#!/usr/bin/env nu # Demo 3: Cosmian KMS vs SOPS/Age - Rust Meetup 2025 # Comparación entre gestión de secretos tradicional y empresarial print "🔐 Demo 3: Cosmian KMS vs SOPS/Age" print "==================================" # Parte 1: SOPS/Age (Método tradicional) print "\n📦 Parte 1: Método tradicional con SOPS/Age" print "============================================" print "\n1️⃣ Setup SOPS/Age (manual y propenso a errores):" print "$ age-keygen -o ~/.age/key.txt" print "$ export SOPS_AGE_KEY_FILE=~/.age/key.txt" print "$ export SOPS_AGE_RECIPIENTS=age1..." # Simular archivo de secretos print "\n2️⃣ Archivo original (sin encriptar):" let secrets_plain = { database: { username: "admin" password: "super-secret-password" host: "db.internal.com" port: 5432 } api_keys: { openai: "sk-proj-..." aws_access: "AKIA..." aws_secret: "wJalrXUtn..." } } print ($secrets_plain | to yaml) print "\n3️⃣ Encriptar con SOPS:" print "$ sops -e -i secrets.yaml" print "Resultado: Archivo completamente ilegible, difícil de gestionar" print "\n❌ Problemas con SOPS/Age:" print " - Setup manual complejo" print " - Gestión de claves manual" print " - Sin rotación automática" print " - Sin audit logs" print " - Colaboración difícil" print " - Sin compliance empresarial" # Parte 2: Cosmian KMS (Solución Rust empresarial) print "\n\n🦀 Parte 2: Cosmian KMS (Rust-powered enterprise)" print "================================================" print "\n1️⃣ Configuración en KCL (declarativa):" let kms_config = { secret_provider: { provider: "kms" kms_config: { server_url: "https://kms.company.com" auth_method: "certificate" client_cert_path: "/certs/provisioning.pem" client_key_path: "/certs/provisioning.key" ca_cert_path: "/certs/ca.pem" timeout: 30 verify_ssl: true } } } print ($kms_config | to yaml) print "\n2️⃣ Uso natural en el sistema:" print "$ provisioning sops secrets.yaml" print "✅ Encriptación automática con Cosmian KMS" print "✅ Claves gestionadas centralmente" print "✅ Audit logs automáticos" # Demostrar rotación automática print "\n3️⃣ Rotación automática de secretos:" print "$ provisioning taskserv update secrets --rotate-keys" print "🔄 Rotando claves..." sleep 2sec let rotation_result = { status: "success" rotated_keys: [ { name: "database.password", old_version: "v1", new_version: "v2" } { name: "api_keys.aws_secret", old_version: "v3", new_version: "v4" } ] audit_entry: "audit-2025-01-13-14:30:42-rotation-success" next_rotation: "2025-02-13T14:30:42Z" } print ($rotation_result | to json) # Mostrar audit logs print "\n4️⃣ Audit logs empresariales:" print "$ provisioning show audit --filter secrets --last 24h" let audit_logs = [ { timestamp: "2025-01-13T14:30:42Z" action: "key_rotation" user: "provisioning-system" resource: "database.password" result: "success" ip: "10.0.1.100" } { timestamp: "2025-01-13T09:15:23Z" action: "secret_access" user: "deployment-pipeline" resource: "api_keys.aws_secret" result: "success" ip: "10.0.2.50" } { timestamp: "2025-01-13T08:45:12Z" action: "secret_decrypt" user: "provisioning-system" resource: "database.password" result: "success" ip: "10.0.1.100" } ] print ($audit_logs | table) # Demostrar zero-knowledge encryption print "\n5️⃣ Zero-knowledge encryption:" print "🔒 Cosmian KMS nunca ve los datos sin encriptar" print "🔑 Claves gestionadas por hardware security modules (HSM)" print "🛡️ Compliance: FIPS 140-2, Common Criteria, GDPR" # Comparación lado a lado print "\n📊 Comparación SOPS/Age vs Cosmian KMS:" print "=======================================" let comparison = [ { feature: "Setup", sops: "Manual complejo", cosmian: "Configuración declarativa" } { feature: "Gestión de claves", sops: "Manual", cosmian: "Automática centralizada" } { feature: "Rotación", sops: "Manual", cosmian: "Automática programada" } { feature: "Audit logs", sops: "No", cosmian: "Completos con timestamps" } { feature: "Colaboración", sops: "Difícil", cosmian: "Roles y permisos" } { feature: "Compliance", sops: "Básico", cosmian: "Enterprise-grade" } { feature: "Performance", sops: "Bash/Go", cosmian: "Rust optimizado" } { feature: "Zero-knowledge", sops: "No", cosmian: "Sí" } { feature: "HSM support", sops: "No", cosmian: "Sí" } { feature: "Multi-tenant", sops: "No", cosmian: "Sí" } ] print ($comparison | table) # Demo de integración print "\n6️⃣ Integración seamless:" print "$ provisioning generate infra --new secure-app --kms-encryption" print "✅ Infraestructura generada con Cosmian KMS habilitado" print "✅ Todos los secretos automáticamente encriptados" print "✅ Rotación programada configurada" print "\n🎯 Demo Cosmian KMS completada!" print "⭐ Ventajas demostradas:" print " - Setup declarativo vs manual" print " - Rotación automática vs manual" print " - Audit logs completos vs ninguno" print " - Zero-knowledge encryption" print " - Performance Rust vs scripts bash" print " - Enterprise compliance ready" print "\n💡 ¿Cuándo usar cada uno?" print "📋 SOPS/Age: Proyectos pequeños, equipos técnicos, no compliance" print "🏢 Cosmian KMS: Empresas, compliance necesario, equipos grandes" print "\n🔧 Para probar Cosmian KMS:" print "1. docker run -p 9998:9998 cosmian/kms" print "2. Configurar KCL con server_url local" print "3. provisioning sops test-secrets.yaml"