be maintained on the long run.
It’s also a good way to try before self-hosting the solution yourself.
Third party services
Mandrill is a Mailchimp company providing an API for transactional emails.
Keystone uses the service to send invites and notifications regarding a Keystone project.
- sender and recipient emails
- project name
- environments name
- devices name
- invitation: invite a user to signup on Keystone
- notification: new device for a project member
- notification: new user has been added to a project
- notification: a message is about to expire
Keystone is hosted on Google Cloud and uses the following services:
- Cloud SQL: Database hosting, Postgres 13 with backups, point-time-recovery and high availability
- Cloud Run: API hosting with autoscaling
- Cloud Storage: Documentation and website hosting
- Cloud Functions: Auth proxy hosting for identities providers
- MemoryStore: Highly available Redis instance for storing messages
- Cloud Scheduler: Jobs like removing expired encrypted messages
- DNS, DDoS protection
To be defined.