Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Behind Closed Doors: Managing Passwords in a Da...
Search
Noah Kantrowitz
April 27, 2016
Technology
0
3.4k
Behind Closed Doors: Managing Passwords in a Dangerous World
Noah Kantrowitz
April 27, 2016
Tweet
Share
More Decks by Noah Kantrowitz
See All by Noah Kantrowitz
What Python Can Learn From Other Languages
coderanger
0
41
What Python Can Learn From Other Languages (with notes)
coderanger
0
130
Swiss Army Django: Small Footprint ETL (with notes) - DjangoCon US
coderanger
0
190
Swiss Army Django: Small Footprint ETL - DjangoCon US
coderanger
0
45
How to look at space: PyCon AU
coderanger
0
87
Swiss Army Django: Small Footprint ETL
coderanger
0
73
Swiss Army Django: Small Footprint ETL (with notes)
coderanger
0
67
Minimum Viable Kubernetes
coderanger
0
31
Minimum Viable Kubernetes (with notes)
coderanger
0
390
Other Decks in Technology
See All in Technology
DevinでAI AWSエンジニア製造計画 序章 〜CDKを添えて〜/devin-load-to-aws-engineer
tomoki10
0
190
Cracking the Coding Interview 6th Edition
gdplabs
14
28k
AWSではじめる Web APIテスト実践ガイド / A practical guide to testing Web APIs on AWS
yokawasa
8
750
Global Databaseで実現するマルチリージョン自動切替とBlue/Greenデプロイ
j2yano
0
140
AWSアカウントのセキュリティ自動化、どこまで進める? 最適な設計と実践ポイント
yuobayashi
7
960
クラウド食堂とは?
hiyanger
0
120
AIエージェント元年@日本生成AIユーザ会
shukob
1
240
E2Eテスト自動化入門
devops_vtj
1
100
事業モメンタムを生み出すプロダクト開発
macchiitaka
0
100
Aurora PostgreSQLがCloudWatch Logsに 出力するログの課金を削減してみる #jawsdays2025
non97
1
230
自分だけの仮想クラスタを高速かつ効率的に作る kubefork
donkomura
0
110
What's new in Go 1.24?
ciarana
1
110
Featured
See All Featured
Building Your Own Lightsaber
phodgson
104
6.2k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
114
51k
How STYLIGHT went responsive
nonsquared
99
5.4k
Building Flexible Design Systems
yeseniaperezcruz
328
38k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
7
650
Navigating Team Friction
lara
183
15k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Raft: Consensus for Rubyists
vanstee
137
6.8k
GraphQLの誤解/rethinking-graphql
sonatard
69
10k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
59k
Scaling GitHub
holman
459
140k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Transcript
Noah Kantrowitz Behind Closed Doors Managing Passwords in a Dangerous
World
Me • Chef-y dude • @kantrn / coderanger • Bloomberg
FOSS
Secrets
Definition • Small • Radioactive • Required
Secrets • Passwords • Tokens • Keys • Other
Passwords • Computer to computer • 1 to ~1024 bytes
• "Internal" or human-y
Tokens • "External" or API • Like passwords
Keys • Whole files • Bigger, chunkier
Other • Kerberos tickets • PCI log files • HIPAA
records
Temperature
Hot / Online • Autonomous access • Used a lot
• Humans need not apply
Cold / Offline • Used rarely • Humans required
Spectrum
Speed
Slow • "Static" • Change is "big" • Less safe
Fast • Changes constantly • Automatic rotation • More safe
Properties of a Secrets Management System
– Jerome Saltzer, Communications of the ACM “Every program and every
privileged user of the system should operate using the least amount of privilege necessary to complete the job.”
Properties • Least privilege • Audit trail
Let's do it!
$ echo "P@s5wd" > secret.txt $ git commit -a -m
"yolo!" $ git push origin master To git@github.com:me/myapp.git f35a8c0..c2f0adf master -> master
Attack Surfaces
Surfaces • Brute force • Code leak • Backup leak
• Traversal • Code exec • Root exec • Laptop theft • Higher power
Brute Force • Always be wary • Rate-limit, restrict, rotate
• Make it impossible
Code Leak • Read-only access • No data • "GitHub
oops"
Backup Leak • Still read-only • With database, et al
Traversal • /show?n=about • /show?n=../../passwd • /search?q=;select…
An Aside • Environment variables • Logged, inherited, etc •
Unsafe at any speed
Code Exec • Beyond app security • Infrastructure hygiene •
Service users
Root Exec Lasciate ogne speranza, voi ch'intrate
Laptop Theft • Use disk encryption • Rotate everything
Higher Power • Government • Advanced threat • Natural disaster
Cryptography
Symmetry • Symmetric vs asymmetric • Shared key vs pairs
• Public key not secret
Secret Symmetric Admin Server
Secret Symmetric Admin Server Key
Secret Encrypted Blob Symmetric Admin Server Key
Secret Encrypted Blob Symmetric Admin Server Key Key
Encrypted Blob Secret Encrypted Blob Symmetric Admin Server Key Key
Encrypted Blob Secret Encrypted Blob Secret Symmetric Admin Server Key
Key
Secret Asymmetric Admin Server
Secret Asymmetric Admin Server Key Pair
Secret Asymmetric Admin Server Public Key Key Pair
Secret Encrypted Blob Asymmetric Admin Server Public Key Key Pair
Encrypted Blob Secret Encrypted Blob Asymmetric Admin Server Public Key
Key Pair
Encrypted Blob Secret Secret Encrypted Blob Asymmetric Admin Server Public
Key Key Pair
Mode • Pre-encryption • Symmetric key distribution • Asymmetric key
identity • Trusted third party
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Asymmetric Pre Admin Servers Store A B C
A B Asymmetric Pre Admin Servers Store A B C
A B Asymmetric Pre Admin Servers Store A B A
B C
A B Asymmetric Pre Admin Servers Store A B A
B A B C
A B A B Asymmetric Pre Admin Servers Store A
B A B A B C
A B A B B A Asymmetric Pre Admin Servers
Store A B A B A B C
A B A B B A Asymmetric Pre Admin Servers
Store A B A B A B C
Trusted Third Party Admin TTP Servers A B C D
Trusted Third Party B C Admin TTP Servers A B
C D
Trusted Third Party B C Admin TTP Servers A B
C D
Tools
Text Files • git add … • scp … •
Interns
git-crypt • Git file filter • Symmetric or asymmetric •
Footgun
Cluster Managers • ZooKeeper, Consul, Etcd • ACLs or bust
• Here be dragons
Chef Encrypted Bags • Symmetric, AES-256-GCM • Server vs git
• Turtles all the way down
Ansible Vault • AES-256-CTR + SHA-256 • Still turtles
Hiera Eyaml • PKCS7 (or GPG) • Trusted Third Party
Chef Vault • RSA(encrypted bags) • Asymmetric pre-encrypt • Kind
of still turtle-y
Hashicorp Vault • TTP service • New bar for fast
secrets • Modular design
Keywhiz • TTP • TLS keys, files • Battle tested
Private S3 • IAM roles • Complex policy • Easy
to get started
Amazon KMS • Kool-aid-tastic • Key escrow • Hosted encrypt/decrypt
Sneaker • KMS + S3 • Still kool
Confidant • KMS + DynamoDB • Web-based • Versioned w/
history
Trousseau • Asymmetric pre-encrypt • GPG + modular storage •
S3, GPG, GitHub
Sops • KMS or GPG • Manual storage
Red October • Cold secrets • N of M storage
Barbican Pining for the fjords
Conjur • And other closed source • Trust but verify
HSMs • TPMs otherwise $ $ $ • Dedicated hardware
• Bugs not unheard of
The Hard Problem
Identity • Who are you? • Who am I? •
Why are we in this hand basket?
Pure Identity • TLS client certificates • MySQL, Postgres •
Internal APIs
Integration
API Clients • Vault: HVAC, vault-rails • KMS: botocore, aws-sdk
HVAC # local_settings.py import hvac c = hvac.Client( url='https://vaultserver:8200') DATABASES
= { 'default': { # Other settings ... 'PASSWORD': c.read('secret/dbpass') } }
Config Management • Templates/commands • hiera-vault • Ruby/Python APIs
Chef # recipes/myapp.rb execute 'sneaker unpack ...' template 'local_settings.py' do
# Other properties ... variables pw: citadel['pw'] end
KeywhizFS • FUSE filesystem • Direct key usage • In-memory
Consul Templates • Standalone daemon • Sync Vault data to
files • CM → Templates → files
envconsul • Vault data in $ENV • Beware of logging
Summon • Secrets in $ENV • Modular providers • S3,
Keyring, Conjur
In Summary • Check your privilege and audit trail •
Pick types and temperatures • Think about attack surfaces • Have a disaster plan
Thank You
Questions? @kantrn coderanger.net