Managing Secrets at Scale (Devoxx Morocco 2016)

Mark Paluch
November 02, 2016

Slides of the talk I gave at Devoxx Morocco, 2016.


Transcript

  1. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
     Mark Paluch @mp911de github.com/mp911de paluch.biz
  2. TomEE 4
     <Resource id="MySQL Database" type="DataSource">
         UserName test
         Password xMH5uM1V9vQzVUv5LG7YLA==
         PasswordCipher Static3DES
     </Resource>
     The password is not really protected here: Static3DES encrypts with a fixed key that ships with the container, so anyone who can read this file can recover the plaintext. This is obfuscation, not secret management, and it is the starting point the rest of the talk moves away from.
  3. Vault Project § Secure storage § Sealing/Unsealing § Multiple authentication mechanisms § Multiple secret backends § ACL/policies § HA § HTTP API
  4. Vault Project: Editions
     Community: § Secret storage § Tokens and access control policies § Dynamic secrets with leasing and revocation § Key rolling § Audit logs
     Enterprise (adds): § HSM § 24x7x365 Phone and Email Support
  5. Demo: Start and initialize Vault
  6. Demo: Storing/Loading generic secrets
  7. Authentication methods § Token § Username/password § LDAP § GitHub Token § MFA (Duo) § TLS Certificates § App ID § AppRole § AWS EC2
  8. AppRole 1 Operator configures AppRole 2 Store RoleID in App configuration 3 Obtain SecretID 4 App start: Vault login with RoleID and SecretID
     RoleID and SecretID are meant to travel over different channels (the RoleID baked into configuration, the SecretID handed over at deploy time), so that neither artefact on its own is enough to log in.
  9. AWS-EC2 1 Retrieve PKCS#7 identity document (from the EC2 instance metadata service) 2 Vault Login (PKCS#7 + nonce) 3 Vault: EC2 Instance check (EC2 API)
     Vault verifies the AWS signature on the identity document and records the nonce on the first login; later logins from the same instance must present the same nonce, which stops a copied identity document from being replayed by someone else.
  10. Cubbyhole 1 Create ephemeral and permanent tokens 2 Store ephemeral token in App configuration 3 App Start: Retrieve permanent token from Cubbyhole
     The ephemeral (response-wrapping) token is short-lived and single-use, so the permanent token never appears in configuration, and if the application fails to unwrap at start the hand-off was already consumed by someone else and must be treated as compromised.
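As an added example (not code from the slides, from Vault or from Spring Cloud Vault), here is the application side of the AppRole login (slide 8) and of the cubbyhole hand-off (slide 10) in Python, using only the standard library and Vault's HTTP API paths and JSON shapes. Because the snippet cannot reach a real Vault, it includes a constructed stand-in server (FakeVault) whose role ID, secret ID, tokens and the secret at secret/app are made up for the demo; the one Vault behaviour it reproduces deliberately is that a response-wrapping token can be redeemed exactly once. The operator steps (enabling the AppRole backend, creating the role, wrapping the permanent token) are assumed to have happened already.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class VaultClient:
    """Minimal Vault HTTP client using only urllib (added example code)."""

    def __init__(self, addr):
        self.addr = addr.rstrip("/")

    def _request(self, method, path, token=None, body=None):
        headers = {"Content-Type": "application/json"}
        if token:
            headers["X-Vault-Token"] = token
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{self.addr}/v1/{path}", data=data,
                                     headers=headers, method=method)
        try:
            with urllib.request.urlopen(req) as resp:
                return json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as e:
            # Vault reports failures as a 4xx with {"errors": [...]}.
            errors = json.loads(e.read() or b"{}").get("errors")
            raise PermissionError(f"{path}: HTTP {e.code} {errors}") from None

    def approle_login(self, role_id, secret_id):
        """AppRole step 4: exchange RoleID + SecretID for a client token."""
        out = self._request("POST", "auth/approle/login",
                            body={"role_id": role_id, "secret_id": secret_id})
        return out["auth"]["client_token"]

    def unwrap(self, wrapping_token):
        """Cubbyhole step 3: redeem the single-use wrapping token for the
        permanent token that was response-wrapped into its cubbyhole."""
        out = self._request("POST", "sys/wrapping/unwrap", token=wrapping_token)
        return out["auth"]["client_token"]

    def read_secret(self, token, path):
        return self._request("GET", path, token=token)["data"]


class FakeVault(BaseHTTPRequestHandler):
    """Constructed test double standing in for a Vault server (NOT Vault)."""
    role_id, secret_id = "demo-role-id", "demo-secret-id"          # constructed
    approle_token, permanent_token = "approle-token", "perm-token"  # constructed
    wrapping_token, wrap_uses_left = "wrap-token", 1  # wrapping tokens are single-use
    secrets = {"secret/app": {"db.password": "s3cr3t"}}            # constructed

    def log_message(self, *args):  # silence request logging
        pass

    def _json(self, status, obj):
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(obj).encode())

    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length") or 0)) or b"{}")
        token = self.headers.get("X-Vault-Token")
        if self.path == "/v1/auth/approle/login":
            if (body.get("role_id"), body.get("secret_id")) == (self.role_id, self.secret_id):
                return self._json(200, {"auth": {"client_token": self.approle_token,
                                                 "lease_duration": 3600, "renewable": True}})
            return self._json(400, {"errors": ["invalid role or secret ID"]})
        if self.path == "/v1/sys/wrapping/unwrap":
            if token == self.wrapping_token and FakeVault.wrap_uses_left > 0:
                FakeVault.wrap_uses_left -= 1  # consumed: any later unwrap must fail
                return self._json(200, {"auth": {"client_token": self.permanent_token}})
            return self._json(400, {"errors": ["wrapping token is not valid or does not exist"]})
        self._json(404, {"errors": []})

    def do_GET(self):
        path = self.path[len("/v1/"):]
        if self.headers.get("X-Vault-Token") in (self.approle_token, self.permanent_token) \
                and path in self.secrets:
            return self._json(200, {"data": self.secrets[path]})
        self._json(403, {"errors": ["permission denied"]})


def run_demo():
    """Run both flows against the stand-in; returns what the app observed."""
    FakeVault.wrap_uses_left = 1
    server = HTTPServer(("127.0.0.1", 0), FakeVault)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        vault = VaultClient(f"http://127.0.0.1:{server.server_address[1]}")
        result = {}
        # AppRole: RoleID lives in the app config, SecretID is delivered separately.
        token = vault.approle_login(FakeVault.role_id, FakeVault.secret_id)
        result["approle_secret"] = vault.read_secret(token, "secret/app")
        # Cubbyhole: only the ephemeral wrapping token sits in the app config.
        permanent = vault.unwrap(FakeVault.wrapping_token)
        result["cubbyhole_secret"] = vault.read_secret(permanent, "secret/app")
        # A second unwrap must be rejected; if the *first* one had failed, someone
        # else redeemed the wrapping token before the app and the hand-off is burnt.
        try:
            vault.unwrap(FakeVault.wrapping_token)
            result["second_unwrap_rejected"] = False
        except PermissionError:
            result["second_unwrap_rejected"] = True
        return result
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Against a real Vault you would drop FakeVault, point VaultClient at the HTTPS address (the "Use TLS" hint on the next slide applies to this client as well) and read the RoleID and the wrapping token from the application's configuration rather than from the stand-in's class attributes.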
  11. Operation hints § Use TLS § Use TLS § Keep unseal keys secret § Operate in a High-Availability setup
     Unseal keys are Shamir shares of the master key: hand each share to a different key holder and never store the shares together or alongside the Vault data, since whoever collects a threshold of them can unseal and read everything.
  12. Secret Backends § AWS § Cassandra § Consul § MySQL/MSSQL/PostgreSQL § MongoDB § PKI § RabbitMQ
  13. Demo: Spring Cloud Vault Config
  14. Resources § Vault: vaultproject.io § Code: github.com/spring-cloud-incubator/spring-cloud-vault-config § Samples: github.com/mp911de/spring-cloud-vault-config-samples § Slides: mp911.de/dmsas