Introducing Jak: Safely Share Sensitive Files via Git

ShmooCon XIII - 2017

Presented by: Chris DiLorenzo
Date: Friday January 13, 2017
Time: 17:30 - 17:50
Location: Main Room
Track: One Track Mind

Web applications use secret keys to connect to lots of important external things like payment systems, emailers, and virtual machines. Committing these secret keys and other pieces of sensitive information in plaintext to a code repository is a generally Bad Idea™. Instead, developers .gitignore sensitive files, and manually put keys directly onto application servers.

That’s fine, until you need to collaborate with another developer who also needs those keys. Safe key sharing is a challenge we had at Dispel (and every other company we’d worked at). We asked around: people end up using a hodgepodge of tools with pretty variable security—anything from plaintext emails, chat messages, files copied to USB sticks, PGP encryption, and yellow sticky notes.

We thought about it for a while, and came up with Jak.

Jak lets you commit sensitive files into Git, but encrypts them for you as part of the commit hook so only encrypted versions end up in your repository. For the encryption, Jak also automatically generates, updates, and distributes encryption keys based upon whom you’ve given access to your repos. That way another developer can pull down your code and immediately get to work instead of waiting for keys to arrive.
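An added illustration of the encrypt-on-commit idea described above (example code, not Jak's own): a POSIX `pre-commit` hook that swaps each listed plaintext secret for its ciphertext in the index so only the encrypted copy reaches the repository. It assumes a hypothetical manifest `.jakfiles` (one secret path per line), a key file at `.jak/key` (or `$JAK_KEY_FILE`) that is itself gitignored, and `openssl` on the PATH.

```shell
#!/bin/sh
# Illustrative pre-commit hook (added example, not Jak's code). Assumed layout:
#   .jakfiles   - manifest, one plaintext secret path per line (hypothetical name)
#   .jak/key    - symmetric key file, itself kept out of the repo via .gitignore
# Each listed file is committed only as <path>.enc; the plaintext never enters history.
set -eu

# Succeeds (exit 0) when $1 is a path listed in manifest $2.
is_plaintext_secret() {
  grep -Fxq -- "$1" "$2"
}

# Encrypt $1 to $1.enc with the key in $2 (AES-256-CBC, PBKDF2-derived key, random salt).
encrypt_secret() {
  openssl enc -aes-256-cbc -pbkdf2 -salt -in "$1" -out "$1.enc" -pass "file:$2"
}

# Decrypt ciphertext $1 into $2 with the key in $3 (what a collaborator runs after pull).
decrypt_secret() {
  openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -out "$2" -pass "file:$3"
}

# For one staged path: leave normal files alone; swap a listed secret for its ciphertext.
process_staged() {
  path=$1; manifest=$2; keyfile=$3
  is_plaintext_secret "$path" "$manifest" || return 0
  if [ ! -r "$keyfile" ]; then
    echo "pre-commit: $path is a secret but key file $keyfile is missing; aborting" >&2
    exit 1
  fi
  encrypt_secret "$path" "$keyfile"
  git rm --cached --quiet -- "$path"     # unstage the plaintext (working copy stays)
  git add -- "$path.enc"                 # stage the ciphertext in its place
  echo "pre-commit: replaced $path with $path.enc in the index" >&2
}

# Entry point only when installed as .git/hooks/pre-commit; inert when sourced elsewhere.
case "$(basename "$0")" in
  pre-commit)
    [ -f .jakfiles ] || exit 0
    git diff --cached --name-only --diff-filter=ACM | while IFS= read -r path; do
      process_staged "$path" .jakfiles "${JAK_KEY_FILE:-.jak/key}"
    done ;;
esac
```

The plaintext paths in the manifest should also be listed in `.gitignore`, so a commit made with `--no-verify` still cannot pick them up.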

Chris DiLorenzo

Chris DiLorenzo is an Engineering Lead at Dispel. A graduate of Uppsala University (M.Sc.), Chris started his career as a sociotechnical systems engineer and researcher at Saab Aeronautics. Today, he has taken his skills as a software developer and scientist and is applying them toward entrepreneurship: first becoming Chief Technology Officer at prominent New York startup TripleMint and now leading engineering at the cyberdefense firm Dispel. There, he spends most of his time incubating new technology ideas; advising clients, universities, and fellow technologists in developing minimum viable products; and strategizing around encryption, interface design, user experience, and digital platforms.

