Security

Posted August 30, 2021 by Sam ‐ 4 min read

Keystone is built around three principles:

  • complete transparency: the whole codebase has to be public and auditable;
  • zero-knowledge: Keystone doesn’t need to know anything about the data shared by its users;
  • ephemeral: user data should be erased as soon as possible.

Transparency

Keystone achieves complete transparency by making its codebase open-source under the MIT license. Every component is listed on GitHub.

We think an open codebase allows third parties to monitor code changes, audit the code and discover vulnerabilities.

Zero knowledge

Keystone has been designed like an end-to-end encrypted messaging app, think Signal but instead of sending messages, you send secrets — with a whole development workflow integration on top of it!

The cryptography part is handled by Themis, a fantastic library made by a team of security and cryptography experts from Cossack Labs.

It’s used client-side only, by our command line interface. In other words, you could fork our CLI and use another cryptography library or roll your own… which is strongly not recommended!

The cryptosystem in place is the Secure Message in Encryption mode. It provides integrity, authenticity and confidentiality of the messages exchanged between users belonging to a Keystone project.

Extract from Themis documentation:

Encryption mode not only certifies the integrity and authenticity of the message, it also guarantees its confidentiality. That is, only the intended recipient is able to read the encrypted message, as well as to verify that it has been signed by the expected sender and arrived intact.

Ephemeral

Keystone keeps messages for as short a time as possible.

While it brings some constraints, it makes it harder for attackers to get their hands on your secrets, since they become a moving target.

How to hack what’s not there?

Every message exchanged on Keystone has a default time-to-live of 7 days. This means that recipients have 7 days to retrieve a message sent to them.

Once it expires, the message is removed from the database. The message is also removed as soon as it has been successfully fetched by the recipient.

Messages are stored in Redis, apart from the rest of the application (Postgres). This avoids the tedious task of cleaning out messages from database backups in a cloud environment — looking at you Google Cloud!
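To make the lifecycle concrete, here is an added example (not Keystone's own code) modelling the ephemeral message store described above: an in-memory dictionary stands in for Redis so it runs offline, the store only ever holds opaque ciphertext produced client-side, every message gets the 7-day default TTL, an expired message is unretrievable, and a successful fetch deletes the message. The class and method names (`EphemeralMessageStore`, `put`, `fetch`, `expiring_within`) are assumptions for illustration.

```python
import time
from dataclasses import dataclass

DEFAULT_TTL_SECONDS = 7 * 24 * 3600  # the 7-day default stated in the post

@dataclass
class _Entry:
    recipient: str
    ciphertext: bytes   # opaque to the server: produced client-side by the CLI
    expires_at: float

class EphemeralMessageStore:
    """Stand-in for the Redis-backed message queue (constructed, not Keystone's)."""

    def __init__(self, clock=time.time, ttl=DEFAULT_TTL_SECONDS):
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._ttl = ttl
        self._entries = {}
        self._next_id = 0

    def put(self, recipient: str, ciphertext: bytes) -> str:
        """Queue a ciphertext for `recipient` with the default TTL; returns its id."""
        if not isinstance(ciphertext, (bytes, bytearray)):
            raise TypeError("the store only accepts opaque ciphertext bytes")
        self._next_id += 1
        msg_id = f"msg-{self._next_id}"
        self._entries[msg_id] = _Entry(recipient, bytes(ciphertext),
                                       self._clock() + self._ttl)
        return msg_id

    def _purge_expired(self) -> None:
        """Drop entries past their expiry (what a Redis key TTL does for you)."""
        now = self._clock()
        for msg_id in [k for k, e in self._entries.items() if e.expires_at <= now]:
            del self._entries[msg_id]

    def fetch(self, recipient: str) -> list:
        """Return every live message for `recipient` and delete it on the way out."""
        self._purge_expired()
        mine = [k for k, e in self._entries.items() if e.recipient == recipient]
        return [self._entries.pop(k).ciphertext for k in mine]

    def pending(self) -> int:
        self._purge_expired()
        return len(self._entries)

    def expiring_within(self, seconds: float) -> list:
        """Ids due to expire within `seconds`: input for the 'about to expire' alert."""
        self._purge_expired()
        limit = self._clock() + seconds
        return [k for k, e in self._entries.items() if e.expires_at <= limit]
```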


Scope of Keystone

Keystone is focused on the developer experience around sharing and using secrets safely.

Our scope is to mitigate your risk of leaking sensitive data and to avoid buggy behavior caused by missing environment variables in your environment, whether local or remote.

That said, there’s a lot more to security that is not part of our goals:

  • securing your devices
    what happens if someone steals your laptop?

    In this regard, you can quickly revoke a device and/or account from accessing your Keystone projects and environments.

    See ks device revoke

  • securing your servers
    what happens if someone gets access to your server?

    If your secrets have been compromised, change their values with ks secret set and ks file set and resync your environments before your next deployment.

    See ks ci send

  • securing your providers
    what happens if someone steals your account?

    Keystone uses GitHub and GitLab as identity providers at the moment. Follow each platform’s recommendations to make your account more secure.

    In case of an account loss, ask the administrators to remove you from the projects you have access to.

    See ks member rm


Hosted solution

To make the experience seamless, Keystone is available as a service. A free plan is available and will be there forever.

You can upgrade to a paid plan if you need more powerful features like access control and alerts.

This will help the project to be maintained in the long run.

It’s also a good way to try before self-hosting the solution yourself.


Third party services

Mandrill

Mandrill is a Mailchimp company providing an API for transactional emails.

Keystone uses the service to send invites and notifications regarding a Keystone project.

Information disclosed

  • sender and recipient emails
  • project name
  • environment names
  • device names
  • username
  • IP

Email types

  • invitation: invite a user to signup on Keystone
  • notification: new device for a project member
  • notification: new user has been added to a project
  • notification: a message is about to expire

Google Cloud

Keystone is hosted on Google Cloud and uses the following services:

  • Cloud SQL: Database hosting, Postgres 13 with backups, point-in-time recovery and high availability
  • Cloud Run: API hosting with autoscaling
  • Cloud Storage: Documentation and website hosting
  • Cloud Functions: Auth proxy hosting for identity providers
  • MemoryStore: Highly available Redis instance for storing messages
  • Cloud Scheduler: Jobs like sending email alerts on soon-to-expire encrypted messages

Cloudflare

  • DNS, DDoS protection

Stripe

To be defined.
