
Managing Secrets at Scale (Devoxx Morocco 2016)

Mark Paluch
November 02, 2016

Slides of the talk I gave at Devoxx Morocco, 2016.

Transcript

  1. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ Mark Paluch @mp911de github.com/mp911de paluch.biz
  2. TomEE 4
     <Resource id="MySQL Database" type="DataSource">
       UserName test
       Password xMH5uM1V9vQzVUv5LG7YLA==
       PasswordCipher Static3DES
     </Resource>
  3. Vault Project § Secure storages § Sealing/Unsealing § Multiple authentication mechanisms § Multiple secret backends § ACL/policies § HA § HTTP API
  4. Vault Project: Editions. Community: § Secret storage § Tokens and access control policies § Dynamic secrets with leasing and revocation § Key rolling § Audit logs. Enterprise: § HSM § 24x7x365 Phone and Email Support
  5. Start and initialize Vault (Demo)
  6. Storing/Loading generic secrets (Demo)
  7. Authentication methods § Token § Username/password § LDAP § GitHub Token § MFA (Duo) § TLS Certificates § App ID § AppRole § AWS EC2
  8. AppRole: 1 Operator configures AppRole 2 Store RoleID in App configuration 3 Obtain SecretID 4 App start: Vault login with RoleID and SecretID
  9. AWS-EC2: 1 Retrieve PKCS#7 identity document 2 Vault login (PKCS#7 + nonce) 3 Vault: EC2 instance check (EC2 API)
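The three AWS-EC2 steps above, written out against Vault's HTTP API as an added example (this is my code, not from the slides or from Spring Cloud Vault). It assumes the aws-ec2 auth backend is mounted at auth/aws-ec2 (its name in 2016; it was later folded into auth/aws with the same login body), that VAULT_ADDR is set, and a nonce file path of my choosing. The part worth seeing is the nonce: Vault remembers it from an instance's first login and rejects a later login for the same instance ID with a different nonce, so a copied identity document, which anyone on the box can read from the metadata service, is not enough to log in from elsewhere.

```python
"""EC2 instance login to Vault: identity document + nonce (added example)."""
import json
import os
import secrets
import urllib.request

METADATA_PKCS7 = "http://169.254.169.254/latest/dynamic/instance-identity/pkcs7"
NONCE_FILE = "/var/lib/myapp/vault-nonce"   # assumed location; must persist across restarts


def load_or_create_nonce(path=NONCE_FILE):
    """Step 2's nonce: generated once, stored owner-only, reused on every later login.
    Regenerating it would make Vault reject this instance until the whitelist entry expires."""
    try:
        with open(path) as f:
            return f.read().strip()
    except FileNotFoundError:
        nonce = secrets.token_hex(16)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(nonce)
        return nonce


def fetch_pkcs7():
    """Step 1: the AWS-signed identity document in PKCS#7 form from the metadata service."""
    with urllib.request.urlopen(METADATA_PKCS7, timeout=2) as resp:
        return resp.read().decode()


def ec2_login_payload(pkcs7, nonce, role=None):
    """Step 2 body. The metadata service returns PKCS#7 with line breaks; Vault's API
    wants it with all newlines removed. role is optional: without it Vault looks for a
    role named after the instance's AMI ID."""
    if not pkcs7.strip() or not nonce:
        raise ValueError("pkcs7 and nonce are required")
    body = {"pkcs7": pkcs7.replace("\n", ""), "nonce": nonce}
    if role:
        body["role"] = role
    return body


def parse_login(response):
    """Step 3 (signature check, EC2 DescribeInstances) happens inside Vault; we see its verdict."""
    auth = response.get("auth") or {}
    if "client_token" not in auth:
        raise RuntimeError("login rejected: %s" % response.get("errors", response))
    return auth["client_token"], int(auth["lease_duration"])


def ec2_login(role=None, vault_addr=None):
    vault_addr = vault_addr or os.environ["VAULT_ADDR"]
    body = json.dumps(ec2_login_payload(fetch_pkcs7(), load_or_create_nonce(), role)).encode()
    req = urllib.request.Request(f"{vault_addr}/v1/auth/aws-ec2/login", data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return parse_login(json.loads(resp.read()))


# Constructed samples (not a real document or token) so the pure parts can be checked offline.
SAMPLE_PKCS7 = ("MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAaCA\n"
                "JIAEggGWewogICJkZXZwYXlQcm9kdWN0Q29kZXMiIDogbnVsbCwK\nAAAAAAAA")
SAMPLE_LOGIN_RESPONSE = {"auth": {"client_token": "0f2e4d6c-0000-4000-8000-0000000000aa",
                                  "policies": ["default", "ec2-app"], "lease_duration": 1800}}

if __name__ == "__main__":
    token, ttl = ec2_login(role="ec2-app")
    print("logged in; token lease %ds" % ttl)
```

Pair this with `disallow_reauthentication` on the Vault role where instances are immutable, and with `bound_ami_id`/`bound_iam_role_arn` so the role cannot be claimed by arbitrary instances in the account.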
  10. Cubbyhole: 1 Create ephemeral and permanent tokens 2 Store ephemeral token in App configuration 3 App start: Retrieve permanent token from Cubbyhole
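The AppRole steps (slide 8) and the cubbyhole hand-off (slide 10) combined, plus loading a generic secret with the resulting token (slide 6), as an added example that is my code and not from the slides or from Spring Cloud Vault. It uses Vault's response wrapping, which automates the cubbyhole pattern on the slide: Vault mints a single-use, short-lived token, stores the real response in that token's cubbyhole, and hands back only the wrapping token. The operator wraps the SecretID, so the deployment pipeline never sees it in clear; the app unwraps once and logs in with RoleID plus SecretID. It assumes auth/approle and the generic backend at secret/ on their default mounts, VAULT_ADDR set, and the role and secret names below, all of my choosing.

```python
"""AppRole login with a cubbyhole-wrapped SecretID (added example)."""
import json
import os
import urllib.request
from urllib.error import HTTPError


def vault_request(method, path, token=None, body=None, wrap_ttl=None):
    """One call to Vault's HTTP API, returning the decoded JSON body ({} on 204)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{os.environ['VAULT_ADDR']}/v1/{path}", data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    if token:
        req.add_header("X-Vault-Token", token)
    if wrap_ttl:
        req.add_header("X-Vault-Wrap-TTL", wrap_ttl)   # ask Vault to cubbyhole-wrap this response
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def approle_login_payload(role_id, secret_id):
    """Body for POST auth/approle/login (step 4): RoleID from the app's configuration,
    SecretID from the just-unwrapped delivery. Neither half alone can log in."""
    if not role_id or not secret_id:
        raise ValueError("role_id and secret_id are both required")
    return {"role_id": role_id, "secret_id": secret_id}


def parse_wrapping_token(response):
    """A wrapped response carries wrap_info instead of data; refuse anything else,
    since a clear-text SecretID here means the wrap header was not honoured."""
    info = response.get("wrap_info") or {}
    if "token" not in info:
        raise ValueError("expected a wrapped response, got keys %s" % sorted(response))
    return info["token"], int(info["ttl"])


def parse_secret_id(response):
    data = response.get("data") or {}
    if "secret_id" not in data:
        raise ValueError("unwrapped response carries no secret_id")
    return data["secret_id"]


def parse_login(response):
    auth = response.get("auth") or {}
    if "client_token" not in auth:
        raise RuntimeError("login failed: %s" % response.get("errors", response))
    return auth["client_token"], int(auth["lease_duration"]), list(auth.get("policies", []))


def operator_issue_wrapped_secret_id(operator_token, role_name, wrap_ttl="120s"):
    """Step 3, operator side: mint a SecretID but have Vault wrap it, so only a
    short-lived single-use wrapping token travels through the deployment pipeline."""
    response = vault_request("POST", f"auth/approle/role/{role_name}/secret-id",
                             token=operator_token, wrap_ttl=wrap_ttl)
    return parse_wrapping_token(response)


def app_login(role_id, wrapping_token):
    """Step 4, app start: unwrap the SecretID once, then log in with RoleID + SecretID."""
    try:
        unwrapped = vault_request("POST", "sys/wrapping/unwrap", token=wrapping_token)
    except HTTPError as e:
        # Wrapping tokens are single-use and short-lived: failure here means the token
        # expired or someone else already unwrapped it. Treat that SecretID as burned.
        raise RuntimeError("unwrap failed (HTTP %d): wrapping token used or expired" % e.code) from e
    payload = approle_login_payload(role_id, parse_secret_id(unwrapped))
    return parse_login(vault_request("POST", "auth/approle/login", body=payload))


def read_generic_secret(client_token, path):
    """Loading a generic secret such as secret/myapp with the token obtained at login."""
    return vault_request("GET", f"secret/{path}", token=client_token)["data"]


# Constructed responses in Vault's JSON shape (fake ids) so the parsers can run offline.
SAMPLE_WRAPPED = {"wrap_info": {"token": "2d8f3c1a-0000-4000-8000-000000000001", "ttl": 120,
                                "creation_time": "2016-11-02T10:00:00Z"}}
SAMPLE_UNWRAPPED = {"data": {"secret_id": "7b1e4d9c-0000-4000-8000-000000000002",
                             "secret_id_accessor": "c3a1b2d4-0000-4000-8000-000000000003"}}
SAMPLE_LOGIN = {"auth": {"client_token": "9a0b1c2d-0000-4000-8000-000000000004", "renewable": True,
                         "lease_duration": 3600, "policies": ["default", "myapp"]}}

if __name__ == "__main__":
    role_id = os.environ["APP_ROLE_ID"]                # baked into the app's configuration (step 2)
    wrapping_token = os.environ["APP_WRAPPING_TOKEN"]  # injected at deploy time (step 3)
    token, ttl, policies = app_login(role_id, wrapping_token)
    print("client token valid for %ds with policies %s" % (ttl, policies))
    print(sorted(read_generic_secret(token, "myapp")))
```

Because the wrapping token can be used exactly once, an unwrap failure at startup is a signal, not a retry case: the SecretID was either intercepted or the token outlived its TTL, and the operator should mint a fresh one and look at the audit log for the first unwrap.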
  11. Operation hints § Use SSL § Use SSL § Keep unseal keys secret § Operate in High-Availability setup
  12. Secret Backends § AWS § Cassandra § Consul § MySQL/MSSQL/PostgreSQL § MongoDB § PKI § RabbitMQ
  13. Spring Cloud Vault Config (Demo)
  14. Resources § Vault: vaultproject.io § Code: github.com/spring-cloud-incubator/spring-cloud-vault-config § Samples: github.com/mp911de/spring-cloud-vault-config-samples § Slides: mp911.de/dmsas