Quick Design Update

Here is a quick design update to my previous post.

I thought about it a lot because, obviously, the first design you come up with for any project is bad. Here is the new design:

On the storage side of the application: I will decouple the password storage and the secret storage.

How to get the password store?

The application will have to authenticate against an authentication provider, which can be basically anything. The provider returns an authentication object to be used with the file provider (which can be a local file wrapper or an API wrapper that gets/puts the file). The application then receives the file to be decrypted. No more decrypt/re-encrypt inside the storage API.

The goal here is to make the secrets used to decrypt the password file 100% decoupled from the password file.

Another valid approach from here could be to move the passwords into DynamoDB, encrypted, but I think the current design will be more secure, as I can avoid storing any metadata linking the secret to the file and have the user create the link in user space.

User space application will be able to:

  • Get Password File (if the user has read access)
  • List Password Files (lists the password files the user can read or write)
  • Put Password File (if the user has write access; creates a new file)
  • Change Owner (if the user has ownership)

How to get the secret?

The application will have to authenticate against an authentication provider, which can be the same one used by the password store or not. Alternatively, the secret can be user-provided, which will allow users to enter their password or private key.

User space application will be able to:

  • Get Secret (if the user has read access)
  • List Secrets (lists the secrets a user can read or write)
  • Put Secret (if the user has write access; creates a new secret)
  • Change Owner (if the user has ownership)
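The two stores described above, modeled in Python as an added example (not code from this project): each store enforces its own read/write/owner checks, and the file-to-secret link exists only on the client. The `Store` class, the ACL layout, the creator-becomes-owner rule and the sample names are assumptions.

```python
# Added illustration; class names and ACL layout are assumptions.
from dataclasses import dataclass, field

@dataclass
class Entry:
    blob: bytes                                  # opaque to the store
    owner: str
    readers: set = field(default_factory=set)
    writers: set = field(default_factory=set)

class Store:
    """Used twice: once for password files, once for secrets."""
    def __init__(self):
        self._entries = {}

    def _entry(self, user, name, allowed):
        # Same error for "missing" and "denied" so names are not leaked.
        entry = self._entries.get(name)
        if entry is None or not allowed(entry, user):
            raise PermissionError(f"{user}: no access to {name}")
        return entry

    def put(self, user, name, blob):
        if name not in self._entries:            # assumption: creator owns it
            self._entries[name] = Entry(blob, user, {user}, {user})
        else:
            self._entry(user, name, lambda e, u: u in e.writers).blob = blob

    def get(self, user, name):
        return self._entry(user, name, lambda e, u: u in e.readers).blob

    def list_entries(self, user):
        return sorted(n for n, e in self._entries.items()
                      if user in e.readers or user in e.writers)

    def change_owner(self, user, name, new_owner):
        entry = self._entry(user, name, lambda e, u: u == e.owner)
        entry.owner = new_owner
        entry.readers.add(new_owner)
        entry.writers.add(new_owner)

def fetch_pair(user, files, secrets, link):
    """link = (file name, secret name), kept only on the client."""
    file_name, secret_name = link
    return files.get(user, file_name), secrets.get(user, secret_name)

def demo():
    files, secrets = Store(), Store()
    files.put("alice", "f-7c1e", b"<constructed ciphertext>")
    secrets.put("alice", "s-02ab", b"<constructed key material>")
    return files, secrets, ("f-7c1e", "s-02ab")   # link stays with alice
```

Neither store holds the other's identifiers, so gaining access to a password file grants nothing in the secret store, and decryption happens only in the application once both halves are fetched.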

Secret Rotation:

I mentioned that I wanted this design to allow automated password rotation. Let’s consider secret rotation a user application: we can implement rotation features in the user application (which will be a fork of KeePass), or have a CLI or API that can be used programmatically.

Development time:

Something I have wanted to do for a while now is to stream my coding, and take this opportunity to chat with people interested in learning or just in this type of content.

I stream mostly on Fridays at 9pm CET on my Twitch channel, in French. I will keep these streams in French as I think there is already quite enough coding content in English and very little in French. If you want to join, it will be on twitch.tv/hanapoulpe.
