Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
HashiCorp Vault
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Heraud Kevin
July 06, 2017
Technology
21
0
Share
HashiCorp Vault
Heraud Kevin
July 06, 2017
More Decks by Heraud Kevin
See All by Heraud Kevin
WebAssembly
aicfr
0
44
Cross Browser Testing
aicfr
0
23
Certificate pinning
aicfr
0
44
Frida : Dynamic instrumentation toolkit
aicfr
0
23
GraphQL
aicfr
0
13
Serverless
aicfr
0
16
Hyperledger Composer
aicfr
0
16
HashiCorp Consul
aicfr
0
18
CDI
aicfr
0
28
Other Decks in Technology
See All in Technology
可視化から活用へ — Mesh化・Segmentation・アライメントの研究動向
gpuunite_official
0
230
「強制アップデート」か「チームの自律」か?エンタープライズが辿り着いたプラットフォームのハイブリッド運用/cloudnative-kaigi-hybrid-platform-operations
mhrtech
0
210
サプライチェーン攻撃への備えについて考えている #湘なんか
stefafafan
1
800
マンション備え付けのネットワークとLTE回線を組み合わせた ネットワークの安定化の考案
harutiro
1
140
セキュリティ対策、何からはじめる? CloudNative環境の脅威モデリングと リスク評価実践入門 #cloudnativekaigi
varu3
5
1k
Gaussian Splattingの表現力を拡張する — 高周波再構成とインタラクションへのアプローチ —
gpuunite_official
0
190
"スキルファースト"で作る、AIの自走環境
subroh0508
0
610
React Compiler導入の効果と運用の工夫
kakehashi
PRO
3
280
Terragrunt x Snowflake + dbt で作るマルチテナントなデータ基盤構築プラットフォーム
gak_t12
0
470
React Compiler導入から21ヶ月、いま始めるならこうやる
astatsuya
2
270
AIのために、AIを使った、Effect-TSからの脱却 〜テストを活用した安全なリファクタリングの進め方〜
bitkey
PRO
0
120
GCASアップデート(202603-202605)
techniczna
0
220
Featured
See All Featured
Why Our Code Smells
bkeepers
PRO
340
58k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.7k
How STYLIGHT went responsive
nonsquared
100
6.1k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
46
2.8k
A Tale of Four Properties
chriscoyier
163
24k
Done Done
chrislema
186
16k
The State of eCommerce SEO: How to Win in Today's Products SERPs - #SEOweek
aleyda
2
10k
How to Think Like a Performance Engineer
csswizardry
28
2.6k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
820
Ruling the World: When Life Gets Gamed
codingconduct
0
230
The innovator’s Mindset - Leading Through an Era of Exponential Change - McGill University 2025
jdejongh
PRO
1
170
New Earth Scene 8
popppiees
3
2.2k
Transcript
A Tool for Managing Secrets
Provision, secure, and run any infrastructure for any application.
DB Credentials (MySQL, Hazelcast) Keystore password (P12, JKS) Keystore (private
key) Acces Keys (Tokenizer, OAuth2) Encryption Keys (AES) …
None
None
Secret Backends Storage Backends Auth Backends Audit Backends Telemetery
Les secrets dans une application • Où sont-ils stockés ?
– Fichiers « properties » – BDD – … • Comment gérer leurs cycles de vie ? – Renouvellement – Bail – Révocation – … • Qui doit les gérer ? • Comment mon application y accède ?
Les enjeux liés à Vault • Unseal/seal • Authentification (token,
login/passwd, github, …) • Génération des « unseal keys » – Shamir's Secret Sharing – PGP / Keybase.io – ? • Gestion des « Policy » • Génération des « tokens » utilisateurs • Wrap/unwrap • HSM (premium) • … Shamir's Secret Sharing
Comment accéder à Vault ? • CLI • HTTP API
• envconsul/consul-template • Ansible, Chef, … • docker-volume-libsecret • Client – Java, Spring Cloud, Scala – Go – Python – …
mount generic
$ vault write secret/app/key iauth.key_iauth=a8Y3IHgVCoj7AmUA Success! Data written to: secret/app/key
--- $ vault read secret/app/key iauth.key_iauth a8Y3IHgVCoj7AmUA --- $ vault read -wrap-ttl=10m secret/app/key wrapping_token: 19f11fee-c184-b218-6595-f58e87cad175 --- $ vault unwrap 19f11fee-c184-b218-6595-f58e87cad175 iauth.key_iauth a8Y3IHgVCoj7AmUA
None
mount mysql deprecated mount database beta Dynamic secrets or secrets
on-demand
Combien de fois change-t-on le mot de passe d’une base
de données dans la vie d’une application ?
None
mount pki
ITA Root CA ITA Intermediate CA vault.ita.rocks PKI = Ensemble
de composants physiques, de procédures et d’application en vue de gérer le cycle de vie des certificats
None
#MAUVAISEFOI
None
OpenSSL> openssl req -new -config etc/root-ca.conf -out ca/root- ca.csr -keyout
ca/root-ca/private/root-ca.key openssl ca -selfsign -config etc/root-ca.conf -in ca/root- ca.csr -out ca/root-ca.crt -extensions root_ca_ext openssl req -new -config etc/signing-ca.conf -out ca/signing-ca.csr -keyout ca/signing-ca/private/signing- ca.key openssl ca -config etc/root-ca.conf -in ca/signing-ca.csr - out ca/signing-ca.crt -extensions signing_ca_ext openssl req -new -config etc/server.conf -out certs/simple.org.csr -keyout certs/simple.org.key openssl ca -config etc/signing-ca.conf -in certs/simple.org.csr -out certs/simple.org.crt -extensions server_ext
KeyStore Explorer google/easypki keytool
None
HTTP API • Gestion des AC • Gestion des rôles
: – DN – TTL – Ext / Key usage (server auth, client auth, code signing, email protection, digital signature, data encipherment, …) – … • Gestion du cycle de vie des certificats • Gestion de la CRL
None
mount transit CaaS : Cryptography as a service
Gestion des clés (aes, ecdsa, eddsa) Chiffrement / Déchiffrement Génération
d’aléas Génération de hash (SHA256, SHA512, …) Génération de HMAC Signature / Validation
$ vault write -f transit/keys/foo Success! Data written to: transit/keys/foo
--- echo -n "LTDJ #70 : Vault" | base64 | vault write transit/encrypt/foo plaintext=- ciphertext vault:v1:N2BO36PLZ3…Beyt/LEj2MLo= --- vault write transit/decrypt/foo ciphertext=vault:v1:N2BO36PLZ3…Beyt/LEj2MLo= plaintext TFRESiAjNzAgOiBWYXVsdA== --- echo "TFRESiAjNzAgOiBWYXVsdA==" | base64 -d LTDJ #70 : Vault
Alternatives • Keywhiz (square) • Conjur • Docker secrets (swarm)
• Kubernetes secrets • AWS Key Management Service • Cloud Key Management (Google Cloud Plateform) • Azure Key Vault • …
AVANT JE STOCKAIS MES MOTS DE PASSE EN CLAIR
aicfr
gpuunite_official
mhrtech
stefafafan
harutiro
varu3
subroh0508
kakehashi
gak_t12
astatsuya
bitkey
techniczna
bkeepers
thoeni
nonsquared
bcantrill
chriscoyier
chrislema
aleyda
csswizardry
bluesmoon
codingconduct
jdejongh
popppiees
