Upgrade to Pro — share decks privately, control downloads, hide ads and more …

HashiCorp Vault

Heraud Kevin
July 06, 2017
Technology
0
15

HashiCorp Vault

Heraud Kevin

July 06, 2017
Tweet

More Decks by Heraud Kevin

See All by Heraud Kevin
WebAssembly
aicfr
0
38
Cross Browser Testing
aicfr
0
15
Certificate pinning
aicfr
0
37
Frida : Dynamic instrumentation toolkit
aicfr
0
16
GraphQL
aicfr
0
6
Serverless
aicfr
0
10
Hyperledger Composer
aicfr
0
12
HashiCorp Consul
aicfr
0
13
CDI
aicfr
0
23

Other Decks in Technology

See All in Technology
うまくいく! を実現するための質問力 / It works! The Power of Questions to Make It Happen
bitkey
PRO
1
200
IVRyエンジニア忘年LT大会2024 クリティカルユーザージャーニーの整理
abnoumaru
0
140
kargoの魅力について伝える
magisystem0408
0
110
ABEMA スマートテレビアプリケーションのパフォーマンス改善 〜業界トップクラスを目指して〜 / Performance Improvements on ABEMA Smart TV App
nodaguti
0
250
データパイプラインをなんとかした話 / Improving the Data Pipeline in IVRy
mirakui
0
230
Ruby on Browser - RubyWorld Conference 2024
tmtms
1
120
AIのコンプラは何故しんどい?
shujisado
1
110
問題を認識して解決できる人は何でもできる
i999rri
0
120
WernerVogelsのKeynoteで語られた6つの教訓とOps
hatahata021
1
210
B10-ひと目でわかる(といいなぁ)Microsoft Purview
seafay
PRO
0
660
プロダクトの爆速開発を支える、 「作らない・削る・尖らせる」技術
applism118
10
9.3k
tokyo_re_Growth2024_yoshi
yoshi22
0
120

Featured

See All Featured
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
A Philosophy of Restraint
colly
203
16k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
The Cost Of JavaScript in 2023
addyosmani
45
6.9k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
How STYLIGHT went responsive
nonsquared
95
5.2k
A Tale of Four Properties
chriscoyier
157
23k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Optimising Largest Contentful Paint
csswizardry
33
3k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k

Transcript

  1. A Tool for Managing Secrets

  2. Provision, secure, and run any infrastructure for any application.

  3. DB Credentials (MySQL, Hazelcast) Keystore password (P12, JKS) Keystore (private

    key) Acces Keys (Tokenizer, OAuth2) Encryption Keys (AES) …
  4. None
  5. None

  6. Secret Backends Storage Backends Auth Backends Audit Backends Telemetery

  7. Les secrets dans une application • Où sont-ils stockés ?

    – Fichiers « properties » – BDD – … • Comment gérer leurs cycles de vie ? – Renouvellement – Bail – Révocation – … • Qui doit les gérer ? • Comment mon application y accède ?

  8. Les enjeux liés à Vault • Unseal/seal • Authentification (token,

    login/passwd, github, …) • Génération des « unseal keys » – Shamir's Secret Sharing – PGP / Keybase.io – ? • Gestion des « Policy » • Génération des « tokens » utilisateurs • Wrap/unwrap • HSM (premium) • … Shamir's Secret Sharing

  9. Comment accéder à Vault ? • CLI • HTTP API

    • envconsul/consul-template • Ansible, Chef, … • docker-volume-libsecret • Client – Java, Spring Cloud, Scala – Go – Python – …

  10. mount generic

  11. $ vault write secret/app/key iauth.key_iauth=a8Y3IHgVCoj7AmUA Success! Data written to: secret/app/key

    --- $ vault read secret/app/key iauth.key_iauth a8Y3IHgVCoj7AmUA --- $ vault read -wrap-ttl=10m secret/app/key wrapping_token: 19f11fee-c184-b218-6595-f58e87cad175 --- $ vault unwrap 19f11fee-c184-b218-6595-f58e87cad175 iauth.key_iauth a8Y3IHgVCoj7AmUA
  12. None

  13. mount mysql deprecated mount database beta Dynamic secrets or secrets

    on-demand

  14. Combien de fois change-t-on le mot de passe d’une base

    de données dans la vie d’une application ?
  15. None

  16. mount pki

  17. ITA Root CA ITA Intermediate CA vault.ita.rocks PKI = Ensemble

    de composants physiques, de procédures et d’application en vue de gérer le cycle de vie des certificats
  18. None

  19. #MAUVAISEFOI

  20. None

  21. OpenSSL> openssl req -new -config etc/root-ca.conf -out ca/root- ca.csr -keyout

    ca/root-ca/private/root-ca.key openssl ca -selfsign -config etc/root-ca.conf -in ca/root- ca.csr -out ca/root-ca.crt -extensions root_ca_ext openssl req -new -config etc/signing-ca.conf -out ca/signing-ca.csr -keyout ca/signing-ca/private/signing- ca.key openssl ca -config etc/root-ca.conf -in ca/signing-ca.csr - out ca/signing-ca.crt -extensions signing_ca_ext openssl req -new -config etc/server.conf -out certs/simple.org.csr -keyout certs/simple.org.key openssl ca -config etc/signing-ca.conf -in certs/simple.org.csr -out certs/simple.org.crt -extensions server_ext

  22. KeyStore Explorer google/easypki keytool

  23. None

  24. HTTP API • Gestion des AC • Gestion des rôles

    : – DN – TTL – Ext / Key usage (server auth, client auth, code signing, email protection, digital signature, data encipherment, …) – … • Gestion du cycle de vie des certificats • Gestion de la CRL
  25. None

  26. mount transit CaaS : Cryptography as a service

  27. Gestion des clés (aes, ecdsa, eddsa) Chiffrement / Déchiffrement Génération

    d’aléas Génération de hash (SHA256, SHA512, …) Génération de HMAC Signature / Validation

  28. $ vault write -f transit/keys/foo Success! Data written to: transit/keys/foo

    --- echo -n "LTDJ #70 : Vault" | base64 | vault write transit/encrypt/foo plaintext=- ciphertext vault:v1:N2BO36PLZ3…Beyt/LEj2MLo= --- vault write transit/decrypt/foo ciphertext=vault:v1:N2BO36PLZ3…Beyt/LEj2MLo= plaintext TFRESiAjNzAgOiBWYXVsdA== --- echo "TFRESiAjNzAgOiBWYXVsdA==" | base64 -d LTDJ #70 : Vault

  29. Alternatives • Keywhiz (square) • Conjur • Docker secrets (swarm)

    • Kubernetes secrets • AWS Key Management Service • Cloud Key Management (Google Cloud Plateform) • Azure Key Vault • …

  30. AVANT JE STOCKAIS MES MOTS DE PASSE EN CLAIR