Even though sharing secrets is not recommended this is not always possible, especially in rapidly growing engineering teams where velocity takes precedence over security. INCOG is designed for teams (engineering and non-engineering) to share secrets like generic passwords, app tokens, API keys, etc. over an end-to-end encrypted channel. This avoids sharing secrets over 3rd-party and insecure channels such as e-mail, slack, messengers, sticky notes (not kidding people do this), etc.
- End-to-end encrypted channel for secret sharing.
- Runs on Docker and is highly scalable.
- Uses AWS KMS for secret key generation i.e. you host & own the master key.
- Every secret shared is encrypted using a unique Data Encryption Key (DEK) with
AES-128-CBC
. - Secrets storage is ephemeral and not persisted for more than 24hours (which is configurable).
- Neither of encrypting or decrypting a secret is attributed to an user keeping any activity on INCOG anonymized.
- Generates unique/random HTTP URL(s) for sharing secrets, hence can be shared via any channel (email, Slack, etc.)
- Accessible via any browser of your choice.
INCOG is designed to run on Docker and can be deployed via docker-compose
.
Prerequisites:
- You have an AWS account and an access Key Management Service (via IAM AccessKey or EC2 Role).
- Docker installed on host machine where INCOG would be installed.
- A TLS certificate (internally signed or Let's Encrypt or other CAs) registered to a domain you would serve INCOG over. Since, TLS is a must and if you don't have means to get one there is a script provided:
deploy/create-local-cert.sh
which can generate a self-signed certificate. - It is strongly recommended that you serve this app only within an internal network or via a VPN and not directly over the internet.
Instructions:
- Generate a Symmetric key on KMS with spec:
SYMMETRIC_DEFAULT
and required policy to access it can be found underdoc/kms-policy.json
- Clone or download this repo on your host machine where you would like to setup INCOG.
- Configure required values under
deploy/config/incog.env
- REQUIRED:
KMS_KEY_ID
- ID of you KMS key. - REQUIRED:
AWS_DEFAULT_REGION
this should be the same region as of the KMS Key. - OPTIONAL:
AWS_ACCESS_KEY_ID
,AWS_SECRET_ACCESS_KEY
set AccessKey of IAM user if you can't set an EC2 IAM role which is the preferred method - OPTIONAL:
MEMCACHE_HOST
,MEMCACHE_PORT
- if you're using your custom Memcache server. - OPTIONAL:
MEMCACHE_SECRET_LIFESPAN
- if you want to change the default secret lifespan of 24hours. - RECOMMENDED:
FLASK_SECRET_KEY
- Random string used by flask to sign session. To generate a Random string -python -c 'import os; print(os.urandom(16))'
- REQUIRED:
- Configure required values under
deploy/config/incog-nginx.env
- REQUIRED:
INCOG_HOST
- Name of the domain you want to serve INCOG via. (Don't include http/https)
- REQUIRED:
- Import your TLS certificate and key under
deploy
folder and name it asincog.cert
&incog.key
respectively. - Start INCOG -
cd deploy && docker-compose up -d --build
and verify if all 3 processes (frontend, incog, memcache) are up viadocker ps
. - You can now start using INCOG via:
https://<INCOG_HOST>
on your favorite browser.
Run - cd deploy && docker-compose down
INCOG uses the following tech stack:
- Frontend - Nginx server
- Backend - Gunicorn + Flask
- Storage - Memcache server