Has anyone used `keybase` to encrypt/decrypt user ...
# aws
f
Has anyone used `keybase` to encrypt/decrypt user passwords with `aws.iam.UserLoginProfile`? The `encryptedPassword` output returns a simple string in the form `wcFMA433DHhZWgKpARAAXYd0q2oRc83hFcLJXQMV9yC…` but keybase seems to expect something of the form `BEGIN KEYBASE SALTPACK ENCRYPTED MESSAGE. keDIDMQWYvVR58B FTfTeDQNHx1585M … 1UfUcHnbYM8vtOw OsZfpid. END KEYBASE SALTPACK ENCRYPTED MESSAGE.` for decryption… 🤔
b
you need to pipe through base64 decode

```shell
# decode the base64-encoded output into the raw encrypted blob
pulumi stack output myPassword | base64 --decode
```

that should give you the keybase string
f
piping through `base64 -d` only outputs binary/garbage! 😕
b
can you show me your code that you've specified for this?
f
```typescript
// login profile for the IAM user; the password is PGP-encrypted
// to the user's Keybase public key by AWS
const loginProfile = new aws.iam.UserLoginProfile(
  user.username,
  {
    user: iamUser.name,
    pgpKey: `keybase:${user.keybaseUser}`,
  },
  { parent: this }
);
```

and later in a dynamic provider that will send the encrypted password by email, where `encryptedPassword` is the resolved value of `loginProfile.encryptedPassword`:

```typescript
console.log(`Encrypted password: ${encryptedPassword}`);
```
I can share a more complete code excerpt if needed, but it’s a bit more involved, with the dynamic provider.
l
Same happens to me, I wrap it in the headers and footers myself, and it works... one sec, I've got the code...
Ah, it's just Terraform code, haven't ported it to Pulumi yet...

```hcl
output "passwords" {
  value = <<ARMOURED
%{for login_profile in aws_iam_user_login_profile.support}
PGP-encrypted password for ${login_profile.user}
-----BEGIN PGP MESSAGE-----

${login_profile.encrypted_password}

-----END PGP MESSAGE-----
%{endfor}
ARMOURED
}
```
f
Thanks @little-cartoon-10569! However, it’s not just the armour that’s missing, it’s also the bytes that seem to be grouped in bunches. As I mentioned earlier, the format keybase is expecting looks like this:

```text
BEGIN KEYBASE SALTPACK ENCRYPTED MESSAGE. keDIDMQWYvVR58B FTfTeDQNHx1585M wWbrASgxlB4AxUD GDs2vnNJvt5UodK mH0F6pHuD4vc3Vm lAlAPrh7ZKv2OTY HnLXoNcUySLmP3p 63H2m1IHrfmMttC RLfExoP8zM8ZQ6R b1AWj2suk3W6s2G r5LriMri8wq94Hs X4hS0THSXY4AK8r nWrWvYlT3LBcuza 5AL24aH3H1eNVPe Mev3P0esF4z3O4w 9g9EQGy9IGN4ft7 5TKjYlptRSsGYAB RlGQlkRFFHQomtD es0YdccwPYXC5aa YbWyCA7jVOSEvCQ dcUbmILBnJLgvnf CJA6cpucUDsUeoP bKhMOzGg72JFSQ1 OXRp5VNwlo4ox8E 1UfUcHnbYM8vtOw OsZfpid. END KEYBASE SALTPACK ENCRYPTED MESSAGE.
```
However, my team lead asked that I stop going down this rabbit hole (which is starting to waste a lot of time) and instead find an alternative for generating/sending passwords! 😕 I guess I’ll create my own dynamic provider to create the login profile (because the regular AWS one only supports encrypted passwords). I’ll generate a random password, configure it to force the user to reset it upon first login, and just send it to the user by email as plain text (as it’s just a temporary one). That’s a compromise, but we just need a simple enough workflow both for admins and users…