Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Behind Closed Doors: Managing Passwords in a Da...
Search
Noah Kantrowitz
April 27, 2016
Technology
0
3.4k
Behind Closed Doors: Managing Passwords in a Dangerous World
Noah Kantrowitz
April 27, 2016
Tweet
Share
More Decks by Noah Kantrowitz
See All by Noah Kantrowitz
What Python Can Learn From Other Languages
coderanger
0
60
What Python Can Learn From Other Languages (with notes)
coderanger
0
160
Swiss Army Django: Small Footprint ETL (with notes) - DjangoCon US
coderanger
0
220
Swiss Army Django: Small Footprint ETL - DjangoCon US
coderanger
0
58
How to look at space: PyCon AU
coderanger
0
100
Swiss Army Django: Small Footprint ETL
coderanger
0
90
Swiss Army Django: Small Footprint ETL (with notes)
coderanger
0
82
Minimum Viable Kubernetes
coderanger
0
37
Minimum Viable Kubernetes (with notes)
coderanger
0
440
Other Decks in Technology
See All in Technology
生成AI時代 文字コードを学ぶ意義を見出せるか?
hrsued
1
780
20250707-AI活用の個人差を埋めるチームづくり
shnjtk
3
3k
生成AI開発案件におけるClineの業務活用事例とTips
shinya337
0
220
Connect 100+を支える技術
kanyamaguc
0
180
Flutter向けPDFビューア、pdfrxのpdfium WASM対応について
espresso3389
0
120
20250705 Headlamp: 專注可擴展性的 Kubernetes 用戶界面
pichuang
0
190
第4回Snowflake 金融ユーザー会 Snowflake summit recap
tamaoki
0
200
AIの全社活用を推進するための安全なレールを敷いた話
shoheimitani
2
310
fukabori.fm 出張版: 売上高617億円と高稼働率を陰で支えた社内ツール開発のあれこれ話 / 20250704 Yoshimasa Iwase & Tomoo Morikawa
shift_evolve
PRO
2
6.1k
React開発にStorybookとCopilotを導入して、爆速でUIを編集・確認する方法
yu_kod
1
140
Geminiとv0による高速プロトタイピング
shinya337
0
230
Zero Data Loss Autonomous Recovery Service サービス概要
oracle4engineer
PRO
2
7.7k
Featured
See All Featured
Typedesign – Prime Four
hannesfritz
42
2.7k
How GitHub (no longer) Works
holman
314
140k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.3k
BBQ
matthewcrist
89
9.7k
Automating Front-end Workflow
addyosmani
1370
200k
Faster Mobile Websites
deanohume
307
31k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.4k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
960
Building an army of robots
kneath
306
45k
Transcript
Noah Kantrowitz Behind Closed Doors Managing Passwords in a Dangerous
World
Me • Chef-y dude • @kantrn / coderanger • Bloomberg
FOSS
Secrets
Definition • Small • Radioactive • Required
Secrets • Passwords • Tokens • Keys • Other
Passwords • Computer to computer • 1 to ~1024 bytes
• "Internal" or human-y
Tokens • "External" or API • Like passwords
Keys • Whole files • Bigger, chunkier
Other • Kerberos tickets • PCI log files • HIPAA
records
Temperature
Hot / Online • Autonomous access • Used a lot
• Humans need not apply
Cold / Offline • Used rarely • Humans required
Spectrum
Speed
Slow • "Static" • Change is "big" • Less safe
Fast • Changes constantly • Automatic rotation • More safe
Properties of a Secrets Management System
– Jerome Saltzer, Communications of the ACM “Every program and every
privileged user of the system should operate using the least amount of privilege necessary to complete the job.”
Properties • Least privilege • Audit trail
Let's do it!
$ echo "P@s5wd" > secret.txt $ git commit -a -m
"yolo!" $ git push origin master To
[email protected]
:me/myapp.git f35a8c0..c2f0adf master -> master
Attack Surfaces
Surfaces • Brute force • Code leak • Backup leak
• Traversal • Code exec • Root exec • Laptop theft • Higher power
Brute Force • Always be wary • Rate-limit, restrict, rotate
• Make it impossible
Code Leak • Read-only access • No data • "GitHub
oops"
Backup Leak • Still read-only • With database, et al
Traversal • /show?n=about • /show?n=../../passwd • /search?q=;select…
An Aside • Environment variables • Logged, inherited, etc •
Unsafe at any speed
Code Exec • Beyond app security • Infrastructure hygiene •
Service users
Root Exec Lasciate ogne speranza, voi ch'intrate
Laptop Theft • Use disk encryption • Rotate everything
Higher Power • Government • Advanced threat • Natural disaster
Cryptography
Symmetry • Symmetric vs asymmetric • Shared key vs pairs
• Public key not secret
Secret Symmetric Admin Server
Secret Symmetric Admin Server Key
Secret Encrypted Blob Symmetric Admin Server Key
Secret Encrypted Blob Symmetric Admin Server Key Key
Encrypted Blob Secret Encrypted Blob Symmetric Admin Server Key Key
Encrypted Blob Secret Encrypted Blob Secret Symmetric Admin Server Key
Key
Secret Asymmetric Admin Server
Secret Asymmetric Admin Server Key Pair
Secret Asymmetric Admin Server Public Key Key Pair
Secret Encrypted Blob Asymmetric Admin Server Public Key Key Pair
Encrypted Blob Secret Encrypted Blob Asymmetric Admin Server Public Key
Key Pair
Encrypted Blob Secret Secret Encrypted Blob Asymmetric Admin Server Public
Key Key Pair
Mode • Pre-encryption • Symmetric key distribution • Asymmetric key
identity • Trusted third party
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Symmetric Pre Admin Servers Store
Asymmetric Pre Admin Servers Store A B C
A B Asymmetric Pre Admin Servers Store A B C
A B Asymmetric Pre Admin Servers Store A B A
B C
A B Asymmetric Pre Admin Servers Store A B A
B A B C
A B A B Asymmetric Pre Admin Servers Store A
B A B A B C
A B A B B A Asymmetric Pre Admin Servers
Store A B A B A B C
A B A B B A Asymmetric Pre Admin Servers
Store A B A B A B C
Trusted Third Party Admin TTP Servers A B C D
Trusted Third Party B C Admin TTP Servers A B
C D
Trusted Third Party B C Admin TTP Servers A B
C D
Tools
Text Files • git add … • scp … •
Interns
git-crypt • Git file filter • Symmetric or asymmetric •
Footgun
Cluster Managers • ZooKeeper, Consul, Etcd • ACLs or bust
• Here be dragons
Chef Encrypted Bags • Symmetric, AES-256-GCM • Server vs git
• Turtles all the way down
Ansible Vault • AES-256-CTR + SHA-256 • Still turtles
Hiera Eyaml • PKCS7 (or GPG) • Trusted Third Party
Chef Vault • RSA(encrypted bags) • Asymmetric pre-encrypt • Kind
of still turtle-y
Hashicorp Vault • TTP service • New bar for fast
secrets • Modular design
Keywhiz • TTP • TLS keys, files • Battle tested
Private S3 • IAM roles • Complex policy • Easy
to get started
Amazon KMS • Kool-aid-tastic • Key escrow • Hosted encrypt/decrypt
Sneaker • KMS + S3 • Still kool
Confidant • KMS + DynamoDB • Web-based • Versioned w/
history
Trousseau • Asymmetric pre-encrypt • GPG + modular storage •
S3, GPG, GitHub
Sops • KMS or GPG • Manual storage
Red October • Cold secrets • N of M storage
Barbican Pining for the fjords
Conjur • And other closed source • Trust but verify
HSMs • TPMs otherwise $ $ $ • Dedicated hardware
• Bugs not unheard of
The Hard Problem
Identity • Who are you? • Who am I? •
Why are we in this hand basket?
Pure Identity • TLS client certificates • MySQL, Postgres •
Internal APIs
Integration
API Clients • Vault: HVAC, vault-rails • KMS: botocore, aws-sdk
HVAC # local_settings.py import hvac c = hvac.Client( url='https://vaultserver:8200') DATABASES
= { 'default': { # Other settings ... 'PASSWORD': c.read('secret/dbpass') } }
Config Management • Templates/commands • hiera-vault • Ruby/Python APIs
Chef # recipes/myapp.rb execute 'sneaker unpack ...' template 'local_settings.py' do
# Other properties ... variables pw: citadel['pw'] end
KeywhizFS • FUSE filesystem • Direct key usage • In-memory
Consul Templates • Standalone daemon • Sync Vault data to
files • CM → Templates → files
envconsul • Vault data in $ENV • Beware of logging
Summon • Secrets in $ENV • Modular providers • S3,
Keyring, Conjur
In Summary • Check your privilege and audit trail •
Pick types and temperatures • Think about attack surfaces • Have a disaster plan
Thank You
Questions? @kantrn coderanger.net