Skip to content

Latest commit

 

History

History
54 lines (31 loc) · 2.47 KB

adr-006-secret-store-replacement.md

File metadata and controls

54 lines (31 loc) · 2.47 KB

ADR 006: Secret Store Replacement

Changelog

  • July 29th, 2019: Initial draft
  • September 11th, 2019: Work has started
  • November 4th: Cosmos SDK changes merged in
  • November 18th: Gaia changes merged in

Context

Currently, a Cosmos SDK application's CLI directory stores key material and metadata in a plain text database in the user’s home directory. Key material is encrypted by a passphrase, protected by bcrypt hashing algorithm. Metadata (e.g. addresses, public keys, key storage details) is available in plain text.

This is not desirable for a number of reasons. Perhaps the biggest reason is insufficient security protection of key material and metadata. Leaking the plain text allows an attacker to surveil what keys a given computer controls via a number of techniques, like compromised dependencies without any privilege execution. This could be followed by a more targeted attack on a particular user/computer.

All modern desktop computers OS (Ubuntu, Debian, MacOS, Windows) provide a built-in secret store that is designed to allow applications to store information that is isolated from all other applications and requires passphrase entry to access the data.

We are seeking solution that provides a common abstraction layer to the many different backends and reasonable fallback for minimal platforms that don’t provide a native secret store.

Decision

We recommend replacing the current Keybase backend based on LevelDB with Keyring by 99 designs. This application is designed to provide a common abstraction and uniform interface between many secret stores and is used by AWS Vault application by 99-designs application.

This appears to fulfill the requirement of protecting both key material and metadata from rogue software on a user’s machine.

Status

Accepted

Consequences

Positive

Increased safety for users.

Negative

Users must manually migrate.

Testing against all supported backends is difficult.

Running tests locally on a Mac require numerous repetitive password entries.

Neutral

{neutral consequences}

References

  • #4754 Switch secret store to the keyring secret store (original PR by @poldsam) [CLOSED]
  • #5029 Add support for github.com/99designs/keyring-backed keybases [MERGED]
  • #5097 Add keys migrate command [MERGED]
  • #5180 Drop on-disk keybase in favor of keyring [PENDING_REVIEW]
  • cosmos/gaia#164 Drop on-disk keybase in favor of keyring (gaia's changes) [PENDING_REVIEW]