provisioning-outreach/presentations/rust-laspalmas-250926/demos/03-cosmian-kms.nu

175 lines
No EOL
5.7 KiB
Text
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/usr/bin/env nu
# Demo 3: Cosmian KMS vs SOPS/Age - Rust Meetup 2025
# Comparación entre gestión de secretos tradicional y empresarial
print "🔐 Demo 3: Cosmian KMS vs SOPS/Age"
print "=================================="
# Parte 1: SOPS/Age (Método tradicional)
print "\n📦 Parte 1: Método tradicional con SOPS/Age"
print "============================================"
print "\n1⃣ Setup SOPS/Age (manual y propenso a errores):"
print "$ age-keygen -o ~/.age/key.txt"
print "$ export SOPS_AGE_KEY_FILE=~/.age/key.txt"
print "$ export SOPS_AGE_RECIPIENTS=age1..."
# Simular archivo de secretos
print "\n2⃣ Archivo original (sin encriptar):"
let secrets_plain = {
database: {
username: "admin"
password: "super-secret-password"
host: "db.internal.com"
port: 5432
}
api_keys: {
openai: "sk-proj-..."
aws_access: "AKIA..."
aws_secret: "wJalrXUtn..."
}
}
print ($secrets_plain | to yaml)
print "\n3⃣ Encriptar con SOPS:"
print "$ sops -e -i secrets.yaml"
print "Resultado: Archivo completamente ilegible, difícil de gestionar"
print "\n❌ Problemas con SOPS/Age:"
print " - Setup manual complejo"
print " - Gestión de claves manual"
print " - Sin rotación automática"
print " - Sin audit logs"
print " - Colaboración difícil"
print " - Sin compliance empresarial"
# Parte 2: Cosmian KMS (Solución Rust empresarial)
print "\n\n🦀 Parte 2: Cosmian KMS (Rust-powered enterprise)"
print "================================================"
print "\n1⃣ Configuración en KCL (declarativa):"
let kms_config = {
secret_provider: {
provider: "kms"
kms_config: {
server_url: "https://kms.company.com"
auth_method: "certificate"
client_cert_path: "/certs/provisioning.pem"
client_key_path: "/certs/provisioning.key"
ca_cert_path: "/certs/ca.pem"
timeout: 30
verify_ssl: true
}
}
}
print ($kms_config | to yaml)
print "\n2⃣ Uso natural en el sistema:"
print "$ provisioning sops secrets.yaml"
print "✅ Encriptación automática con Cosmian KMS"
print "✅ Claves gestionadas centralmente"
print "✅ Audit logs automáticos"
# Demostrar rotación automática
print "\n3⃣ Rotación automática de secretos:"
print "$ provisioning taskserv update secrets --rotate-keys"
print "🔄 Rotando claves..."
sleep 2sec
let rotation_result = {
status: "success"
rotated_keys: [
{ name: "database.password", old_version: "v1", new_version: "v2" }
{ name: "api_keys.aws_secret", old_version: "v3", new_version: "v4" }
]
audit_entry: "audit-2025-01-13-14:30:42-rotation-success"
next_rotation: "2025-02-13T14:30:42Z"
}
print ($rotation_result | to json)
# Mostrar audit logs
print "\n4⃣ Audit logs empresariales:"
print "$ provisioning show audit --filter secrets --last 24h"
let audit_logs = [
{
timestamp: "2025-01-13T14:30:42Z"
action: "key_rotation"
user: "provisioning-system"
resource: "database.password"
result: "success"
ip: "10.0.1.100"
}
{
timestamp: "2025-01-13T09:15:23Z"
action: "secret_access"
user: "deployment-pipeline"
resource: "api_keys.aws_secret"
result: "success"
ip: "10.0.2.50"
}
{
timestamp: "2025-01-13T08:45:12Z"
action: "secret_decrypt"
user: "provisioning-system"
resource: "database.password"
result: "success"
ip: "10.0.1.100"
}
]
print ($audit_logs | table)
# Demostrar zero-knowledge encryption
print "\n5⃣ Zero-knowledge encryption:"
print "🔒 Cosmian KMS nunca ve los datos sin encriptar"
print "🔑 Claves gestionadas por hardware security modules (HSM)"
print "🛡️ Compliance: FIPS 140-2, Common Criteria, GDPR"
# Comparación lado a lado
print "\n📊 Comparación SOPS/Age vs Cosmian KMS:"
print "======================================="
let comparison = [
{ feature: "Setup", sops: "Manual complejo", cosmian: "Configuración declarativa" }
{ feature: "Gestión de claves", sops: "Manual", cosmian: "Automática centralizada" }
{ feature: "Rotación", sops: "Manual", cosmian: "Automática programada" }
{ feature: "Audit logs", sops: "No", cosmian: "Completos con timestamps" }
{ feature: "Colaboración", sops: "Difícil", cosmian: "Roles y permisos" }
{ feature: "Compliance", sops: "Básico", cosmian: "Enterprise-grade" }
{ feature: "Performance", sops: "Bash/Go", cosmian: "Rust optimizado" }
{ feature: "Zero-knowledge", sops: "No", cosmian: "Sí" }
{ feature: "HSM support", sops: "No", cosmian: "Sí" }
{ feature: "Multi-tenant", sops: "No", cosmian: "Sí" }
]
print ($comparison | table)
# Demo de integración
print "\n6⃣ Integración seamless:"
print "$ provisioning generate infra --new secure-app --kms-encryption"
print "✅ Infraestructura generada con Cosmian KMS habilitado"
print "✅ Todos los secretos automáticamente encriptados"
print "✅ Rotación programada configurada"
print "\n🎯 Demo Cosmian KMS completada!"
print "⭐ Ventajas demostradas:"
print " - Setup declarativo vs manual"
print " - Rotación automática vs manual"
print " - Audit logs completos vs ninguno"
print " - Zero-knowledge encryption"
print " - Performance Rust vs scripts bash"
print " - Enterprise compliance ready"
print "\n💡 ¿Cuándo usar cada uno?"
print "📋 SOPS/Age: Proyectos pequeños, equipos técnicos, no compliance"
print "🏢 Cosmian KMS: Empresas, compliance necesario, equipos grandes"
print "\n🔧 Para probar Cosmian KMS:"
print "1. docker run -p 9998:9998 cosmian/kms"
print "2. Configurar KCL con server_url local"
print "3. provisioning sops test-secrets.yaml"