Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
HashiCorp Vault
Search
Heraud Kevin
July 06, 2017
Technology
0
17
HashiCorp Vault
Heraud Kevin
July 06, 2017
Tweet
Share
More Decks by Heraud Kevin
See All by Heraud Kevin
WebAssembly
aicfr
0
40
Cross Browser Testing
aicfr
0
18
Certificate pinning
aicfr
0
41
Frida : Dynamic instrumentation toolkit
aicfr
0
17
GraphQL
aicfr
0
8
Serverless
aicfr
0
12
Hyperledger Composer
aicfr
0
13
HashiCorp Consul
aicfr
0
14
CDI
aicfr
0
24
Other Decks in Technology
See All in Technology
All About Sansan – for New Global Engineers
sansan33
PRO
1
1.3k
ソフトとハード両方いけるデータ人材の育て方
waiwai2111
0
180
歴史から学ぶ、Goのメモリ管理基礎
logica0419
14
2.8k
AI に「学ばせ、調べさせ、作らせる」。Auth0 開発を加速させる7つの実践的アプローチ
scova0731
0
260
名刺メーカーDevグループ 紹介資料
sansan33
PRO
0
1k
戰略轉變:從建構 AI 代理人到發展可擴展的技能生態系統
appleboy
0
190
産業的変化も組織的変化も乗り越えられるチームへの成長 〜チームの変化から見出す明るい未来〜
kakehashi
PRO
1
630
Master Dataグループ紹介資料
sansan33
PRO
1
4.2k
Contract One Engineering Unit 紹介資料
sansan33
PRO
0
12k
研究開発部メンバーの働き⽅ / Sansan R&D Profile
sansan33
PRO
4
21k
さくらのクラウドでのシークレット管理を考える/tamachi.sre#2
fujiwara3
1
140
Eight Engineering Unit 紹介資料
sansan33
PRO
0
6.2k
Featured
See All Featured
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
34
2.6k
Money Talks: Using Revenue to Get Sh*t Done
nikkihalliwell
0
130
Dominate Local Search Results - an insider guide to GBP, reviews, and Local SEO
greggifford
PRO
0
34
Paper Plane
katiecoart
PRO
0
45k
How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today
helenjbeal
1
98
Measuring Dark Social's Impact On Conversion and Attribution
stephenakadiri
1
100
The Pragmatic Product Professional
lauravandoore
37
7.1k
Paper Plane (Part 1)
katiecoart
PRO
0
3.1k
Avoiding the “Bad Training, Faster” Trap in the Age of AI
tmiket
0
52
ラッコキーワード サービス紹介資料
rakko
0
2M
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
38
2.7k
Claude Code のすすめ
schroneko
67
210k
Transcript
A Tool for Managing Secrets
Provision, secure, and run any infrastructure for any application.
DB Credentials (MySQL, Hazelcast) Keystore password (P12, JKS) Keystore (private
key) Acces Keys (Tokenizer, OAuth2) Encryption Keys (AES) …
None
None
Secret Backends Storage Backends Auth Backends Audit Backends Telemetery
Les secrets dans une application • Où sont-ils stockés ?
– Fichiers « properties » – BDD – … • Comment gérer leurs cycles de vie ? – Renouvellement – Bail – Révocation – … • Qui doit les gérer ? • Comment mon application y accède ?
Les enjeux liés à Vault • Unseal/seal • Authentification (token,
login/passwd, github, …) • Génération des « unseal keys » – Shamir's Secret Sharing – PGP / Keybase.io – ? • Gestion des « Policy » • Génération des « tokens » utilisateurs • Wrap/unwrap • HSM (premium) • … Shamir's Secret Sharing
Comment accéder à Vault ? • CLI • HTTP API
• envconsul/consul-template • Ansible, Chef, … • docker-volume-libsecret • Client – Java, Spring Cloud, Scala – Go – Python – …
mount generic
$ vault write secret/app/key iauth.key_iauth=a8Y3IHgVCoj7AmUA Success! Data written to: secret/app/key
--- $ vault read secret/app/key iauth.key_iauth a8Y3IHgVCoj7AmUA --- $ vault read -wrap-ttl=10m secret/app/key wrapping_token: 19f11fee-c184-b218-6595-f58e87cad175 --- $ vault unwrap 19f11fee-c184-b218-6595-f58e87cad175 iauth.key_iauth a8Y3IHgVCoj7AmUA
None
mount mysql deprecated mount database beta Dynamic secrets or secrets
on-demand
Combien de fois change-t-on le mot de passe d’une base
de données dans la vie d’une application ?
None
mount pki
ITA Root CA ITA Intermediate CA vault.ita.rocks PKI = Ensemble
de composants physiques, de procédures et d’application en vue de gérer le cycle de vie des certificats
None
#MAUVAISEFOI
None
OpenSSL> openssl req -new -config etc/root-ca.conf -out ca/root- ca.csr -keyout
ca/root-ca/private/root-ca.key openssl ca -selfsign -config etc/root-ca.conf -in ca/root- ca.csr -out ca/root-ca.crt -extensions root_ca_ext openssl req -new -config etc/signing-ca.conf -out ca/signing-ca.csr -keyout ca/signing-ca/private/signing- ca.key openssl ca -config etc/root-ca.conf -in ca/signing-ca.csr - out ca/signing-ca.crt -extensions signing_ca_ext openssl req -new -config etc/server.conf -out certs/simple.org.csr -keyout certs/simple.org.key openssl ca -config etc/signing-ca.conf -in certs/simple.org.csr -out certs/simple.org.crt -extensions server_ext
KeyStore Explorer google/easypki keytool
None
HTTP API • Gestion des AC • Gestion des rôles
: – DN – TTL – Ext / Key usage (server auth, client auth, code signing, email protection, digital signature, data encipherment, …) – … • Gestion du cycle de vie des certificats • Gestion de la CRL
None
mount transit CaaS : Cryptography as a service
Gestion des clés (aes, ecdsa, eddsa) Chiffrement / Déchiffrement Génération
d’aléas Génération de hash (SHA256, SHA512, …) Génération de HMAC Signature / Validation
$ vault write -f transit/keys/foo Success! Data written to: transit/keys/foo
--- echo -n "LTDJ #70 : Vault" | base64 | vault write transit/encrypt/foo plaintext=- ciphertext vault:v1:N2BO36PLZ3…Beyt/LEj2MLo= --- vault write transit/decrypt/foo ciphertext=vault:v1:N2BO36PLZ3…Beyt/LEj2MLo= plaintext TFRESiAjNzAgOiBWYXVsdA== --- echo "TFRESiAjNzAgOiBWYXVsdA==" | base64 -d LTDJ #70 : Vault
Alternatives • Keywhiz (square) • Conjur • Docker secrets (swarm)
• Kubernetes secrets • AWS Key Management Service • Cloud Key Management (Google Cloud Plateform) • Azure Key Vault • …
AVANT JE STOCKAIS MES MOTS DE PASSE EN CLAIR
aicfr
sansan33
waiwai2111
logica0419
scova0731
appleboy
kakehashi
fujiwara3
jcasabona
nikkihalliwell
greggifford
katiecoart
.png){kind=avatar}
helenjbeal
stephenakadiri
lauravandoore
tmiket
rakko
eileencodes
schroneko
