Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
HashiCorp Vault
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Heraud Kevin
July 06, 2017
Technology
0
17
HashiCorp Vault
Heraud Kevin
July 06, 2017
Tweet
Share
More Decks by Heraud Kevin
See All by Heraud Kevin
WebAssembly
aicfr
0
40
Cross Browser Testing
aicfr
0
18
Certificate pinning
aicfr
0
41
Frida : Dynamic instrumentation toolkit
aicfr
0
17
GraphQL
aicfr
0
8
Serverless
aicfr
0
12
Hyperledger Composer
aicfr
0
13
HashiCorp Consul
aicfr
0
14
CDI
aicfr
0
24
Other Decks in Technology
See All in Technology
小さく始めるBCP ― 多プロダクト環境で始める最初の一歩
kekke_n
1
360
ZOZOにおけるAI活用の現在 ~開発組織全体での取り組みと試行錯誤~
zozotech
PRO
5
4.9k
Cosmos World Foundation Model Platform for Physical AI
takmin
0
310
プロダクト成長を支える開発基盤とスケールに伴う課題
yuu26
4
1.3k
入社1ヶ月でデータパイプライン講座を作った話
waiwai2111
1
250
20260204_Midosuji_Tech
takuyay0ne
0
120
Introduction to Sansan for Engineers / エンジニア向け会社紹介
sansan33
PRO
6
68k
顧客の言葉を、そのまま信じない勇気
yamatai1212
1
340
モダンUIでフルサーバーレスなAIエージェントをAmplifyとCDKでサクッとデプロイしよう
minorun365
3
150
AzureでのIaC - Bicep? Terraform? それ早く言ってよ会議
torumakabe
1
410
Introduction to Sansan, inc / Sansan Global Development Center, Inc.
sansan33
PRO
0
3k
名刺メーカーDevグループ 紹介資料
sansan33
PRO
0
1k
Featured
See All Featured
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
Mind Mapping
helmedeiros
PRO
0
78
Unsuck your backbone
ammeep
671
58k
JAMstack: Web Apps at Ludicrous Speed - All Things Open 2022
reverentgeek
1
320
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
12
1.4k
AI: The stuff that nobody shows you
jnunemaker
PRO
2
240
Optimising Largest Contentful Paint
csswizardry
37
3.6k
Agile Actions for Facilitating Distributed Teams - ADO2019
mkilby
0
110
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
<Decoding/> the Language of Devs - We Love SEO 2024
nikkihalliwell
1
120
How Software Deployment tools have changed in the past 20 years
geshan
0
32k
Digital Ethics as a Driver of Design Innovation
axbom
PRO
1
170
Transcript
A Tool for Managing Secrets
Provision, secure, and run any infrastructure for any application.
DB Credentials (MySQL, Hazelcast) Keystore password (P12, JKS) Keystore (private
key) Acces Keys (Tokenizer, OAuth2) Encryption Keys (AES) …
None
None
Secret Backends Storage Backends Auth Backends Audit Backends Telemetery
Les secrets dans une application • Où sont-ils stockés ?
– Fichiers « properties » – BDD – … • Comment gérer leurs cycles de vie ? – Renouvellement – Bail – Révocation – … • Qui doit les gérer ? • Comment mon application y accède ?
Les enjeux liés à Vault • Unseal/seal • Authentification (token,
login/passwd, github, …) • Génération des « unseal keys » – Shamir's Secret Sharing – PGP / Keybase.io – ? • Gestion des « Policy » • Génération des « tokens » utilisateurs • Wrap/unwrap • HSM (premium) • … Shamir's Secret Sharing
Comment accéder à Vault ? • CLI • HTTP API
• envconsul/consul-template • Ansible, Chef, … • docker-volume-libsecret • Client – Java, Spring Cloud, Scala – Go – Python – …
mount generic
$ vault write secret/app/key iauth.key_iauth=a8Y3IHgVCoj7AmUA Success! Data written to: secret/app/key
--- $ vault read secret/app/key iauth.key_iauth a8Y3IHgVCoj7AmUA --- $ vault read -wrap-ttl=10m secret/app/key wrapping_token: 19f11fee-c184-b218-6595-f58e87cad175 --- $ vault unwrap 19f11fee-c184-b218-6595-f58e87cad175 iauth.key_iauth a8Y3IHgVCoj7AmUA
None
mount mysql deprecated mount database beta Dynamic secrets or secrets
on-demand
Combien de fois change-t-on le mot de passe d’une base
de données dans la vie d’une application ?
None
mount pki
ITA Root CA ITA Intermediate CA vault.ita.rocks PKI = Ensemble
de composants physiques, de procédures et d’application en vue de gérer le cycle de vie des certificats
None
#MAUVAISEFOI
None
OpenSSL> openssl req -new -config etc/root-ca.conf -out ca/root- ca.csr -keyout
ca/root-ca/private/root-ca.key openssl ca -selfsign -config etc/root-ca.conf -in ca/root- ca.csr -out ca/root-ca.crt -extensions root_ca_ext openssl req -new -config etc/signing-ca.conf -out ca/signing-ca.csr -keyout ca/signing-ca/private/signing- ca.key openssl ca -config etc/root-ca.conf -in ca/signing-ca.csr - out ca/signing-ca.crt -extensions signing_ca_ext openssl req -new -config etc/server.conf -out certs/simple.org.csr -keyout certs/simple.org.key openssl ca -config etc/signing-ca.conf -in certs/simple.org.csr -out certs/simple.org.crt -extensions server_ext
KeyStore Explorer google/easypki keytool
None
HTTP API • Gestion des AC • Gestion des rôles
: – DN – TTL – Ext / Key usage (server auth, client auth, code signing, email protection, digital signature, data encipherment, …) – … • Gestion du cycle de vie des certificats • Gestion de la CRL
None
mount transit CaaS : Cryptography as a service
Gestion des clés (aes, ecdsa, eddsa) Chiffrement / Déchiffrement Génération
d’aléas Génération de hash (SHA256, SHA512, …) Génération de HMAC Signature / Validation
$ vault write -f transit/keys/foo Success! Data written to: transit/keys/foo
--- echo -n "LTDJ #70 : Vault" | base64 | vault write transit/encrypt/foo plaintext=- ciphertext vault:v1:N2BO36PLZ3…Beyt/LEj2MLo= --- vault write transit/decrypt/foo ciphertext=vault:v1:N2BO36PLZ3…Beyt/LEj2MLo= plaintext TFRESiAjNzAgOiBWYXVsdA== --- echo "TFRESiAjNzAgOiBWYXVsdA==" | base64 -d LTDJ #70 : Vault
Alternatives • Keywhiz (square) • Conjur • Docker secrets (swarm)
• Kubernetes secrets • AWS Key Management Service • Cloud Key Management (Google Cloud Plateform) • Azure Key Vault • …
AVANT JE STOCKAIS MES MOTS DE PASSE EN CLAIR
aicfr
kekke_n
zozotech
takmin
yuu26
waiwai2111
takuyay0ne
sansan33
yamatai1212
minorun365
torumakabe
samlambert
helmedeiros
ammeep
reverentgeek
tammyeverts
jnunemaker
csswizardry
mkilby
cassininazir
nikkihalliwell
geshan
axbom
