Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

[MOVED] How to use openpgp card to store secret access key?

0

Hello, I'm trying to find a way to store AWS secret access key in secure "only read" hardware in order to be PCI DSS complaint, for now i tried to store this secret access key in yubikey NEO, but the yubikey supports only 38 characters of "known" password ( all of the types of yubikey ), and the AWS generated secret access key is 40 characters, i tried to find " a way around " : i tried to compress this secret key ( dosnt work because of key complexity ),was thinking of storing this secret access key in yubikey as everyone do with ssh but for that i need to convert this string to pgp format (and i dont know how;P) , i was thinking of dividing this key in 2 parts and store it in different slots of the yubikey, but this sounds as very bad practice implementation. So the questions are : If someone has any other "work around" for this problem? Is it possible to generate 38 character access secret key?

P.S I use AWS CLI mainly , and no access to browser needed is appreciated, so the U2F ( as far as i have read ) is not an option.

Themen
Sicherheit, Identität & KonformitätManagement & Unternehmensführung
Tags
AWS-SchlüsselverwaltungsserviceAWS Identity and Access ManagementAWS BefehlszeilenschnittstelleAWS Geheimnismanager
Sprache
English
Joann Babak
gefragt vor 2 Jahren311 Aufrufe
2 Antworten
0

You can use a MFA Token with the AWS CLI. We have a Support Article How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI? there is also a video showing the process.

AWS
Michael_K
beantwortet vor 2 Jahren
  • Joann Babak
    vor 2 Jahren

    True, but, im not sure if it will be enough to cover PCI DSS , because we still will need to store somewhere the access keys, and to be full PCI DSS complaint, they cant be stored in PC memory , so or we get rid of access keys ( that, if we use AWS cli is not an option? ) , or we store secret access key in something "secure" like yubikey ( which apparently if the key exceeds 38 characters we cannot ), so any suggestion on how to "get rid" of access keys or shortening them will be appreciated

0

How about trying pass utility? Pass utility is based on GPG to encrypt their vault. And then, you can use your YubiKey with OpenPGP.

For convenience, try to use aws-vault together. This is integrated with pass utility.

profile picture
EXPERTE
posquit0
beantwortet vor 2 Jahren
  • Joann Babak
    vor 2 Jahren

    Looks like a promising utility, but as far as i have tested, i encrypted my secret access key under my PGP key, but.... now what? How i can store this PGP encrypted file in yubikey? so whenever i will need it, i will be able to "pull" it out?

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt