Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
HashiCorp Vault
Search
Heraud Kevin
July 06, 2017
Technology
24
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
HashiCorp Vault
Heraud Kevin
July 06, 2017
More Decks by Heraud Kevin
See All by Heraud Kevin
WebAssembly
aicfr
0
46
Cross Browser Testing
aicfr
0
25
Certificate pinning
aicfr
0
46
Frida : Dynamic instrumentation toolkit
aicfr
0
25
GraphQL
aicfr
0
14
Serverless
aicfr
0
17
Hyperledger Composer
aicfr
0
17
HashiCorp Consul
aicfr
0
19
CDI
aicfr
0
29
Other Decks in Technology
See All in Technology
AIネイティブな開発のサプライチェーンリスク対策 〜激動の開発現場でリスクに立ち向かう〜【ZennFes】
cscengineer
PRO
2
110
あなたの AI ワークスペースに、 専門コーダーを連れてくる - Amazon Quick Desktop 最新情報
kawaji_scratch
1
130
【Cyber-sec+】経営層を"動かす"ための考え方
hssh2_bin
0
170
攻撃者視点で考えるDetection Engineering
cryptopeg
2
1.6k
気づかぬうちにセキュリティ負債を生むAPIキー運用
sgwrmctk
0
120
連合学習と機密コンピューティング
lycorptech_jp
PRO
0
110
現地で盛り上がった WWDC26 Keynote
zozotech
PRO
1
230
非定型業務をAI slackbotで自動化する ~ 社内要望を自動壁打ちするbotを作った ~/automating-ad-hoc-work-with-ai-slackbot
shibayu36
0
640
AIっぽい文章を採点して人間らしく直すアプリを作ってみた
yama3133
2
140
Disciplined Vibes: Scaling AI-Assisted Engineering
sheharyar
0
140
AIの性能が向上しても未解決な組織の重大問題は何か?/An Unsolved Organizational Problem in the Age of AI
moriyuya
4
650
AWSシリコン最前線 〜AI時代のチップ選択を読み解く〜
htokoyo
2
560
Featured
See All Featured
How to Get Subject Matter Experts Bought In and Actively Contributing to SEO & PR Initiatives.
livdayseo
0
140
Accessibility Awareness
sabderemane
1
140
Exploring anti-patterns in Rails
aemeredith
3
410
Rails Girls Zürich Keynote
gr2m
96
14k
Building Applications with DynamoDB
mza
96
7.1k
Tips & Tricks on How to Get Your First Job In Tech
honzajavorek
1
540
AI: The stuff that nobody shows you
jnunemaker
PRO
8
710
Faster Mobile Websites
deanohume
310
31k
Building a A Zero-Code AI SEO Workflow
portentint
PRO
0
580
Lessons Learnt from Crawling 1000+ Websites
charlesmeaden
PRO
1
1.3k
Unlocking the hidden potential of vector embeddings in international SEO
frankvandijk
0
840
Lightning Talk: Beautiful Slides for Beginners
inesmontani
PRO
2
570
Transcript
A Tool for Managing Secrets
Provision, secure, and run any infrastructure for any application.
DB Credentials (MySQL, Hazelcast) Keystore password (P12, JKS) Keystore (private
key) Acces Keys (Tokenizer, OAuth2) Encryption Keys (AES) …
None
None
Secret Backends Storage Backends Auth Backends Audit Backends Telemetery
Les secrets dans une application • Où sont-ils stockés ?
– Fichiers « properties » – BDD – … • Comment gérer leurs cycles de vie ? – Renouvellement – Bail – Révocation – … • Qui doit les gérer ? • Comment mon application y accède ?
Les enjeux liés à Vault • Unseal/seal • Authentification (token,
login/passwd, github, …) • Génération des « unseal keys » – Shamir's Secret Sharing – PGP / Keybase.io – ? • Gestion des « Policy » • Génération des « tokens » utilisateurs • Wrap/unwrap • HSM (premium) • … Shamir's Secret Sharing
Comment accéder à Vault ? • CLI • HTTP API
• envconsul/consul-template • Ansible, Chef, … • docker-volume-libsecret • Client – Java, Spring Cloud, Scala – Go – Python – …
mount generic
$ vault write secret/app/key iauth.key_iauth=a8Y3IHgVCoj7AmUA Success! Data written to: secret/app/key
--- $ vault read secret/app/key iauth.key_iauth a8Y3IHgVCoj7AmUA --- $ vault read -wrap-ttl=10m secret/app/key wrapping_token: 19f11fee-c184-b218-6595-f58e87cad175 --- $ vault unwrap 19f11fee-c184-b218-6595-f58e87cad175 iauth.key_iauth a8Y3IHgVCoj7AmUA
None
mount mysql deprecated mount database beta Dynamic secrets or secrets
on-demand
Combien de fois change-t-on le mot de passe d’une base
de données dans la vie d’une application ?
None
mount pki
ITA Root CA ITA Intermediate CA vault.ita.rocks PKI = Ensemble
de composants physiques, de procédures et d’application en vue de gérer le cycle de vie des certificats
None
#MAUVAISEFOI
None
OpenSSL> openssl req -new -config etc/root-ca.conf -out ca/root- ca.csr -keyout
ca/root-ca/private/root-ca.key openssl ca -selfsign -config etc/root-ca.conf -in ca/root- ca.csr -out ca/root-ca.crt -extensions root_ca_ext openssl req -new -config etc/signing-ca.conf -out ca/signing-ca.csr -keyout ca/signing-ca/private/signing- ca.key openssl ca -config etc/root-ca.conf -in ca/signing-ca.csr - out ca/signing-ca.crt -extensions signing_ca_ext openssl req -new -config etc/server.conf -out certs/simple.org.csr -keyout certs/simple.org.key openssl ca -config etc/signing-ca.conf -in certs/simple.org.csr -out certs/simple.org.crt -extensions server_ext
KeyStore Explorer google/easypki keytool
None
HTTP API • Gestion des AC • Gestion des rôles
: – DN – TTL – Ext / Key usage (server auth, client auth, code signing, email protection, digital signature, data encipherment, …) – … • Gestion du cycle de vie des certificats • Gestion de la CRL
None
mount transit CaaS : Cryptography as a service
Gestion des clés (aes, ecdsa, eddsa) Chiffrement / Déchiffrement Génération
d’aléas Génération de hash (SHA256, SHA512, …) Génération de HMAC Signature / Validation
$ vault write -f transit/keys/foo Success! Data written to: transit/keys/foo
--- echo -n "LTDJ #70 : Vault" | base64 | vault write transit/encrypt/foo plaintext=- ciphertext vault:v1:N2BO36PLZ3…Beyt/LEj2MLo= --- vault write transit/decrypt/foo ciphertext=vault:v1:N2BO36PLZ3…Beyt/LEj2MLo= plaintext TFRESiAjNzAgOiBWYXVsdA== --- echo "TFRESiAjNzAgOiBWYXVsdA==" | base64 -d LTDJ #70 : Vault
Alternatives • Keywhiz (square) • Conjur • Docker secrets (swarm)
• Kubernetes secrets • AWS Key Management Service • Cloud Key Management (Google Cloud Plateform) • Azure Key Vault • …
AVANT JE STOCKAIS MES MOTS DE PASSE EN CLAIR
aicfr
cscengineer
kawaji_scratch
hssh2_bin
cryptopeg
sgwrmctk
lycorptech_jp
zozotech
shibayu36
yama3133
sheharyar
moriyuya
htokoyo
livdayseo
sabderemane
aemeredith
gr2m
mza
honzajavorek
jnunemaker
deanohume
portentint
charlesmeaden
frankvandijk
inesmontani
