Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
HashiCorp Vault
Search
Heraud Kevin
July 06, 2017
Technology
20
0
Share
HashiCorp Vault
Heraud Kevin
July 06, 2017
More Decks by Heraud Kevin
See All by Heraud Kevin
WebAssembly
aicfr
0
42
Cross Browser Testing
aicfr
0
22
Certificate pinning
aicfr
0
43
Frida : Dynamic instrumentation toolkit
aicfr
0
21
GraphQL
aicfr
0
11
Serverless
aicfr
0
15
Hyperledger Composer
aicfr
0
15
HashiCorp Consul
aicfr
0
17
CDI
aicfr
0
26
Other Decks in Technology
See All in Technology
独断と偏見で試してみる、 シングル or マルチエージェント どっちがいいの?
shichijoyuhi
1
110
基盤を育てる 外部SaaS連携の運用
gamonges_dresscode
1
120
レビューしきれない?それは「全て人力でのレビュー」だからではないでしょうか
amixedcolor
0
340
Keeping Ruby Running on Cygwin
fd0
0
170
スクラムの中で AI-DLC workflow を 使い始めて3ヶ月の振り返り
kaminashi
0
110
エージェントスキルを作って自分のインプットに役立てよう
tsubakimoto_s
0
420
Oracle AI Database@AWS:サービス概要のご紹介
oracle4engineer
PRO
4
2.4k
MLOps導入のための組織作りの第一歩
akasan
0
340
AIコーディング時代における、ソフトウェアサプライチェーン攻撃に対する防衛術(簡易版)
soysoysoyb
0
110
[OAWTT26][THR1028] Oracle AI Database 26ai へのアップグレード:ベストプラクティスと最新情報
oracle4engineer
PRO
1
110
20260428_Product Management Summit_Loglass_JoeHirose
loglassjoe
2
2.8k
プラットフォームエンジニアリングの実践 - AWS コンテナサービスで構築する社内プラットフォーム / AWS Containers Platform Meetup #1
literalice
1
210
Featured
See All Featured
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
10
1.1k
Keith and Marios Guide to Fast Websites
keithpitt
413
23k
How to build an LLM SEO readiness audit: a practical framework
nmsamuel
1
720
Jess Joyce - The Pitfalls of Following Frameworks
techseoconnect
PRO
1
140
Why You Should Never Use an ORM
jnunemaker
PRO
61
9.8k
世界の人気アプリ100個を分析して見えたペイウォール設計の心得
akihiro_kokubo
PRO
69
39k
Paper Plane
katiecoart
PRO
1
49k
Pawsitive SEO: Lessons from My Dog (and Many Mistakes) on Thriving as a Consultant in the Age of AI
davidcarrasco
0
120
Design in an AI World
tapps
1
200
Into the Great Unknown - MozCon
thekraken
41
2.4k
Side Projects
sachag
455
43k
New Earth Scene 8
popppiees
3
2.1k
Transcript
A Tool for Managing Secrets
Provision, secure, and run any infrastructure for any application.
DB Credentials (MySQL, Hazelcast) Keystore password (P12, JKS) Keystore (private
key) Acces Keys (Tokenizer, OAuth2) Encryption Keys (AES) …
None
None
Secret Backends Storage Backends Auth Backends Audit Backends Telemetery
Les secrets dans une application • Où sont-ils stockés ?
– Fichiers « properties » – BDD – … • Comment gérer leurs cycles de vie ? – Renouvellement – Bail – Révocation – … • Qui doit les gérer ? • Comment mon application y accède ?
Les enjeux liés à Vault • Unseal/seal • Authentification (token,
login/passwd, github, …) • Génération des « unseal keys » – Shamir's Secret Sharing – PGP / Keybase.io – ? • Gestion des « Policy » • Génération des « tokens » utilisateurs • Wrap/unwrap • HSM (premium) • … Shamir's Secret Sharing
Comment accéder à Vault ? • CLI • HTTP API
• envconsul/consul-template • Ansible, Chef, … • docker-volume-libsecret • Client – Java, Spring Cloud, Scala – Go – Python – …
mount generic
$ vault write secret/app/key iauth.key_iauth=a8Y3IHgVCoj7AmUA Success! Data written to: secret/app/key
--- $ vault read secret/app/key iauth.key_iauth a8Y3IHgVCoj7AmUA --- $ vault read -wrap-ttl=10m secret/app/key wrapping_token: 19f11fee-c184-b218-6595-f58e87cad175 --- $ vault unwrap 19f11fee-c184-b218-6595-f58e87cad175 iauth.key_iauth a8Y3IHgVCoj7AmUA
None
mount mysql deprecated mount database beta Dynamic secrets or secrets
on-demand
Combien de fois change-t-on le mot de passe d’une base
de données dans la vie d’une application ?
None
mount pki
ITA Root CA ITA Intermediate CA vault.ita.rocks PKI = Ensemble
de composants physiques, de procédures et d’application en vue de gérer le cycle de vie des certificats
None
#MAUVAISEFOI
None
OpenSSL> openssl req -new -config etc/root-ca.conf -out ca/root- ca.csr -keyout
ca/root-ca/private/root-ca.key openssl ca -selfsign -config etc/root-ca.conf -in ca/root- ca.csr -out ca/root-ca.crt -extensions root_ca_ext openssl req -new -config etc/signing-ca.conf -out ca/signing-ca.csr -keyout ca/signing-ca/private/signing- ca.key openssl ca -config etc/root-ca.conf -in ca/signing-ca.csr - out ca/signing-ca.crt -extensions signing_ca_ext openssl req -new -config etc/server.conf -out certs/simple.org.csr -keyout certs/simple.org.key openssl ca -config etc/signing-ca.conf -in certs/simple.org.csr -out certs/simple.org.crt -extensions server_ext
KeyStore Explorer google/easypki keytool
None
HTTP API • Gestion des AC • Gestion des rôles
: – DN – TTL – Ext / Key usage (server auth, client auth, code signing, email protection, digital signature, data encipherment, …) – … • Gestion du cycle de vie des certificats • Gestion de la CRL
None
mount transit CaaS : Cryptography as a service
Gestion des clés (aes, ecdsa, eddsa) Chiffrement / Déchiffrement Génération
d’aléas Génération de hash (SHA256, SHA512, …) Génération de HMAC Signature / Validation
$ vault write -f transit/keys/foo Success! Data written to: transit/keys/foo
--- echo -n "LTDJ #70 : Vault" | base64 | vault write transit/encrypt/foo plaintext=- ciphertext vault:v1:N2BO36PLZ3…Beyt/LEj2MLo= --- vault write transit/decrypt/foo ciphertext=vault:v1:N2BO36PLZ3…Beyt/LEj2MLo= plaintext TFRESiAjNzAgOiBWYXVsdA== --- echo "TFRESiAjNzAgOiBWYXVsdA==" | base64 -d LTDJ #70 : Vault
Alternatives • Keywhiz (square) • Conjur • Docker secrets (swarm)
• Kubernetes secrets • AWS Key Management Service • Cloud Key Management (Google Cloud Plateform) • Azure Key Vault • …
AVANT JE STOCKAIS MES MOTS DE PASSE EN CLAIR
aicfr
shichijoyuhi
gamonges_dresscode
amixedcolor
fd0
kaminashi
tsubakimoto_s
oracle4engineer
akasan
soysoysoyb
loglassjoe
literalice
addyosmani
keithpitt
nmsamuel
techseoconnect
jnunemaker
akihiro_kokubo
katiecoart
davidcarrasco
tapps
thekraken
sachag
popppiees
