Track 08 — Cryptography, PKI & Secrets

The trust layer of everything. Go beyond the Foundations primer into applied cryptography, PKI, secrets management, and email authentication — and how to audit them.

What you'll be able to do

  • Choose and use the right primitive, and recognise when one is misused.
  • Run and reason about TLS and a certificate chain end to end.
  • Manage secrets properly and hunt for leaked ones.
  • Audit email authentication and applied-crypto failures.

Modules

#  | Module                                  | What you'll learn                                                  | OSS tools
-- | --------------------------------------- | ------------------------------------------------------------------ | -------------------------
01 | Primitives in Practice                  | What each guarantees — and doesn't                                 | openssl
02 | Symmetric & AEAD                        | AES, modes, and authenticated encryption                           | openssl
03 | Asymmetric & Key Exchange               | RSA/EC, Diffie-Hellman, key agreement                              | openssl
04 | Hashing, MACs & Passwords               | Integrity, HMAC, and password storage                              | openssl, argon2
05 | TLS Deep Dive                           | The handshake, ciphers, and inspection                             | openssl, testssl.sh
06 | PKI & Certificate Management            | CAs, chains, revocation, and issuance                              | step-ca, openssl
07 | Secrets Management                      | Storing and brokering secrets properly                             | vault, sops
08 | Secret Detection & Leakage              | Finding credentials in code and history                            | gitleaks, trufflehog
09 | Email Authentication                    | SPF, DKIM, and DMARC in practice                                   | dig, openssl
10 | Auditing Applied-Crypto Failures        | Spotting the real-world mistakes                                   | testssl.sh
11 | Post-Quantum & Crypto-Agility Migration | Migrating to hybrid PQC key exchange, proven by handshake capture  | openssl 3.5, oqs-provider
12 | Choosing Your Crypto: an ADR            | Making and documenting a defensible crypto decision                | openssl

Phases & projects

The twelve modules run in four phases; each ends in a project that integrates its modules (a phase is the substantial, standalone unit — a single module is a few hours).

  • Phase 1 · Primitives in your hands (01–04) — Project: a small, tested crypto toolkit that exercises each primitive correctly — AEAD encrypt/decrypt, a key exchange, an HMAC, and password hashing with argon2 — plus a written note on the misuse each one invites (ECB, nonce reuse, fast hashes for passwords).
  • Phase 2 · TLS & PKI (05–06) — Project: run a private CA with step-ca, issue and chain a certificate, stand up a TLS service, then scan it with testssl.sh and explain every handshake step and cipher decision the scan reports.
  • Phase 3 · Secrets & applied audit (07–10) — Project: the track capstone — audit a small system's full crypto posture (TLS config, cert hygiene, secrets handling, SPF/DKIM/DMARC), hunt for leaked credentials, fix each finding, and re-test — delivering the before/after audit report.
  • Phase 4 · Migration & decisions (11–12) — Project: migrate a service to hybrid post-quantum key exchange and prove it with before/after handshake captures, then write the architecture decision record (ADR) that justifies each crypto choice against current standards.

Prerequisites

Complete Track 00 — Foundations (module 09 — Cryptography Basics).

Capstone

Audit a small system's crypto posture: TLS configuration, certificate hygiene, secrets handling, and SPF/DKIM/DMARC — then fix each finding and re-test. Deliverable: the audit report with before/after evidence.

The starter scaffold and acceptance checks live in plaintext-labs/cryptography/capstone/.

Capstone rubric

Audit the whole crypto posture, fix each finding, and re-test to prove the fix. Proficient is the bar to ship.

Dimension           | Developing                         | Proficient                                                                         | Exemplary
------------------- | ---------------------------------- | ---------------------------------------------------------------------------------- | -----------------------------------------------------------------------------------------------------
TLS configuration   | Ran testssl.sh, didn't interpret   | Weak protocols/ciphers identified and explained, with the standard each violates   | Re-tested after the fix; cites RFC 8446 / current NIST guidance for each decision
Certificate hygiene | Checked expiry only                | Chain, key strength, SAN, and revocation reviewed against RFC 5280                 | Issuance/renewal automated (step-ca/ACME); short-lived certs or rotation demonstrated
Secrets handling    | Found a secret, no remediation     | Leaked/poorly-stored secrets found and moved to proper storage (Vault/SOPS)        | History scrubbed, rotation done, detection wired to prevent recurrence
Email auth          | Checked one of SPF/DKIM/DMARC      | SPF, DKIM, and DMARC all assessed with the policy gaps named                       | Recommends an enforce-mode rollout path with the risk of each step
Audit report        | Findings without before/after      | Each finding has evidence, a fix, and a re-test proving it                         | Severity-ranked, tool output attached, no "trust me" — every claim has a test behind it

AI & automation

Crypto is where confident-but-wrong AI advice is dangerous — models suggest broken modes and deprecated ciphers. Use AI to explain and to draft audit tooling, then verify every recommendation against current standards and the actual configuration. Trust the test output, not the model's assurance.

Standards & further reading

  • RFC 8446 (TLS 1.3) and RFC 5280 (X.509/PKI)
  • NIST SP 800-175B and SP 800-57 (key management)
  • RFCs 7208/6376/7489 (SPF/DKIM/DMARC)
  • OWASP Cryptographic Storage Cheat Sheet
