- You have a MongoDB deployment already running and accessible (self-managed or in Atlas)
- You have the modern MongoDB Shell (mongosh) installed locally on your workstation
- You have a KMIP Server running and accessible, if you don't intend to use a local keyfile (for an example of running and configuring a Hashicorp Vault development instance, see: Hashicorp Vault Configuration For MongoDB KMIP Use)
```sh
#! /usr/bin/env sh
# Create unprivileged Alpine linux user. Run this script as root/sudo
# Don't prompt for password and make group same as username, default path & shell
adduser -D -g appuser appuser
# Set a decent random password (aiming for a 256 bit security level, but better than "monkey")
PW=$(head -c 32 /dev/urandom | base64) && echo -e "$PW\n$PW" | passwd appuser && unset PW
```
```sh
# WARNING: This is a demonstration only, not any kind of official build - use at your own risk
# Launched standard Alpine Linux AMI on a t2.micro instance configured w/ 8GB:
# alpine-3.15.1-x86_64-bios-cloudinit-r0 - ami-0421638898b821bff
#
# ssh -i mykey.pem alpine@[instance address]
# This demo runs as default non-root "alpine" user
```
```javascript
/*
Demonstration of AEAD_AES_256_CBC_HMAC_SHA_512, an authenticated encryption with associated
data (AEAD) scheme using a composition of AES in the CBC mode of operation with an
HMAC-SHA512 message authentication code, an Encrypt-Then-MAC construction.
From IETF draft spec by McGrew, Foley, & Paterson:
https://datatracker.ietf.org/doc/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-05#section-2.7
Disclaimer:
This is strictly a proof of concept personal project and has not had any proper cryptography review.
Do not use for anything even vaguely important.
```
Not many papers share a critical view of the cryptography field, and when such papers are published they tend to be dismissed as "extreme opinions". But not talking about potential deficiencies is harmful for everyone in the long run, even if many actors' self-interest is the status quo (example: USSR). So here's a list of crypto papers and essays that are not purely technical, sometimes called "controversial", in arbitrary order (please send suggestions of missing entries):
Rogaway - The moral character of cryptographic work - https://web.cs.ucdavis.edu/~rogaway/papers/moral.pdf
Bernstein - Non-uniform cracks in the concrete: the power of free precomputation - http://cr.yp.to/nonuniform/nonuniform-20130914.pdf
From: https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-process/modules-in-process-list Snapshot as of Apr 9, 2021
| Module Name | Vendor Name | Standard | Status |
|---|---|---|---|
| Thunder Series TH-3040S, TH-5440S, TH-5840S and TH-7440S-11 | A10 Networks, Inc. | FIPS 140-2 | In Review |
| ADVA 10TCE-PCN-16GU+AES100G-F encryption module | ADVA Optical Networking SE | FIPS 140-2 | Review Pending |
| ADVA 9TCE-PCN-10GU+AES10G-F encryption module | ADVA Optical Networking SE | FIPS 140-2 | Review Pending |
| WCC-PCN-AES100GB-F Encryption Module | ADVA Optical Networking SE | FIPS 140-2 | Coordination |
Joshua Weissman's General Tso's Chicken
Chicken:
- 1.5 lbs (700g) boneless skinless chicken thighs cut into pieces
- 1 TB (14g) shaoxing wine
- 1 TB (14g) soy sauce
- pinch of salt
- 2 cloves garlic minced
- 1 inch knob ginger minced
- 1/2 cup (75g) all purpose flour
```sh
# Good tips here: https://www.cyberciti.biz/faq/install-lxd-on-ubuntu-20-04-lts-using-apt/
# List all running services
systemctl list-units --all --type=service --no-pager | grep running
# Clean install of lxc (on host) - first lxd system, then lxc command line tools
sudo apt-get update
sudo apt-get upgrade
sudo apt install lxd
sudo adduser YOURUSERID lxd # (probably already there)
```
```javascript
/*
Simple demonstration using MongoDB Client-Side Field Level Encryption (local key version)
using json pointer for per-user/per-document dynamic key selection
This pattern might be useful for Right to Be Forgotten GDPR use case.
Note: FLE schemas with json pointer dynamic key IDs require randomized mode and automatic encryption
Decryption -- whether randomized or deterministic -- is always automatic, assuming the data key is available/cached.
If deterministic (searchable) mode is required, consider dynamic user key selection
at the app level via explicit encryption methods (versus automatic), e.g.:
```
To override Big Sur's Gatekeeper restriction ("cannot be opened because the developer cannot be verified") from the command line.

Example with MongoDB (can be run against a folder, e.g. JavaSDK, or individual executables):

```sh
xattr -d com.apple.quarantine /Users/me/Downloads/mongodb-macos-x86_64-enterprise-4.4.2/bin/*
```
This appears to be sticky for all identical versions of that executable, i.e., if you have two copies of the identical binary in unrelated directories, removing quarantine for one seems to enter a file signature hash into the allowed list globally.