
Torus – A secure, shared workspace for secrets - sr2
https://www.torus.sh/
======
zimbatm
As soon as developers have access to the production credentials it's game
over. Auditability is gone. Passwords end-up being stored in various password
stores and plain files because it's convenient. Developers connect to the
production system and start doing live changes.

Hashicorp Vault is more difficult to put in place but it does the right thing.
With it's custom backend it can generate temporary tokens, for example to
access the database. Those token are short-lived and part of the audit log.

~~~
zie
Hashi Vault isn't that difficult to setup, especially for smaller setups, it's
basically just a binary you run, with the file backend. You still get the
auditing goodness, etc. Otherwise I agree with what else you said.

~~~
zimbatm
Yes Vault isn't that difficult to setup. It's mainly harder because Torus
hosts the backend.

------
TheSwordsman
Looks interesting. I'll definitely take a look at how this compares to
Hashicorp Vault. Definitely getting closer and closer to the point where I can
start to properly utilize a tool like this.

Reading the docs, though, it does seem like it's one legendary AWS outage away
from being a huge problem:

>Torus’s infrastructure has been designed from the ground up for resilience
without any single point of failure. All of our services are autoscaled and
run in multiple availability zones in the us-east-1 region.

~~~
BlackjackCF
:| Yikes.

Maybe it's not a good idea to launch in the default region.

------
tptacek
This does not seem any less complicated than Vault or Keywhiz.

------
momania
How is using an online service as a starting point for security a good thing?

~~~
yellowapple
As long as everything's encrypted on the client-side (and the client's source
code is available for public audit), I don't see any immediate concerns
besides the obvious one of "what happens if Torus goes under?".

It looks like there are plans to open-source the server, though, so that
problem can be solved if you want to host your own Torus deployment (which I'd
likely do for any serious non-personal usage).

~~~
BlackjackCF
Goes under or AWS goes down.

------
wyqydsyq
We've used Torus a fair bit in my team at work, however we're now using
Docker's native secrets solution for our container runtimes as it avoids the
knowledge and build-time overhead of an extra dependency.

I personally found the experience of using Torus to be great. Getting a quick
working setup is easy and it doesn't take much effort to transition from there
to locked down access control. Will likely continue using it outside of the
Docker context.

------
owaislone
I've been using Blackbox and it has been great. It encrypts files directly in
your VCS. We've setup the deploy pipeline to decrypt secret config files and
then deploy to servers.

[https://github.com/StackExchange/blackbox](https://github.com/StackExchange/blackbox)

------
m_sahaf
Looks interesting. I probably need to get my hands dirty to understand how
it's different from Hashicorp's Vault. A quick glance says it's a cloud-based
solution with simpler UX. I see only client binaries and sign-up instructions.
There are no server setup instructions.

~~~
ianl
At Manifold(1), we built Torus from the ground-up to solve a consistent pain
when building cloud apps: securely storing, sharing, and rotating secrets used
to build, run, and deploy code. Our goal is to make it simple for anyone, not
just the security savvy, to keep their secrets out of git and off disk.

To do this, we designed our security model (host and cryptography
architecture) for hosting in the cloud to ensure we never have access to any
of the keys used to encrypt or sign secrets — they’re derived from a user’s
password and never forwarded along. We’ve posted more information in our
documentation(2).

The server is currently closed source, with plans to open source it. The
client (where all cryptographic operations happen) is open source.

1) [https://www.manifold.co/](https://www.manifold.co/) 2)
[https://www.torus.sh/docs/latest/internals/crypto](https://www.torus.sh/docs/latest/internals/crypto)

~~~
tiziano88
Could you highlight differences compared to Vault?

~~~
ianl
At it’s heart, Torus is public-key infrastructure, users/machines derive and
encrypt asymmetric key pairs from their password. These key pairs are then
uploaded and signed by the Torus server using a key endorsed by our root
signing keys (always kept offline in a sealed and secured environment).

This enables Torus to establish a web of trust (much like gpg), allowing
clients to retrieve and validate (by navigating down the web of trust) public
signing and encryption keys for other users or machines. Using these validated
keys, clients can encrypt secrets for each other without ever sending the
secret (or any material used to encrypt it) to the server.

Vault, on the other hand, operates under a centralized encryption model with
all secrets encrypted using keys encrypted by the root master key. For a vault
cluster to boot up, the vault must be unsealed which complicates it’s high
availability story — for a cluster to cold start it must have access to the
master key.

The onus is on operators to properly store, transmit, and leverage the master
key to unseal the vault which requires a certain level of sophistication to do
properly. If the root key were to be lost or compromised, then all of the
secrets would be as well.

Torus uses a decentralized model and builds on-top of the privilege of least
privilege — users and machines only have access to the secrets they require.
Making it far easier to operate as a cloud service (no cold start problem) and
ensure that we never have access to your secrets.

We don’t see Torus as only a security tool, instead, we see it as a
productivity tool by focusing on making it super easy to set, audit, and
rotate secrets when a machine is compromised, developer leaves, or key is
committed to git.

~~~
wst_
> For a vault cluster to boot up, the vault must be unsealed which complicates
> it’s high availability story

It doesn't complicate anything. It just makes it secure.

> If the root key were to be lost or compromised, then all of the secrets
> would be as well.

In Vault, you do not have just a root key. You have it divided, initially in 5
parts 3 of which are needed for unsealing. You can change the numbers. It is
unlikely that all of them goes AWOL.

Plus, Vault is trivial to set up for a small team. Not a bigger effort is
needed to set up a cluster.

I can understand that Torus is your tool of choice, but please do not spread
FUD about Vault at the same time. I have no experience with Torus, yet, but
Vault is a solid piece.

------
OJFord
Very strange navigation behaviour: enabled JS, and then clicking e.g. 'Docs'
modifies the URL in address bar, but requires a manual refresh to actually
load the docs page...

------
skrowl
A shared workspace for secrets as long as none of your friends using Windows,
Android or iOS have secrete to share, apparently.

~~~
yellowapple
There's a Windows version on their download page:
[https://get.torus.sh/](https://get.torus.sh/)

Doesn't solve the lack of mobile support, but hopefully the fact that the
client-side code is already free software (and under a liberal license, to
boot) means that the community can fix that problem if all else fails.

