Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
HashiCorp Vault
Search
Heraud Kevin
July 06, 2017
Technology
0
17
HashiCorp Vault
Heraud Kevin
July 06, 2017
Tweet
Share
More Decks by Heraud Kevin
See All by Heraud Kevin
WebAssembly
aicfr
0
40
Cross Browser Testing
aicfr
0
18
Certificate pinning
aicfr
0
40
Frida : Dynamic instrumentation toolkit
aicfr
0
17
GraphQL
aicfr
0
8
Serverless
aicfr
0
12
Hyperledger Composer
aicfr
0
13
HashiCorp Consul
aicfr
0
14
CDI
aicfr
0
24
Other Decks in Technology
See All in Technology
非CUDAの悲哀 〜Claude Code と挑んだ image to 3D “Hunyuan3D”を EVO-X2(Ryzen AI Max+395)で動作させるチャレンジ〜
hawkymisc
2
200
AI駆動開発の実践とその未来
eltociear
0
120
子育てで想像してなかった「見えないダメージ」 / Unforeseen "hidden burdens" of raising children.
pauli
2
220
Kiro Autonomous AgentとKiro Powers の紹介 / kiro-autonomous-agent-and-powers
tomoki10
0
530
たまに起きる外部サービスの障害に備えたり備えなかったりする話
egmc
0
190
Haskell を武器にして挑む競技プログラミング ─ 操作的思考から意味モデル思考へ
naoya
6
1.6k
ExpoのインダストリーブースでみたAWSが見せる製造業の未来
hamadakoji
0
140
re:Invent2025 コンテナ系アップデート振り返り(+CloudWatchログのアップデート紹介)
masukawa
0
390
30分であなたをOmniのファンにしてみせます~分析画面のクリック操作をそのままコード化できるAI-ReadyなBIツール~
sagara
0
180
シニアソフトウェアエンジニアになるためには
kworkdev
PRO
3
170
会社紹介資料 / Sansan Company Profile
sansan33
PRO
11
390k
Database イノベーショントークを振り返る/reinvent-2025-database-innovation-talk-recap
emiki
0
220
Featured
See All Featured
Scaling GitHub
holman
464
140k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
35
2.3k
Java REST API Framework Comparison - PWX 2021
mraible
34
9k
Navigating Team Friction
lara
191
16k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
54k
A Tale of Four Properties
chriscoyier
162
23k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
359
30k
Large-scale JavaScript Application Architecture
addyosmani
515
110k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
710
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
16k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Making Projects Easy
brettharned
120
6.5k
Transcript
A Tool for Managing Secrets
Provision, secure, and run any infrastructure for any application.
DB Credentials (MySQL, Hazelcast) Keystore password (P12, JKS) Keystore (private
key) Acces Keys (Tokenizer, OAuth2) Encryption Keys (AES) …
None
None
Secret Backends Storage Backends Auth Backends Audit Backends Telemetery
Les secrets dans une application • Où sont-ils stockés ?
– Fichiers « properties » – BDD – … • Comment gérer leurs cycles de vie ? – Renouvellement – Bail – Révocation – … • Qui doit les gérer ? • Comment mon application y accède ?
Les enjeux liés à Vault • Unseal/seal • Authentification (token,
login/passwd, github, …) • Génération des « unseal keys » – Shamir's Secret Sharing – PGP / Keybase.io – ? • Gestion des « Policy » • Génération des « tokens » utilisateurs • Wrap/unwrap • HSM (premium) • … Shamir's Secret Sharing
Comment accéder à Vault ? • CLI • HTTP API
• envconsul/consul-template • Ansible, Chef, … • docker-volume-libsecret • Client – Java, Spring Cloud, Scala – Go – Python – …
mount generic
$ vault write secret/app/key iauth.key_iauth=a8Y3IHgVCoj7AmUA Success! Data written to: secret/app/key
--- $ vault read secret/app/key iauth.key_iauth a8Y3IHgVCoj7AmUA --- $ vault read -wrap-ttl=10m secret/app/key wrapping_token: 19f11fee-c184-b218-6595-f58e87cad175 --- $ vault unwrap 19f11fee-c184-b218-6595-f58e87cad175 iauth.key_iauth a8Y3IHgVCoj7AmUA
None
mount mysql deprecated mount database beta Dynamic secrets or secrets
on-demand
Combien de fois change-t-on le mot de passe d’une base
de données dans la vie d’une application ?
None
mount pki
ITA Root CA ITA Intermediate CA vault.ita.rocks PKI = Ensemble
de composants physiques, de procédures et d’application en vue de gérer le cycle de vie des certificats
None
#MAUVAISEFOI
None
OpenSSL> openssl req -new -config etc/root-ca.conf -out ca/root- ca.csr -keyout
ca/root-ca/private/root-ca.key openssl ca -selfsign -config etc/root-ca.conf -in ca/root- ca.csr -out ca/root-ca.crt -extensions root_ca_ext openssl req -new -config etc/signing-ca.conf -out ca/signing-ca.csr -keyout ca/signing-ca/private/signing- ca.key openssl ca -config etc/root-ca.conf -in ca/signing-ca.csr - out ca/signing-ca.crt -extensions signing_ca_ext openssl req -new -config etc/server.conf -out certs/simple.org.csr -keyout certs/simple.org.key openssl ca -config etc/signing-ca.conf -in certs/simple.org.csr -out certs/simple.org.crt -extensions server_ext
KeyStore Explorer google/easypki keytool
None
HTTP API • Gestion des AC • Gestion des rôles
: – DN – TTL – Ext / Key usage (server auth, client auth, code signing, email protection, digital signature, data encipherment, …) – … • Gestion du cycle de vie des certificats • Gestion de la CRL
None
mount transit CaaS : Cryptography as a service
Gestion des clés (aes, ecdsa, eddsa) Chiffrement / Déchiffrement Génération
d’aléas Génération de hash (SHA256, SHA512, …) Génération de HMAC Signature / Validation
$ vault write -f transit/keys/foo Success! Data written to: transit/keys/foo
--- echo -n "LTDJ #70 : Vault" | base64 | vault write transit/encrypt/foo plaintext=- ciphertext vault:v1:N2BO36PLZ3…Beyt/LEj2MLo= --- vault write transit/decrypt/foo ciphertext=vault:v1:N2BO36PLZ3…Beyt/LEj2MLo= plaintext TFRESiAjNzAgOiBWYXVsdA== --- echo "TFRESiAjNzAgOiBWYXVsdA==" | base64 -d LTDJ #70 : Vault
Alternatives • Keywhiz (square) • Conjur • Docker secrets (swarm)
• Kubernetes secrets • AWS Key Management Service • Cloud Key Management (Google Cloud Plateform) • Azure Key Vault • …
AVANT JE STOCKAIS MES MOTS DE PASSE EN CLAIR
aicfr
hawkymisc
eltociear
pauli
tomoki10
egmc
naoya
hamadakoji
masukawa
sagara
kworkdev
sansan33
emiki
holman
marcduiker
mraible
lara
destraynor
chriscoyier
bermonpainter
addyosmani
bluesmoon
sstephenson
marcelosomers
brettharned
