Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
HashiCorp Vault
Search
Heraud Kevin
July 06, 2017
Technology
0
17
HashiCorp Vault
Heraud Kevin
July 06, 2017
Tweet
Share
More Decks by Heraud Kevin
See All by Heraud Kevin
WebAssembly
aicfr
0
40
Cross Browser Testing
aicfr
0
18
Certificate pinning
aicfr
0
41
Frida : Dynamic instrumentation toolkit
aicfr
0
17
GraphQL
aicfr
0
8
Serverless
aicfr
0
12
Hyperledger Composer
aicfr
0
13
HashiCorp Consul
aicfr
0
14
CDI
aicfr
0
24
Other Decks in Technology
See All in Technology
IaaS/SaaS管理における SREの実践 - SRE Kaigi 2026
bbqallstars
4
2.1k
MCPでつなぐElasticsearchとLLM - 深夜の障害対応を楽にしたい / Bridging Elasticsearch and LLMs with MCP
sashimimochi
0
160
こんなところでも(地味に)活躍するImage Modeさんを知ってるかい?- Image Mode for OpenShift -
tsukaman
0
130
インフラエンジニア必見!Kubernetesを用いたクラウドネイティブ設計ポイント大全
daitak
1
350
データの整合性を保ちたいだけなんだ
shoheimitani
8
3.1k
クレジットカード決済基盤を支えるSRE - 厳格な監査とSRE運用の両立 (SRE Kaigi 2026)
capytan
6
2.7k
ZOZOにおけるAI活用の現在 ~開発組織全体での取り組みと試行錯誤~
zozotech
PRO
5
5.2k
配列に見る bash と zsh の違い
kazzpapa3
1
140
名刺メーカーDevグループ 紹介資料
sansan33
PRO
0
1k
ブロックテーマでサイトをリニューアルした話 / 2026-01-31 Kansai WordPress Meetup
torounit
0
460
Ruby版 JSXのRuxが気になる
sansantech
PRO
0
150
SREのプラクティスを用いた3領域同時 マネジメントへの挑戦 〜SRE・情シス・セキュリティを統合した チーム運営術〜
coconala_engineer
2
640
Featured
See All Featured
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
12
1k
How to optimise 3,500 product descriptions for ecommerce in one day using ChatGPT
katarinadahlin
PRO
0
3.4k
Into the Great Unknown - MozCon
thekraken
40
2.3k
The Illustrated Children's Guide to Kubernetes
chrisshort
51
51k
Embracing the Ebb and Flow
colly
88
5k
The Impact of AI in SEO - AI Overviews June 2024 Edition
aleyda
5
730
Making Projects Easy
brettharned
120
6.6k
Agile Leadership in an Agile Organization
kimpetersen
PRO
0
80
Paper Plane (Part 1)
katiecoart
PRO
0
4.1k
The Spectacular Lies of Maps
axbom
PRO
1
520
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
State of Search Keynote: SEO is Dead Long Live SEO
ryanjones
0
120
Transcript
A Tool for Managing Secrets
Provision, secure, and run any infrastructure for any application.
DB Credentials (MySQL, Hazelcast) Keystore password (P12, JKS) Keystore (private
key) Acces Keys (Tokenizer, OAuth2) Encryption Keys (AES) …
None
None
Secret Backends Storage Backends Auth Backends Audit Backends Telemetery
Les secrets dans une application • Où sont-ils stockés ?
– Fichiers « properties » – BDD – … • Comment gérer leurs cycles de vie ? – Renouvellement – Bail – Révocation – … • Qui doit les gérer ? • Comment mon application y accède ?
Les enjeux liés à Vault • Unseal/seal • Authentification (token,
login/passwd, github, …) • Génération des « unseal keys » – Shamir's Secret Sharing – PGP / Keybase.io – ? • Gestion des « Policy » • Génération des « tokens » utilisateurs • Wrap/unwrap • HSM (premium) • … Shamir's Secret Sharing
Comment accéder à Vault ? • CLI • HTTP API
• envconsul/consul-template • Ansible, Chef, … • docker-volume-libsecret • Client – Java, Spring Cloud, Scala – Go – Python – …
mount generic
$ vault write secret/app/key iauth.key_iauth=a8Y3IHgVCoj7AmUA Success! Data written to: secret/app/key
--- $ vault read secret/app/key iauth.key_iauth a8Y3IHgVCoj7AmUA --- $ vault read -wrap-ttl=10m secret/app/key wrapping_token: 19f11fee-c184-b218-6595-f58e87cad175 --- $ vault unwrap 19f11fee-c184-b218-6595-f58e87cad175 iauth.key_iauth a8Y3IHgVCoj7AmUA
None
mount mysql deprecated mount database beta Dynamic secrets or secrets
on-demand
Combien de fois change-t-on le mot de passe d’une base
de données dans la vie d’une application ?
None
mount pki
ITA Root CA ITA Intermediate CA vault.ita.rocks PKI = Ensemble
de composants physiques, de procédures et d’application en vue de gérer le cycle de vie des certificats
None
#MAUVAISEFOI
None
OpenSSL> openssl req -new -config etc/root-ca.conf -out ca/root- ca.csr -keyout
ca/root-ca/private/root-ca.key openssl ca -selfsign -config etc/root-ca.conf -in ca/root- ca.csr -out ca/root-ca.crt -extensions root_ca_ext openssl req -new -config etc/signing-ca.conf -out ca/signing-ca.csr -keyout ca/signing-ca/private/signing- ca.key openssl ca -config etc/root-ca.conf -in ca/signing-ca.csr - out ca/signing-ca.crt -extensions signing_ca_ext openssl req -new -config etc/server.conf -out certs/simple.org.csr -keyout certs/simple.org.key openssl ca -config etc/signing-ca.conf -in certs/simple.org.csr -out certs/simple.org.crt -extensions server_ext
KeyStore Explorer google/easypki keytool
None
HTTP API • Gestion des AC • Gestion des rôles
: – DN – TTL – Ext / Key usage (server auth, client auth, code signing, email protection, digital signature, data encipherment, …) – … • Gestion du cycle de vie des certificats • Gestion de la CRL
None
mount transit CaaS : Cryptography as a service
Gestion des clés (aes, ecdsa, eddsa) Chiffrement / Déchiffrement Génération
d’aléas Génération de hash (SHA256, SHA512, …) Génération de HMAC Signature / Validation
$ vault write -f transit/keys/foo Success! Data written to: transit/keys/foo
--- echo -n "LTDJ #70 : Vault" | base64 | vault write transit/encrypt/foo plaintext=- ciphertext vault:v1:N2BO36PLZ3…Beyt/LEj2MLo= --- vault write transit/decrypt/foo ciphertext=vault:v1:N2BO36PLZ3…Beyt/LEj2MLo= plaintext TFRESiAjNzAgOiBWYXVsdA== --- echo "TFRESiAjNzAgOiBWYXVsdA==" | base64 -d LTDJ #70 : Vault
Alternatives • Keywhiz (square) • Conjur • Docker secrets (swarm)
• Kubernetes secrets • AWS Key Management Service • Cloud Key Management (Google Cloud Plateform) • Azure Key Vault • …
AVANT JE STOCKAIS MES MOTS DE PASSE EN CLAIR
aicfr
bbqallstars
sashimimochi
tsukaman
daitak
shoheimitani
capytan
zozotech
kazzpapa3
sansan33
torounit
sansantech
coconala_engineer
tammyeverts
katarinadahlin
thekraken
chrisshort
colly
aleyda
brettharned
kimpetersen
katiecoart
axbom
caitiem20
ryanjones
