
[MOVED] How to use openpgp card to store secret access key?

0

Hello, I'm trying to find a way to store an AWS secret access key in secure "read-only" hardware in order to be PCI DSS compliant. For now I tried to store this secret access key in a YubiKey NEO, but the YubiKey supports only 38 characters of "known" password (all of the types of YubiKey), and the AWS-generated secret access key is 40 characters. I tried to find "a way around": I tried to compress this secret key (doesn't work because of key complexity); I was thinking of storing this secret access key in the YubiKey as everyone does with SSH, but for that I need to convert this string to PGP format (and I don't know how ;P); I was thinking of dividing this key in 2 parts and storing it in different slots of the YubiKey, but this sounds like a very bad practice implementation. So the questions are: does someone have any other "work around" for this problem? Is it possible to generate a 38-character secret access key?

P.S. I use the AWS CLI mainly, and not needing browser access is appreciated, so U2F (as far as I have read) is not an option.

2 Answers
0

You can use an MFA token with the AWS CLI. We have a Support Article, "How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI?"; there is also a video showing the process.

answered 9 months ago
  • True, but I'm not sure if it will be enough to cover PCI DSS, because we will still need to store the access keys somewhere, and to be fully PCI DSS compliant they can't be stored in PC memory. So either we get rid of access keys (which, if we use the AWS CLI, is not an option?), or we store the secret access key in something "secure" like a YubiKey (which apparently we cannot if the key exceeds 38 characters), so any suggestion on how to "get rid" of access keys or shorten them will be appreciated.

0

How about trying the pass utility? pass is based on GPG to encrypt its vault, and then you can use your YubiKey with OpenPGP.

For convenience, try using aws-vault together with it. It is integrated with the pass utility.

answered 9 months ago
  • Looks like a promising utility, but as far as I have tested, I encrypted my secret access key under my PGP key, but... now what? How can I store this PGP-encrypted file in the YubiKey, so that whenever I need it I will be able to "pull" it out?
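One way to wire the pass-based approach from this answer into the AWS CLI, as an added example that is not part of the thread: a `credential_process` helper that decrypts the pass entry on demand (GPG private key on the YubiKey) and prints the JSON the CLI expects, so the 40-character secret is never written to disk in plaintext. The entry name `aws/prod`, its two-line layout and the script path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): an AWS CLI credential_process helper.
# The secret lives only in a GPG-encrypted pass entry; the GPG private key
# lives on the YubiKey (OpenPGP applet), so decryption needs the token
# present and PIN-unlocked, and no plaintext key is written to disk.
#
# Assumed (constructed) pass entry "aws/prod", two lines:
#   <40-char secret access key>
#   access_key_id: AKIA...
# Assumed ~/.aws/config wiring:
#   [profile prod]
#   credential_process = /usr/local/bin/aws-pass-creds aws/prod
set -eu

# Reject malformed pairs up front: long-term access key IDs are 20 characters
# starting with AKIA, and the secret is 40 characters (the size the question
# says does not fit in a YubiKey static-password slot).
validate_keys() {
  key_id=$1
  secret=$2
  case $key_id in
    AKIA????????????????) ;;
    *) return 1 ;;
  esac
  [ "${#secret}" -eq 40 ] || return 1
}

# The JSON document the AWS CLI expects from a credential_process (Version 1).
render_json() {
  printf '{"Version":1,"AccessKeyId":"%s","SecretAccessKey":"%s"}\n' "$1" "$2"
}

# Decrypt the pass entry and print it in credential_process form; the
# plaintext exists only inside this process for the duration of the call.
emit_credentials() {
  entry=$1
  blob=$(pass show "$entry")
  secret=$(printf '%s\n' "$blob" | sed -n '1p')
  key_id=$(printf '%s\n' "$blob" | sed -n 's/^access_key_id: *//p')
  if ! validate_keys "$key_id" "$secret"; then
    echo "aws-pass-creds: malformed key pair in pass entry '$entry'" >&2
    return 1
  fi
  render_json "$key_id" "$secret"
}

# Called by the AWS CLI with the pass entry name as the only argument.
if [ "$#" -gt 0 ]; then
  emit_credentials "$1"
fi
```

With this in place `aws --profile prod ...` triggers the GPG decryption (and the YubiKey PIN prompt) each time the CLI needs credentials, so the key never needs to sit in `~/.aws/credentials`.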
