Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Behind Closed Doors: Managing Passwords in a Da...
Search
Noah Kantrowitz
April 27, 2016
Technology
3.6k
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Behind Closed Doors: Managing Passwords in a Dangerous World
Noah Kantrowitz
April 27, 2016
More Decks by Noah Kantrowitz
See All by Noah Kantrowitz
The Long Hello World
coderanger
0
35
The Long Hello World (with notes)
coderanger
0
110
What Python Can Learn From Other Languages
coderanger
0
95
What Python Can Learn From Other Languages (with notes)
coderanger
0
240
Swiss Army Django: Small Footprint ETL (with notes) - DjangoCon US
coderanger
0
380
Swiss Army Django: Small Footprint ETL - DjangoCon US
coderanger
0
96
How to look at space: PyCon AU
coderanger
0
150
Swiss Army Django: Small Footprint ETL
coderanger
0
130
Swiss Army Django: Small Footprint ETL (with notes)
coderanger
0
110
Other Decks in Technology
See All in Technology
AI Agent SaaS を支える自社仮想化基盤への挑戦と実運用 / ai-agent-saas-virtualization
flatt_security
2
3k
次世代ランサムウェア対策の考察 / 20260704 Mitsutoshi Matsuo
shift_evolve
PRO
5
1.7k
環境凍結という Toil を倒す -セルフサービス型 Ephemeral テスト環境の 設計と実践
shirouz
1
1.5k
FinOps X 2026 Recap from Engineer Side #JapanFinOps
chacco38
0
270
AI時代における最適なQA組織の作り方
ymty
3
460
認証認可だけじゃない! ID管理の構成要素と ライフサイクルを意識しよう
ritou
1
520
金融の未来を考える / Thinking About the Future of Finance
ks91
PRO
0
180
知らん間に、回ってる
ming_ayami
0
320
SRE Lounge Hiroshimaへの招待
grimoh
0
410
ポストモーテム! DDoSからサイトは守れた。 でもビジネスは守れなかった。
bengo4com
0
1.8k
キャリアの中で本を作る / Making a Book During Your Career
ak1210
0
120
地域 SRE コミュニティ最前線 / SRE NEXT 2026 Discussion Night Track C
muziyoshiz
0
160
Featured
See All Featured
Mind Mapping
helmedeiros
PRO
1
280
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
52
6k
SEO Brein meetup: CTRL+C is not how to scale international SEO
lindahogenes
1
2.8k
AI Search: Implications for SEO and How to Move Forward - #ShenzhenSEOConference
aleyda
1
1.3k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
34
2.8k
Building a A Zero-Code AI SEO Workflow
portentint
PRO
0
630
Navigating the Design Leadership Dip - Product Design Week Design Leaders+ Conference 2024
apolaine
1
370
Technical Leadership for Architectural Decision Making
baasie
3
430
VelocityConf: Rendering Performance Case Studies
addyosmani
333
25k
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
soudai
PRO
67
56k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
2k
The Director’s Chair: Orchestrating AI for Truly Effective Learning
tmiket
1
210
Transcript
Noah Kantrowitz Behind Closed Doors Managing Passwords in a Dangerous
World
Me • Chef-y dude • @kantrn / coderanger • Bloomberg
FOSS
Secrets
Definition • Small • Radioactive • Required
Secrets • Passwords • Tokens • Keys • Other
Passwords • Computer to computer • 1 to ~1024 bytes
• "Internal" or human-y
Tokens • "External" or API • Like passwords
Keys • Whole files • Bigger, chunkier
Other • Kerberos tickets • PCI log files • HIPAA
records
Temperature
Hot / Online • Autonomous access • Used a lot
• Humans need not apply
Cold / Offline • Used rarely • Humans required
Spectrum
Speed
Slow • "Static" • Change is "big" • Less safe
Fast • Changes constantly • Automatic rotation • More safe
Properties of a Secrets Management System
– Jerome Saltzer, Communications of the ACM “Every program and every
privileged user of the system should operate using the least amount of privilege necessary to complete the job.”
Properties • Least privilege • Audit trail
Let's do it!
$ echo "P@s5wd" > secret.txt $ git commit -a -m
"yolo!" $ git push origin master To
[email protected]
:me/myapp.git f35a8c0..c2f0adf master -> master
Attack Surfaces
Surfaces • Brute force • Code leak • Backup leak
• Traversal • Code exec • Root exec • Laptop theft • Higher power
Brute Force • Always be wary • Rate-limit, restrict, rotate
• Make it impossible
Code Leak • Read-only access • No data • "GitHub
oops"
Backup Leak • Still read-only • With database, et al
Traversal • /show?n=about • /show?n=../../passwd • /search?q=;select…
An Aside • Environment variables • Logged, inherited, etc •
Unsafe at any speed
Code Exec • Beyond app security • Infrastructure hygiene •
Service users
Root Exec Lasciate ogne speranza, voi ch'intrate
Laptop Theft • Use disk encryption • Rotate everything
Higher Power • Government • Advanced threat • Natural disaster
Cryptography
Symmetry • Symmetric vs asymmetric • Shared key vs pairs
• Public key not secret
Secret Symmetric Admin Server
Secret Symmetric Admin Server Key
Secret Encrypted Blob Symmetric Admin Server Key
Secret Encrypted Blob Symmetric Admin Server Key Key
Encrypted Blob Secret Encrypted Blob Symmetric Admin Server Key Key
Encrypted Blob Secret Encrypted Blob Secret Symmetric Admin Server Key
Key
Secret Asymmetric Admin Server
Secret Asymmetric Admin Server Key Pair
Secret Asymmetric Admin Server Public Key Key Pair
Secret Encrypted Blob Asymmetric Admin Server Public Key Key Pair
Encrypted Blob Secret Encrypted Blob Asymmetric Admin Server Public Key
Key Pair
Encrypted Blob Secret Secret Encrypted Blob Asymmetric Admin Server Public
Key Key Pair
Mode • Pre-encryption • Symmetric key distribution • Asymmetric key
identity • Trusted third party
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Asymmetric Pre Admin Servers Store A B C
A B Asymmetric Pre Admin Servers Store A B C
A B Asymmetric Pre Admin Servers Store A B A
B C
A B Asymmetric Pre Admin Servers Store A B A
B A B C
A B A B Asymmetric Pre Admin Servers Store A
B A B A B C
A B A B B A Asymmetric Pre Admin Servers
Store A B A B A B C
A B A B B A Asymmetric Pre Admin Servers
Store A B A B A B C
Trusted Third Party Admin TTP Servers A B C D
Trusted Third Party B C Admin TTP Servers A B
C D
Trusted Third Party B C Admin TTP Servers A B
C D
Tools
Text Files • git add … • scp … •
Interns
git-crypt • Git file filter • Symmetric or asymmetric •
Footgun
Cluster Managers • ZooKeeper, Consul, Etcd • ACLs or bust
• Here be dragons
Chef Encrypted Bags • Symmetric, AES-256-GCM • Server vs git
• Turtles all the way down
Ansible Vault • AES-256-CTR + SHA-256 • Still turtles
Hiera Eyaml • PKCS7 (or GPG) • Trusted Third Party
Chef Vault • RSA(encrypted bags) • Asymmetric pre-encrypt • Kind
of still turtle-y
Hashicorp Vault • TTP service • New bar for fast
secrets • Modular design
Keywhiz • TTP • TLS keys, files • Battle tested
Private S3 • IAM roles • Complex policy • Easy
to get started
Amazon KMS • Kool-aid-tastic • Key escrow • Hosted encrypt/decrypt
Sneaker • KMS + S3 • Still kool
Confidant • KMS + DynamoDB • Web-based • Versioned w/
history
Trousseau • Asymmetric pre-encrypt • GPG + modular storage •
S3, GPG, GitHub
Sops • KMS or GPG • Manual storage
Red October • Cold secrets • N of M storage
Barbican Pining for the fjords
Conjur • And other closed source • Trust but verify
HSMs • TPMs otherwise $ $ $ • Dedicated hardware
• Bugs not unheard of
The Hard Problem
Identity • Who are you? • Who am I? •
Why are we in this hand basket?
Pure Identity • TLS client certificates • MySQL, Postgres •
Internal APIs
Integration
API Clients • Vault: HVAC, vault-rails • KMS: botocore, aws-sdk
HVAC # local_settings.py import hvac c = hvac.Client( url='https://vaultserver:8200') DATABASES
= { 'default': { # Other settings ... 'PASSWORD': c.read('secret/dbpass') } }
Config Management • Templates/commands • hiera-vault • Ruby/Python APIs
Chef # recipes/myapp.rb execute 'sneaker unpack ...' template 'local_settings.py' do
# Other properties ... variables pw: citadel['pw'] end
KeywhizFS • FUSE filesystem • Direct key usage • In-memory
Consul Templates • Standalone daemon • Sync Vault data to
files • CM → Templates → files
envconsul • Vault data in $ENV • Beware of logging
Summon • Secrets in $ENV • Modular providers • S3,
Keyring, Conjur
In Summary • Check your privilege and audit trail •
Pick types and temperatures • Think about attack surfaces • Have a disaster plan
Thank You
Questions? @kantrn coderanger.net