23. Jan 2024

Security 101 - sharing information without creating vulnerabilities

Confidential information represents a nonnegligible part of communication in every software company on the planet. Sharing it is regularly mishandled and more often than not takes form of a simple chat message or an email. Data is dispatched in bulk, with unnecessarily added notes and clues to its usage or source. Let's fix all of that. With Safe.

Andrej OnufrákDevOps Engineer

What is Safe?

Safe is a temporary data storage and sharing solution, that started its life as a fairly straightforward tool internally called "DevOps Secret Share". It was thrown together in a single night after a workshop, where information sharing came up as a topic of interest. The continous issue of safely distributing data among coworkers, ranging from user credentials to keys and certificates is no modest task. We inspected all aspects of this communcation route and determined that most frequently, people just need to dispense small chunks of information quickly and be able to forget about it even quicker.

DevOps Secret Share, which with a little polish and love became Safe, provided means to do exactly that. And a little more.

How does Safe work?

Safe has two parts, really. An input and an output channel.

Users stash confidential information into it, defining how many times can the data be read and for how long should it be accessible. Safe then consumes this data and generates a Safe link with a Universal Unique Identifier (UUID) representing the key to their data.

This link is later distributed over a secure channel as required. Opening the link depletes the view count and if one drops to zero, Safe early terminates the information lifetime.

With a little UI magic (dropdowns, so cool!) we can softly enforce a low number of allowed views together with rather limited lifetime options, further enhancing the overall security.

So, how is Safe build?

Safe is a truly tiny and lightweight app, build mainly on a blazingly fast backend combining Bun.js and Redis. This allows the app to not only start up fast, but work fast as well.

The entire frontend consists of only three HTML files served natively with Bun. One for the landing page, one for viewing the data and one more for informing the user that what is being looked for is Gone - for good.

Since information inside Redis is kept as non-persistent, the data stays stashed, but off disk.

What do I do with all this?

Well, lucky you. Safe became an Open Source Software project a little while ago and with some time, can become yours to tinker with as well.

Safe is, as of the time we are publishing this post, available on the GoodRequest DockerHub account.

If you feel extra adventurous, head over to our GitHub account, fork Safe, add, replace or remove whatever you deem necessary and start using it on your own terms!

In its most uncomplicated form, running Safe requires a place to host, a domain and a plain old Docker Compose stack. Here's one that should suffice:

version: '3'

services:
  redis:
    image: redis

  safe:
    image: goodrequestcom/safe:v1.0.0
    depends_on:
      - redis

  nginx:
    image: nginx
    ...
    depends_on:
      - safe

Do not forget to keep the Redis storage transient - that is half the magic after all. NGINX can be configured as a simple reverse proxy with the help of a nginx.conf file and a set of SSL certificates. Map the domain to your hosting solution and voila, you can be Safe as well!

Well, that was Safe. Our first, humble addition to the endless world of software development tooling available online. Feel free to reach out over any channel available and leave some feedback, so we can improve everything we do and share it with the world. Thank you!

Andrej OnufrákDevOps Engineer