Skip to content

Instantly share code, notes, and snippets.

@kennwhite
kennwhite / Dockerfile
Last active Apr 22, 2022
MongoDB .NET Alpine Dockerfile CSFLE example (MSFT's Alpine SDK image and Alpine's official image)
View Dockerfile
# syntax=docker/dockerfile:1
FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine3.15
# FROM alpine:3.15
#
ENV MDB_CONN_STR="mongodb+srv://user:password@clusterX.XXX.mongodb.net/test?retryWrites=true&w=majority"
#
RUN apk update
RUN apk add git make cmake g++ libbson-static musl-dev libc-dev openssl openssl-dev py3-pip icu-dev bash nano coreutils
RUN mkdir -p /code/app
WORKDIR /code/app
@kennwhite
kennwhite / mongodb-csfle-example-kmip-or-local-key.md
Created Apr 18, 2022 — forked from pkdone/mongodb-csfle-example-kmip-or-local-key.md
MongoDB CSFLE example using mongosh with a master key sourced from KMIP or a local file
View mongodb-csfle-example-kmip-or-local-key.md

MongoDB Client-Side Field Level Encryption (CSFLE) Using KMIP or Local Master Key (with mongosh)

Assumptions

  • You have an accessible MongoDB deployment already running and accessible (self-managed or in Atlas)
  • You have the modern MongoDB Shell (mongosh) installed locally on your workstation
  • You have a KMIP Server running and accessible, if you don't intend to use a local keyfile (for an example of running and configuring a Hashicorp Vault development instance, see: Hashicorp Vault Configuration For MongoDB KMIP Use)

Configure Local Workstation Context Files

@kennwhite
kennwhite / alpine_password.sh
Last active Apr 6, 2022
Non-interactive user create & password change for Alpine Linux
View alpine_password.sh
#! /usr/bin/env sh
# Create unprivileged Alpine linux user. Run this script as root/sudo
# Don't prompt for password and make group same as username, default path & shell
adduser -D -g appuser appuser
# Set a decent random password (aiming for a 256 bit security level, but better than "monkey")
PW=$(head -c 32 /dev/urandom | base64) && echo -e "$PW\n$PW" | passwd appuser && unset PW
@kennwhite
kennwhite / alpine_libmongocrypt_build.sh
Last active Mar 23, 2022
Simple MongoDB client-side field level encryption (libmongocrypt) demo on Alpine Linux with .NET
View alpine_libmongocrypt_build.sh
# WARNING: This is a demonstration only, not any kind of official build - use at your own risk
# Launched standard Alpine Linux AMI on an t2.micro instance configured w/ 8GB:
# alpine-3.15.1-x86_64-bios-cloudinit-r0 - ami-0421638898b821bff
#
# ssh -i mykey.pem alpine@[instance address]
# This demo runs as default non-root "alpine" user
@kennwhite
kennwhite / main.go
Last active Nov 12, 2021
Implementation of AEAD-AES-256-CBC-HMAC-SHA-512 using spec test vectors
View main.go
/*
Demonstration of AEAD_AES_256_CBC_HMAC_SHA_512, an authenticated encryption with associated
data (AEAD) scheme using a composition of AES in the CBC mode of operation with an
HMAC-SHA512 message authentication code, an Encrypt-Then-MAC construction.
From IETF draft spec by McGrew, Foley, & Paterson:
https://datatracker.ietf.org/doc/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-05#section-2.7
Disclaimer:
This is strictly a proof of concept personal project and has not had any proper cryptography review.
Do not use for anything even vaguely important.
View cryptopapers.md

Not many papers share a critical view of the cryptography field, and when such papers are published they tend to be dismissed as "extreme opinions". But not talking about potential deficiencies is harmful for everyone on the long run, even if many actors' self-interest is the status quo (example: USSR). So here's a list of crypto papers and essays not purely technical, sometimes called "controverial", in arbitrary order (please send suggestions of missing entries):

Rogaway - The moral character of cryptographic work - https://web.cs.ucdavis.edu/~rogaway/papers/moral.pdf

Bernstein - Non-uniform cracks in the concrete: the power of free precomputation - http://cr.yp.to/nonuniform/nonuniform-20130914.pdf

@kennwhite
kennwhite / FIPS-Modules-In-Process.md
Last active May 24, 2021
FIPS Modules In Process (as of Apr 9, 2021)
View FIPS-Modules-In-Process.md

From: https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-process/modules-in-process-list Snapshot as of Apr 9, 2021

Module Name Vendor Name Standard Status
Thunder Series TH-3040S, TH-5440S, TH-5840S and TH-7440S-11 A10 Networks, Inc. FIPS 140-2 In Review
ADVA 10TCE-PCN-16GU+AES100G-F encryption module ADVA Optical Networking SE FIPS 140-2 Review Pending
ADVA 9TCE-PCN-10GU+AES10G-F encryption module ADVA Optical Networking SE FIPS 140-2 Review Pending
WCC-PCN-AES100GB-F Encryption Module ADVA Optical Networking SE FIPS 140-2 Coordination
@kennwhite
kennwhite / general_tso`s_chicken.md
Last active Mar 28, 2021
General Tso's Chicken
View general_tso`s_chicken.md

Joshua Weissman's General Tso's Chicken

Chicken:

  • 1.5 lbs (700g) boneless skinless chicken thighs cut into pieces
  • 1 TB (14g) shaoxing wine
  • 1 TB (14g) soy sauce
  • pinch of salt
  • 2 cloves garlic mined
  • 1 inch knob ginger minced
  • 1/2 cup (75g) all purpose flour
@kennwhite
kennwhite / lxc_v4_notes_feb-2021.txt
Last active Oct 23, 2021
LXC v4 notes (2/2021) for Ubuntu
View lxc_v4_notes_feb-2021.txt
# Good tips here: https://www.cyberciti.biz/faq/install-lxd-on-ubuntu-20-04-lts-using-apt/
# List all running services
systemctl list-units --all --type=service --no-pager | grep running
# Clean install of lxc (on host) - first lxd system, then lxc command line tools
sudo apt-get update
sudo apt-get upgrade
sudo apt install lxd
sudo adduser YOURUSERID lxd # (probably already there)
@kennwhite
kennwhite / hello_world_shell_local_per_user.js
Last active Feb 15, 2021
Basic FLE hello world with shell, demonstrating per-user keys (json pointers)
View hello_world_shell_local_per_user.js
/*
Simple demonstration using MongoDB Client-Side Field Level Encryption (local key version)
using json pointer for per-user/per-document dynamic key selection
This pattern might be useful for Right to Be Forgotten GDPR use case.
Note: FLE schemas with json pointer dynamic key IDs require randomized mode and automatic encryption
Decryption -- whether randomized or deterministic -- is always automatic, assuming the data key is available/cached.
If deterministic (searchable) mode is required, consider dynamic user key selection
at the app level via explicit encryption methods (versus automatic), e.g.: