Securely Managing Secrets with Vault

Mark Paluch
February 23, 2017

Slides of the talk I gave at Devnexus 2017

Transcript

  1. Securely Managing Secrets with Vault
     Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
     Mark Paluch, Pivotal Software Inc., @mp911de
  2. What is Security?
     - Security is the practice of risk management
       • Deciding which risks can be accepted
       • Guarding against violation
     - Risk increases with system complexity
  3. Exposure
     - An exposed secret is a threat
     - May cause harm
     - Probability increases over time
  4. Trust
     - Trusted entity will not divulge secrets
     [Diagram: "Circle of Trust" (You, Me, 3rd Party) and "Chain of Trust" (Producer, Hop, Hop, Consumer)]
  5. Goals
     - Minimize risk at any given trust link
       • Minimize risk of exposure
     - Get a secret securely from producer to consumer
       • Still, assume secrets may eventually get divulged
  6. Vault Project
     - Secure storage
     - Encryption
     - HA
     - HTTP API
  7. Demo: Start and initialize Vault
  8. Secret sprawl
     - Secrets are distributed in a distributed system
     - Limit access
     - Audit when a secret was accessed, and by whom
     - Discover breach
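The "audit who accessed which secret, and discover a breach" points on this slide can be put into practice by reviewing the log that Vault's file audit device writes (one JSON object per line; secret values in it are HMAC'd, so the log is safe to analyse). The following is an added example, not code from the talk or from the Vault or Spring projects: it parses constructed sample lines that use the real top-level field names (`type`, `time`, `auth.display_name`, `request.operation`, `request.path`, `request.remote_address`), builds an index of who read which secret from where, and flags two things a defender would want to see: reads from outside an assumed trusted network range, and one principal reading more distinct secret paths than the assumed threshold. The network range, the threshold and every log line are assumptions made for the example.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample lines in the shape of Vault's file audit device output
# (one JSON object per line; only the fields used below are included).
SAMPLE_AUDIT_LOG = """
{"time":"2017-02-23T10:00:01Z","type":"response","auth":{"display_name":"approle-orders"},"request":{"operation":"read","path":"secret/orders/db","remote_address":"10.0.1.15"}}
{"time":"2017-02-23T10:00:05Z","type":"response","auth":{"display_name":"approle-orders"},"request":{"operation":"read","path":"secret/orders/db","remote_address":"10.0.1.15"}}
{"time":"2017-02-23T10:02:10Z","type":"response","auth":{"display_name":"ldap-alice"},"request":{"operation":"read","path":"secret/orders/db","remote_address":"203.0.113.7"}}
{"time":"2017-02-23T10:02:11Z","type":"request","auth":{"display_name":"ldap-alice"},"request":{"operation":"read","path":"secret/billing/api-key","remote_address":"203.0.113.7"}}
{"time":"2017-02-23T10:02:12Z","type":"response","auth":{"display_name":"ldap-alice"},"request":{"operation":"read","path":"secret/billing/api-key","remote_address":"203.0.113.7"}}
{"time":"2017-02-23T10:02:13Z","type":"response","auth":{"display_name":"ldap-alice"},"request":{"operation":"read","path":"secret/payments/key","remote_address":"203.0.113.7"}}
{"time":"2017-02-23T10:03:00Z","type":"response","auth":{"display_name":"approle-billing"},"request":{"operation":"list","path":"secret/billing/","remote_address":"10.0.2.8"}}
"""

# Assumptions for the example: workloads live in 10.0.0.0/8, and a single
# client normally needs at most two distinct secret paths.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
MAX_DISTINCT_PATHS = 2


def parse_audit_log(text):
    """Yield (time, principal, operation, path, remote_address) for completed requests."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        # Vault logs a "request" entry before and a "response" entry after
        # handling; the response entry is the record of a completed access.
        if entry.get("type") != "response":
            continue
        req = entry.get("request", {})
        who = entry.get("auth", {}).get("display_name", "<unknown>")
        yield (entry["time"], who, req.get("operation"), req.get("path"),
               req.get("remote_address"))


def build_access_index(text):
    """Map each secret path to the set of (principal, remote_address) that read or listed it."""
    index = defaultdict(set)
    for _, who, op, path, addr in parse_audit_log(text):
        if op in ("read", "list") and path.startswith("secret/"):
            index[path].add((who, addr))
    return dict(index)


def find_suspicious_access(text):
    """Return findings: reads from outside the trusted networks, and principals
    that touched more distinct secret paths than MAX_DISTINCT_PATHS."""
    findings = []
    paths_per_principal = defaultdict(set)
    for ts, who, op, path, addr in parse_audit_log(text):
        if op not in ("read", "list") or not path.startswith("secret/"):
            continue
        paths_per_principal[who].add(path)
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in TRUSTED_NETWORKS):
            findings.append(("untrusted-source", who, path, addr, ts))
    for who, paths in paths_per_principal.items():
        if len(paths) > MAX_DISTINCT_PATHS:
            findings.append(("secret-enumeration", who, len(paths)))
    return findings


if __name__ == "__main__":
    for path, accessors in sorted(build_access_index(SAMPLE_AUDIT_LOG).items()):
        print(path, "<-", sorted(accessors))
    for finding in find_suspicious_access(SAMPLE_AUDIT_LOG):
        print("FINDING", finding)
```

The access index answers the audit question directly (which principals, from which addresses, have ever read a given path), which is also the list of places to rotate from when a secret is believed to be exposed. The two detections are deliberately simple; in a real deployment the trusted ranges and per-client path expectations would come from the same source of truth as the Vault policies.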
  9. Demo: Storing/Loading generic secrets
  10. Lease and Expiry
     - Probability of secret exposure increases over time
     - Ephemeral secrets
     - Rotation
     - Expiration
     - Revocation
     - Built-in "Break Glass" procedure
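The lease model behind this slide is what makes ephemeral secrets workable on the client side: every secret Vault hands out comes with `lease_id`, `lease_duration` (seconds) and `renewable`, and the consumer has to act before the duration runs out. The code below is an added example written for this page, not the talk's demo code and not how Spring Cloud Vault implements its lease renewal: it models a lease from a constructed response (the field names are Vault's, the values are made up), decides at a given time whether to keep using the secret, renew the lease, or rotate (fetch a replacement), and handles the case where a renewal is granted less time than before because the lease is approaching its maximum TTL. The safety margin, the renewal fraction and the "too short to be useful" cutoff are assumptions chosen for the example.

```python
import json
from dataclasses import dataclass

# Constructed sample in the shape of a Vault secret read; the top-level field
# names are real, the lease id and credentials are placeholders.
SAMPLE_RESPONSE = json.loads("""
{"lease_id": "database/creds/readonly/EXAMPLE-LEASE-ID",
 "lease_duration": 3600,
 "renewable": true,
 "data": {"username": "v-readonly-example", "password": "[placeholder]"}}
""")


@dataclass
class Lease:
    lease_id: str
    issued_at: float   # seconds since epoch when the secret was obtained or last renewed
    duration: int      # seconds of validity granted (Vault's lease_duration)
    renewable: bool

    @classmethod
    def from_response(cls, response, now):
        return cls(response["lease_id"], now, int(response["lease_duration"]),
                   bool(response["renewable"]))

    def expires_at(self):
        return self.issued_at + self.duration

    def is_expired(self, now):
        return now >= self.expires_at()


def renewal_deadline(lease, safety_margin=60, fraction=0.8):
    """Time at which the client should act. Acting early leaves room to fetch a
    replacement if the renewal fails. Assumption: act at the earlier of 80% of
    the duration and 60 seconds before expiry (both are policy knobs)."""
    return lease.issued_at + min(lease.duration * fraction,
                                 max(lease.duration - safety_margin, 0))


def next_action(lease, now):
    """Decide what to do at time 'now': keep using the secret, renew, or rotate."""
    if lease.is_expired(now):
        return "rotate"          # never keep using an expired credential
    if now < renewal_deadline(lease):
        return "keep"
    return "renew" if lease.renewable else "rotate"


def apply_renewal(lease, renewal_response, now, min_useful=300):
    """Fold a renewal response into the lease. Vault may grant less time than
    requested once the lease nears its max TTL; when the grant is shorter than
    min_useful seconds (an assumed cutoff), rotate instead of renewing again."""
    new_duration = int(renewal_response["lease_duration"])
    renewed = Lease(lease.lease_id, now, new_duration,
                    bool(renewal_response.get("renewable", lease.renewable)))
    return renewed, ("keep" if new_duration >= min_useful else "rotate")


if __name__ == "__main__":
    lease = Lease.from_response(SAMPLE_RESPONSE, now=1000.0)
    for t in (1000.0, 3900.0):
        print(t, next_action(lease, t))
    # Constructed renewal reply: only 120 s granted, so the client should rotate.
    lease, action = apply_renewal(lease, {"lease_duration": 120, "renewable": True}, 3900.0)
    print("after renewal:", action, "expires at", lease.expires_at())
```

The point the example makes about revocation is implicit: because the consumer already treats expiry and short grants as "rotate", a revoked lease (which makes the next renewal fail) takes the same path, and the application never has to special-case it.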
  11. Dynamic Secret Backends
     - AWS
     - Cassandra
     - Consul
     - MySQL/MSSQL/PostgreSQL
     - MongoDB
     - PKI
     - RabbitMQ
  12. Authentication methods
     - Token
     - Username/password
     - LDAP
     - GitHub Token
     - MFA (Duo)
     - TLS Certificates
     - App ID
     - AppRole
     - AWS EC2
  13. +

  14. Application requirements
     - Access databases and services
     - Rotate credentials
     - Deal with encryption
  15. Demo: Using Spring Vault
  16. Spring Vault
     - Spring 4, Java 1.6
     - Machine authentication
     - Property sources
     - Encryption
  17. Demo: Using Spring Cloud Vault
  18. Spring Cloud Vault
     - Spring Boot integration
     - Uses Spring Vault
     - Property sources
     - Lease renewal
     - Database & service integrations
  19. Resources
     - Vault: vaultproject.io
     - Samples: github.com/mp911de/spring-cloud-vault-config-samples
     - Code: GitHub spring-projects/spring-vault and spring-cloud/spring-cloud-vault-config
     - Slides: mp911.de/sdnx17