
Managing Secrets at Scale (Devoxx Morocco 2016)

Mark Paluch
November 02, 2016


Slides of the talk I gave at Devoxx Morocco, 2016.


Transcript

  1. Managing Secrets at Scale Mark Paluch @mp911de paluch.biz spring.io #devoxxma

  2. Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
    Mark Paluch @mp911de github.com/mp911de paluch.biz
  4. TomEE
    <Resource id="MySQL Database" type="DataSource">
      UserName test
      Password xMH5uM1V9vQzVUv5LG7YLA==
      PasswordCipher Static3DES
    </Resource>
  5. https://www.flickr.com/photos/dahlstroms/4188244058

  7. https://www.flickr.com/photos/nateone/5456129071

  10. Vault Project
    § Secure storages
    § Sealing/Unsealing
    § Multiple authentication mechanisms
    § Multiple secret backends
    § ACL/policies
    § HA
    § HTTP API
  11. Vault Project: Editions
    Community:
    § Secret storage
    § Tokens and access control policies
    § Dynamic secrets with leasing and revocation
    § Key rolling
    § Audit logs
    Enterprise (adds):
    § HSM
    § 24x7x365 Phone and Email Support
  12. Demo: Start and initialize Vault
  13. Demo: Storing/Loading generic secrets
  14. Authentication methods
    § Token
    § Username/password
    § LDAP
    § GitHub Token
    § MFA (Duo)
    § TLS Certificates
    § App ID
    § AppRole
    § AWS EC2
  15. https://www.flickr.com/photos/kristencavanaugh/10710047746

  16. AppRole
    1 Operator configures AppRole
    2 Store RoleID in App configuration
    3 Obtain SecretId
    4 App start: Vault login with AppId and UserId
  17. AWS-EC2
    1 Retrieve PKCS#7 identity document
    2 Vault Login (PKCS#7 + nonce)
    3 Vault: EC2 Instance check (EC2 API)
  18. Cubbyhole
    1 Create ephemeral and permanent tokens
    2 Store ephemeral token in App configuration
    3 App Start: Retrieve permanent token from Cubbyhole
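The AppRole login (slide 16) and the Cubbyhole token hand-off (slide 18) as one exchange against Vault's HTTP API, written here as an added example that is not part of the deck or of Spring Cloud Vault. The `cubbyhole/app-token` path, the `token` key, all token values and the use-limited fake server are assumptions; the endpoints and the `X-Vault-Token` header are Vault's own.

```python
import json
import urllib.request

def http_send(method, url, token=None, body=None):
    """Real transport: one Vault HTTP API call, decoded JSON back."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)  # Vault's token header
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def approle_login(send, addr, role_id, secret_id):
    """Slide 16, step 4: trade the RoleID from app config plus the SecretID
    for a client token. Neither ID is a usable Vault token on its own."""
    resp = send("POST", addr + "/v1/auth/approle/login", None,
                {"role_id": role_id, "secret_id": secret_id})
    return resp["auth"]["client_token"]

def cubbyhole_bootstrap(send, addr, ephemeral_token, path="cubbyhole/app-token"):
    """Slide 18, step 3: the ephemeral token from app config reads the permanent
    token stored in its own cubbyhole ('path' and 'token' key are assumptions)."""
    resp = send("GET", addr + "/v1/" + path, ephemeral_token)
    return resp["data"]["token"]

class FakeVault:
    """Constructed stand-in for Vault: canned responses, a call log, and an
    ephemeral token accepted only once (models a use-limited token)."""
    def __init__(self):
        self.calls, self.ephemeral_uses = [], {}
        self.responses = {
            ("POST", "/v1/auth/approle/login"): {"auth": {"client_token": "TOKEN-approle-demo"}},
            ("GET", "/v1/cubbyhole/app-token"): {"data": {"token": "TOKEN-permanent-demo"}},
        }
    def send(self, method, url, token=None, body=None):
        path = url[url.index("/v1"):]
        self.calls.append((method, path, token, body))
        if token and token.startswith("TOKEN-ephemeral"):
            self.ephemeral_uses[token] = self.ephemeral_uses.get(token, 0) + 1
            if self.ephemeral_uses[token] > 1:
                raise PermissionError("ephemeral token already used up")
        return self.responses[(method, path)]

if __name__ == "__main__":
    fake, addr = FakeVault(), "http://127.0.0.1:8200"
    print(approle_login(fake.send, addr, "demo-role-id", "demo-secret-id"))
    print(cubbyhole_bootstrap(fake.send, addr, "TOKEN-ephemeral-1"))
```

Against a real server, swap `fake.send` for `http_send`; the second cubbyhole read failing is the property that makes the ephemeral token safe to ship in configuration.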
  19. Operation hints
    § Use SSL
    § Use SSL
    § Keep unseal keys secret
    § Operate in High-Availability setup
  20. Secret Backends
    § AWS
    § Cassandra
    § Consul
    § MySQL/MSSQL/PostgreSQL
    § MongoDB
    § PKI
    § RabbitMQ
  21. Demo: Spring Cloud Vault Config
  22. + 1.0.0 M1

  23. Feedback welcome

  24. Resources
    § Vault: vaultproject.io
    § Code: github.com/spring-cloud-incubator/spring-cloud-vault-config
    § Samples: github.com/mp911de/spring-cloud-vault-config-samples
    § Slides: mp911.de/dmsas
  25. Learn More. Stay Connected. Twitter: @mp911de Github: github.com/mp911de Website: paluch.biz