Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Behind Closed Doors: Managing Passwords in a Da...
Search
Noah Kantrowitz
April 27, 2016
Technology
0
3.4k
Behind Closed Doors: Managing Passwords in a Dangerous World
Noah Kantrowitz
April 27, 2016
Tweet
Share
More Decks by Noah Kantrowitz
See All by Noah Kantrowitz
What Python Can Learn From Other Languages
coderanger
0
40
What Python Can Learn From Other Languages (with notes)
coderanger
0
120
Swiss Army Django: Small Footprint ETL (with notes) - DjangoCon US
coderanger
0
190
Swiss Army Django: Small Footprint ETL - DjangoCon US
coderanger
0
45
How to look at space: PyCon AU
coderanger
0
87
Swiss Army Django: Small Footprint ETL
coderanger
0
73
Swiss Army Django: Small Footprint ETL (with notes)
coderanger
0
67
Minimum Viable Kubernetes
coderanger
0
31
Minimum Viable Kubernetes (with notes)
coderanger
0
390
Other Decks in Technology
See All in Technology
Iceberg Meetup Japan #1 : Iceberg and Databricks
databricksjapan
0
360
OPENLOGI Company Profile
hr01
0
60k
OSS構成管理ツールCMDBuildを使ったAWSリソース管理の自動化
satorufunai
0
640
【詳説】コンテンツ配信 システムの複数機能 基盤への拡張
hatena
0
230
大規模アジャイルフレームワークから学ぶエンジニアマネジメントの本質
staka121
PRO
3
1.2k
OCI Success Journey OCIの何が評価されてる?疑問に答える事例セミナー(2025年2月実施)
oracle4engineer
PRO
2
150
Snowflake ML モデルを dbt データパイプラインに組み込む
estie
0
100
EMConf JP 2025 懇親会LT / EMConf JP 2025 social gathering
sugamasao
2
190
Windows の新しい管理者保護モード
murachiakira
0
200
Exadata Database Service on Cloud@Customer セキュリティ、ネットワーク、および管理について
oracle4engineer
PRO
2
1.5k
依存パッケージの更新はコツコツが勝つコツ! / phpcon_nagoya2025
blue_goheimochi
3
210
内製化を加速させるlaC活用術
nrinetcom
PRO
2
140
Featured
See All Featured
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Optimising Largest Contentful Paint
csswizardry
34
3.1k
Building Adaptive Systems
keathley
40
2.4k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
33
2.8k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
How to train your dragon (web standard)
notwaldorf
91
5.9k
VelocityConf: Rendering Performance Case Studies
addyosmani
328
24k
Building a Modern Day E-commerce SEO Strategy
aleyda
38
7.1k
Music & Morning Musume
bryan
46
6.4k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
120k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
For a Future-Friendly Web
brad_frost
176
9.6k
Transcript
Noah Kantrowitz Behind Closed Doors Managing Passwords in a Dangerous
World
Me • Chef-y dude • @kantrn / coderanger • Bloomberg
FOSS
Secrets
Definition • Small • Radioactive • Required
Secrets • Passwords • Tokens • Keys • Other
Passwords • Computer to computer • 1 to ~1024 bytes
• "Internal" or human-y
Tokens • "External" or API • Like passwords
Keys • Whole files • Bigger, chunkier
Other • Kerberos tickets • PCI log files • HIPAA
records
Temperature
Hot / Online • Autonomous access • Used a lot
• Humans need not apply
Cold / Offline • Used rarely • Humans required
Spectrum
Speed
Slow • "Static" • Change is "big" • Less safe
Fast • Changes constantly • Automatic rotation • More safe
Properties of a Secrets Management System
– Jerome Saltzer, Communications of the ACM “Every program and every
privileged user of the system should operate using the least amount of privilege necessary to complete the job.”
Properties • Least privilege • Audit trail
Let's do it!
$ echo "P@s5wd" > secret.txt $ git commit -a -m
"yolo!" $ git push origin master To
[email protected]
:me/myapp.git f35a8c0..c2f0adf master -> master
Attack Surfaces
Surfaces • Brute force • Code leak • Backup leak
• Traversal • Code exec • Root exec • Laptop theft • Higher power
Brute Force • Always be wary • Rate-limit, restrict, rotate
• Make it impossible
Code Leak • Read-only access • No data • "GitHub
oops"
Backup Leak • Still read-only • With database, et al
Traversal • /show?n=about • /show?n=../../passwd • /search?q=;select…
An Aside • Environment variables • Logged, inherited, etc •
Unsafe at any speed
Code Exec • Beyond app security • Infrastructure hygiene •
Service users
Root Exec Lasciate ogne speranza, voi ch'intrate
Laptop Theft • Use disk encryption • Rotate everything
Higher Power • Government • Advanced threat • Natural disaster
Cryptography
Symmetry • Symmetric vs asymmetric • Shared key vs pairs
• Public key not secret
Secret Symmetric Admin Server
Secret Symmetric Admin Server Key
Secret Encrypted Blob Symmetric Admin Server Key
Secret Encrypted Blob Symmetric Admin Server Key Key
Encrypted Blob Secret Encrypted Blob Symmetric Admin Server Key Key
Encrypted Blob Secret Encrypted Blob Secret Symmetric Admin Server Key
Key
Secret Asymmetric Admin Server
Secret Asymmetric Admin Server Key Pair
Secret Asymmetric Admin Server Public Key Key Pair
Secret Encrypted Blob Asymmetric Admin Server Public Key Key Pair
Encrypted Blob Secret Encrypted Blob Asymmetric Admin Server Public Key
Key Pair
Encrypted Blob Secret Secret Encrypted Blob Asymmetric Admin Server Public
Key Key Pair
Mode • Pre-encryption • Symmetric key distribution • Asymmetric key
identity • Trusted third party
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Asymmetric Pre Admin Servers Store A B C
A B Asymmetric Pre Admin Servers Store A B C
A B Asymmetric Pre Admin Servers Store A B A
B C
A B Asymmetric Pre Admin Servers Store A B A
B A B C
A B A B Asymmetric Pre Admin Servers Store A
B A B A B C
A B A B B A Asymmetric Pre Admin Servers
Store A B A B A B C
A B A B B A Asymmetric Pre Admin Servers
Store A B A B A B C
Trusted Third Party Admin TTP Servers A B C D
Trusted Third Party B C Admin TTP Servers A B
C D
Trusted Third Party B C Admin TTP Servers A B
C D
Tools
Text Files • git add … • scp … •
Interns
git-crypt • Git file filter • Symmetric or asymmetric •
Footgun
Cluster Managers • ZooKeeper, Consul, Etcd • ACLs or bust
• Here be dragons
Chef Encrypted Bags • Symmetric, AES-256-GCM • Server vs git
• Turtles all the way down
Ansible Vault • AES-256-CTR + SHA-256 • Still turtles
Hiera Eyaml • PKCS7 (or GPG) • Trusted Third Party
Chef Vault • RSA(encrypted bags) • Asymmetric pre-encrypt • Kind
of still turtle-y
Hashicorp Vault • TTP service • New bar for fast
secrets • Modular design
Keywhiz • TTP • TLS keys, files • Battle tested
Private S3 • IAM roles • Complex policy • Easy
to get started
Amazon KMS • Kool-aid-tastic • Key escrow • Hosted encrypt/decrypt
Sneaker • KMS + S3 • Still kool
Confidant • KMS + DynamoDB • Web-based • Versioned w/
history
Trousseau • Asymmetric pre-encrypt • GPG + modular storage •
S3, GPG, GitHub
Sops • KMS or GPG • Manual storage
Red October • Cold secrets • N of M storage
Barbican Pining for the fjords
Conjur • And other closed source • Trust but verify
HSMs • TPMs otherwise $ $ $ • Dedicated hardware
• Bugs not unheard of
The Hard Problem
Identity • Who are you? • Who am I? •
Why are we in this hand basket?
Pure Identity • TLS client certificates • MySQL, Postgres •
Internal APIs
Integration
API Clients • Vault: HVAC, vault-rails • KMS: botocore, aws-sdk
HVAC # local_settings.py import hvac c = hvac.Client( url='https://vaultserver:8200') DATABASES
= { 'default': { # Other settings ... 'PASSWORD': c.read('secret/dbpass') } }
Config Management • Templates/commands • hiera-vault • Ruby/Python APIs
Chef # recipes/myapp.rb execute 'sneaker unpack ...' template 'local_settings.py' do
# Other properties ... variables pw: citadel['pw'] end
KeywhizFS • FUSE filesystem • Direct key usage • In-memory
Consul Templates • Standalone daemon • Sync Vault data to
files • CM → Templates → files
envconsul • Vault data in $ENV • Beware of logging
Summon • Secrets in $ENV • Modular providers • S3,
Keyring, Conjur
In Summary • Check your privilege and audit trail •
Pick types and temperatures • Think about attack surfaces • Have a disaster plan
Thank You
Questions? @kantrn coderanger.net