provisioning-outreach/presentations/rust-laspalmas-250926/demos/03-cosmian-kms.nu

175 lines
5.7 KiB
Text
Raw Permalink Normal View History

#!/usr/bin/env nu
# Demo 3: Cosmian KMS vs SOPS/Age - Rust Meetup 2025
# Comparación entre gestión de secretos tradicional y empresarial
print "🔐 Demo 3: Cosmian KMS vs SOPS/Age"
print "=================================="
# Parte 1: SOPS/Age (Método tradicional)
print "\n📦 Parte 1: Método tradicional con SOPS/Age"
print "============================================"
print "\n1⃣ Setup SOPS/Age (manual y propenso a errores):"
print "$ age-keygen -o ~/.age/key.txt"
print "$ export SOPS_AGE_KEY_FILE=~/.age/key.txt"
print "$ export SOPS_AGE_RECIPIENTS=age1..."
# Simular archivo de secretos
print "\n2⃣ Archivo original (sin encriptar):"
let secrets_plain = {
database: {
username: "admin"
password: "super-secret-password"
host: "db.internal.com"
port: 5432
}
api_keys: {
openai: "sk-proj-..."
aws_access: "AKIA..."
aws_secret: "wJalrXUtn..."
}
}
print ($secrets_plain | to yaml)
print "\n3⃣ Encriptar con SOPS:"
print "$ sops -e -i secrets.yaml"
print "Resultado: Archivo completamente ilegible, difícil de gestionar"
print "\n❌ Problemas con SOPS/Age:"
print " - Setup manual complejo"
print " - Gestión de claves manual"
print " - Sin rotación automática"
print " - Sin audit logs"
print " - Colaboración difícil"
print " - Sin compliance empresarial"
# Parte 2: Cosmian KMS (Solución Rust empresarial)
print "\n\n🦀 Parte 2: Cosmian KMS (Rust-powered enterprise)"
print "================================================"
print "\n1⃣ Configuración en KCL (declarativa):"
let kms_config = {
secret_provider: {
provider: "kms"
kms_config: {
server_url: "https://kms.company.com"
auth_method: "certificate"
client_cert_path: "/certs/provisioning.pem"
client_key_path: "/certs/provisioning.key"
ca_cert_path: "/certs/ca.pem"
timeout: 30
verify_ssl: true
}
}
}
print ($kms_config | to yaml)
print "\n2⃣ Uso natural en el sistema:"
print "$ provisioning sops secrets.yaml"
print "✅ Encriptación automática con Cosmian KMS"
print "✅ Claves gestionadas centralmente"
print "✅ Audit logs automáticos"
# Demostrar rotación automática
print "\n3⃣ Rotación automática de secretos:"
print "$ provisioning taskserv update secrets --rotate-keys"
print "🔄 Rotando claves..."
sleep 2sec
let rotation_result = {
status: "success"
rotated_keys: [
{ name: "database.password", old_version: "v1", new_version: "v2" }
{ name: "api_keys.aws_secret", old_version: "v3", new_version: "v4" }
]
audit_entry: "audit-2025-01-13-14:30:42-rotation-success"
next_rotation: "2025-02-13T14:30:42Z"
}
print ($rotation_result | to json)
# Mostrar audit logs
print "\n4⃣ Audit logs empresariales:"
print "$ provisioning show audit --filter secrets --last 24h"
let audit_logs = [
{
timestamp: "2025-01-13T14:30:42Z"
action: "key_rotation"
user: "provisioning-system"
resource: "database.password"
result: "success"
ip: "10.0.1.100"
}
{
timestamp: "2025-01-13T09:15:23Z"
action: "secret_access"
user: "deployment-pipeline"
resource: "api_keys.aws_secret"
result: "success"
ip: "10.0.2.50"
}
{
timestamp: "2025-01-13T08:45:12Z"
action: "secret_decrypt"
user: "provisioning-system"
resource: "database.password"
result: "success"
ip: "10.0.1.100"
}
]
print ($audit_logs | table)
# Demostrar zero-knowledge encryption
print "\n5⃣ Zero-knowledge encryption:"
print "🔒 Cosmian KMS nunca ve los datos sin encriptar"
print "🔑 Claves gestionadas por hardware security modules (HSM)"
print "🛡️ Compliance: FIPS 140-2, Common Criteria, GDPR"
# Comparación lado a lado
print "\n📊 Comparación SOPS/Age vs Cosmian KMS:"
print "======================================="
let comparison = [
{ feature: "Setup", sops: "Manual complejo", cosmian: "Configuración declarativa" }
{ feature: "Gestión de claves", sops: "Manual", cosmian: "Automática centralizada" }
{ feature: "Rotación", sops: "Manual", cosmian: "Automática programada" }
{ feature: "Audit logs", sops: "No", cosmian: "Completos con timestamps" }
{ feature: "Colaboración", sops: "Difícil", cosmian: "Roles y permisos" }
{ feature: "Compliance", sops: "Básico", cosmian: "Enterprise-grade" }
{ feature: "Performance", sops: "Bash/Go", cosmian: "Rust optimizado" }
{ feature: "Zero-knowledge", sops: "No", cosmian: "Sí" }
{ feature: "HSM support", sops: "No", cosmian: "Sí" }
{ feature: "Multi-tenant", sops: "No", cosmian: "Sí" }
]
print ($comparison | table)
# Demo de integración
print "\n6⃣ Integración seamless:"
print "$ provisioning generate infra --new secure-app --kms-encryption"
print "✅ Infraestructura generada con Cosmian KMS habilitado"
print "✅ Todos los secretos automáticamente encriptados"
print "✅ Rotación programada configurada"
print "\n🎯 Demo Cosmian KMS completada!"
print "⭐ Ventajas demostradas:"
print " - Setup declarativo vs manual"
print " - Rotación automática vs manual"
print " - Audit logs completos vs ninguno"
print " - Zero-knowledge encryption"
print " - Performance Rust vs scripts bash"
print " - Enterprise compliance ready"
print "\n💡 ¿Cuándo usar cada uno?"
print "📋 SOPS/Age: Proyectos pequeños, equipos técnicos, no compliance"
print "🏢 Cosmian KMS: Empresas, compliance necesario, equipos grandes"
print "\n🔧 Para probar Cosmian KMS:"
print "1. docker run -p 9998:9998 cosmian/kms"
print "2. Configurar KCL con server_url local"
print "3. provisioning sops test-secrets.yaml"