Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Behind Closed Doors: Managing Passwords in a Dangerous World
Search
Noah Kantrowitz
April 27, 2016
Technology
0
3.2k
Behind Closed Doors: Managing Passwords in a Dangerous World
Noah Kantrowitz
April 27, 2016
Tweet
Share
More Decks by Noah Kantrowitz
See All by Noah Kantrowitz
Swiss Army Django: Small Footprint ETL (with notes) - DjangoCon US
coderanger
0
110
Swiss Army Django: Small Footprint ETL - DjangoCon US
coderanger
0
21
How to look at space: PyCon AU
coderanger
0
59
Swiss Army Django: Small Footprint ETL
coderanger
0
42
Swiss Army Django: Small Footprint ETL (with notes)
coderanger
0
46
Minimum Viable Kubernetes
coderanger
0
17
Minimum Viable Kubernetes (with notes)
coderanger
0
290
Applied Science Fiction: Operating a Research-Led Product (with notes)
coderanger
0
22
Applied Science Fiction: Operating a Research-Led Product
coderanger
0
44
Other Decks in Technology
See All in Technology
JAWS-UG Bedrock Claude Night
yamahiro
3
580
EMとして2023年度に頑張ったこと / What we did well in FY2023 as a EM
pauli
1
170
推しは推せるときに推せ! プロダクトにフィードバックしていこう
nakasho
0
300
Tellus の衛星データを見てみよう #mf_fukuoka
kongmingstrap
0
190
Google Cloud の AI を支える裏側のインフラを垣間見る!
maroon1st
0
340
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
4
13k
本当のAWS基礎
toru_kubota
0
510
地理空間データ可視化・解析・活用ソリューション Pacific Spatial Solutions (PSS)
pacificspatialsolutions
0
220
AOAI をきっかけに 社内の Azure 管理を見直した話
recruitengineers
PRO
1
280
Além do else! Categorizando Pokemóns com Pattern Matching no JavaScript
wmsbill
0
400
生産性向上チームの紹介
cybozuinsideout
PRO
1
870
20分で完全に理解するGrafanaダッシュボード
hamadakoji
3
490
Featured
See All Featured
Building an army of robots
kneath
300
41k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
19
1.7k
Design by the Numbers
sachag
274
18k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k
Pencils Down: Stop Designing & Start Developing
hursman
117
11k
Build your cross-platform service in a week with App Engine
jlugia
225
17k
Debugging Ruby Performance
tmm1
70
11k
What’s in a name? Adding method to the madness
productmarketing
PRO
16
2.6k
BBQ
matthewcrist
80
8.8k
[RailsConf 2023] Rails as a piece of cake
palkan
23
3.9k
Visualization
eitanlees
136
14k
Why Our Code Smells
bkeepers
PRO
331
56k
Transcript
Noah Kantrowitz Behind Closed Doors Managing Passwords in a Dangerous
World
Me • Chef-y dude • @kantrn / coderanger • Bloomberg
FOSS
Secrets
Definition • Small • Radioactive • Required
Secrets • Passwords • Tokens • Keys • Other
Passwords • Computer to computer • 1 to ~1024 bytes
• "Internal" or human-y
Tokens • "External" or API • Like passwords
Keys • Whole files • Bigger, chunkier
Other • Kerberos tickets • PCI log files • HIPAA
records
Temperature
Hot / Online • Autonomous access • Used a lot
• Humans need not apply
Cold / Offline • Used rarely • Humans required
Spectrum
Speed
Slow • "Static" • Change is "big" • Less safe
Fast • Changes constantly • Automatic rotation • More safe
Properties of a Secrets Management System
– Jerome Saltzer, Communications of the ACM “Every program and every
privileged user of the system should operate using the least amount of privilege necessary to complete the job.”
Properties • Least privilege • Audit trail
Let's do it!
$ echo "P@s5wd" > secret.txt $ git commit -a -m
"yolo!" $ git push origin master To
[email protected]
:me/myapp.git f35a8c0..c2f0adf master -> master
Attack Surfaces
Surfaces • Brute force • Code leak • Backup leak
• Traversal • Code exec • Root exec • Laptop theft • Higher power
Brute Force • Always be wary • Rate-limit, restrict, rotate
• Make it impossible
Code Leak • Read-only access • No data • "GitHub
oops"
Backup Leak • Still read-only • With database, et al
Traversal • /show?n=about • /show?n=../../passwd • /search?q=;select…
An Aside • Environment variables • Logged, inherited, etc •
Unsafe at any speed
Code Exec • Beyond app security • Infrastructure hygiene •
Service users
Root Exec Lasciate ogne speranza, voi ch'intrate
Laptop Theft • Use disk encryption • Rotate everything
Higher Power • Government • Advanced threat • Natural disaster
Cryptography
Symmetry • Symmetric vs asymmetric • Shared key vs pairs
• Public key not secret
Secret Symmetric Admin Server
Secret Symmetric Admin Server Key
Secret Encrypted Blob Symmetric Admin Server Key
Secret Encrypted Blob Symmetric Admin Server Key Key
Encrypted Blob Secret Encrypted Blob Symmetric Admin Server Key Key
Encrypted Blob Secret Encrypted Blob Secret Symmetric Admin Server Key
Key
Secret Asymmetric Admin Server
Secret Asymmetric Admin Server Key Pair
Secret Asymmetric Admin Server Public Key Key Pair
Secret Encrypted Blob Asymmetric Admin Server Public Key Key Pair
Encrypted Blob Secret Encrypted Blob Asymmetric Admin Server Public Key
Key Pair
Encrypted Blob Secret Secret Encrypted Blob Asymmetric Admin Server Public
Key Key Pair
Mode • Pre-encryption • Symmetric key distribution • Asymmetric key
identity • Trusted third party
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Asymmetric Pre Admin Servers Store A B C
A B Asymmetric Pre Admin Servers Store A B C
A B Asymmetric Pre Admin Servers Store A B A
B C
A B Asymmetric Pre Admin Servers Store A B A
B A B C
A B A B Asymmetric Pre Admin Servers Store A
B A B A B C
A B A B B A Asymmetric Pre Admin Servers
Store A B A B A B C
A B A B B A Asymmetric Pre Admin Servers
Store A B A B A B C
Trusted Third Party Admin TTP Servers A B C D
Trusted Third Party B C Admin TTP Servers A B
C D
Trusted Third Party B C Admin TTP Servers A B
C D
Tools
Text Files • git add … • scp … •
Interns
git-crypt • Git file filter • Symmetric or asymmetric •
Footgun
Cluster Managers • ZooKeeper, Consul, Etcd • ACLs or bust
• Here be dragons
Chef Encrypted Bags • Symmetric, AES-256-GCM • Server vs git
• Turtles all the way down
Ansible Vault • AES-256-CTR + SHA-256 • Still turtles
Hiera Eyaml • PKCS7 (or GPG) • Trusted Third Party
Chef Vault • RSA(encrypted bags) • Asymmetric pre-encrypt • Kind
of still turtle-y
Hashicorp Vault • TTP service • New bar for fast
secrets • Modular design
Keywhiz • TTP • TLS keys, files • Battle tested
Private S3 • IAM roles • Complex policy • Easy
to get started
Amazon KMS • Kool-aid-tastic • Key escrow • Hosted encrypt/decrypt
Sneaker • KMS + S3 • Still kool
Confidant • KMS + DynamoDB • Web-based • Versioned w/
history
Trousseau • Asymmetric pre-encrypt • GPG + modular storage •
S3, GPG, GitHub
Sops • KMS or GPG • Manual storage
Red October • Cold secrets • N of M storage
Barbican Pining for the fjords
Conjur • And other closed source • Trust but verify
HSMs • TPMs otherwise $ $ $ • Dedicated hardware
• Bugs not unheard of
The Hard Problem
Identity • Who are you? • Who am I? •
Why are we in this hand basket?
Pure Identity • TLS client certificates • MySQL, Postgres •
Internal APIs
Integration
API Clients • Vault: HVAC, vault-rails • KMS: botocore, aws-sdk
HVAC # local_settings.py import hvac c = hvac.Client( url='https://vaultserver:8200') DATABASES
= { 'default': { # Other settings ... 'PASSWORD': c.read('secret/dbpass') } }
Config Management • Templates/commands • hiera-vault • Ruby/Python APIs
Chef # recipes/myapp.rb execute 'sneaker unpack ...' template 'local_settings.py' do
# Other properties ... variables pw: citadel['pw'] end
KeywhizFS • FUSE filesystem • Direct key usage • In-memory
Consul Templates • Standalone daemon • Sync Vault data to
files • CM → Templates → files
envconsul • Vault data in $ENV • Beware of logging
Summon • Secrets in $ENV • Modular providers • S3,
Keyring, Conjur
In Summary • Check your privilege and audit trail •
Pick types and temperatures • Think about attack surfaces • Have a disaster plan
Thank You
Questions? @kantrn coderanger.net