#security (2023-11)
Archive: https://archive.sweetops.com/security/
2023-11-16
Fortinet is alerting customers of a critical OS command injection vulnerability in FortiSIEM report server that could be exploited by remote, unauthenticated attackers to execute commands through specially crafted API requests.
This would be great to have in SOPS. Makes the secret story much better to be able to encrypt for a recipient, without having access to their KMS.
This is a pattern we follow, so can’t adopt SOPS yet, to encrypt offline without touching the environment. It also allows developers, who do not have privileged access to production environments to pass us secrets for target systems.
I’d like to be able to allow anyone to encrypt secrets to me; but only allow decryption through sops/KMS.
AWS supports this with key_usage of ENCRYPT_DECRYPT: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks
When I attempted to just use an RSA_4096 KMS key with sops I got:
Failed to call KMS encryption service: InvalidKeyUsageException: Algorithm SYMMETRIC_DEFAULT is incompatible with key spec RSA_4096.
I’m not discounting the feature but you know you can do that with pgp right?
Yes, but with pgp you lose the benefits of KMS, such as auditing who decrypted a secret and tying the decryption to the AWS APIs.
And pgp/gpg clients are dated, painful, obscure, … We know that all too well.
2023-11-30
For anyone interested, I’ve just released a threat intel feed aggregator, dstif.io. Feel free to add the RSS feed to your own slack/discord/feeds (hint hint @Erik Osterman (Cloud Posse))
I’m just scouring things manually