Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Taming secrets with Vault
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Jérémy Courtial
June 13, 2017
Programming
0
87
Taming secrets with Vault
Video:
https://www.youtube.com/watch?v=fZDd4-McNSU
Jérémy Courtial
June 13, 2017
Tweet
Share
More Decks by Jérémy Courtial
See All by Jérémy Courtial
sudo give the cloud
mrartichaut
0
27
An introduction to AppSec?
mrartichaut
0
47
Secure by design: introduction to threat modeling
mrartichaut
0
53
Lead Tech: Empowering the team
mrartichaut
0
48
Web Platform Security
mrartichaut
0
48
go doSomeThing()
mrartichaut
0
53
Practical Cryptography : Data Encryption
mrartichaut
0
62
Practical Cryptography : Password Hashing
mrartichaut
1
74
HTTP/2 : One connection to rule them all
mrartichaut
1
62
Other Decks in Programming
See All in Programming
猫の手も借りたい!ので AIエージェント猫を作って社内に放した話 Claude Code × Container Lambda の Slack Bot "DevNeko"
naramomi7
0
260
AHC061解説
shun_pi
0
350
AI主導でFastAPIのWebサービスを作るときに 人間が構造化すべき境界線
okajun35
0
680
PJのドキュメントを全部Git管理にしたら、一番喜んだのはAIだった
nanaism
0
250
DSPy入門 Pythonで実現する自動プロンプト最適化 〜人手によるプロンプト調整からの卒業〜
seaturt1e
1
660
API Platformを活用したPHPによる本格的なWeb API開発 / api-platform-book-intro
ttskch
1
130
受け入れテスト駆動開発(ATDD)×AI駆動開発 AI時代のATDDの取り組み方を考える
kztakasaki
2
550
ふつうのRubyist、ちいさなデバイス、大きな一年 / Ordinary Rubyists, Tiny Devices, Big Year
chobishiba
1
430
ふつうの Rubyist、ちいさなデバイス、大きな一年
bash0c7
0
810
AIコードレビューの導入・運用と AI駆動開発における「AI4QA」の取り組みについて
hagevvashi
0
400
守る「だけ」の優しいEMを抜けて、 事業とチームを両方見る視点を身につけた話
maroon8021
3
690
モジュラモノリスにおける境界をGoのinternalパッケージで守る
magavel
0
3.5k
Featured
See All Featured
Rails Girls Zürich Keynote
gr2m
96
14k
Collaborative Software Design: How to facilitate domain modelling decisions
baasie
0
150
Designing for Timeless Needs
cassininazir
0
160
The Director’s Chair: Orchestrating AI for Truly Effective Learning
tmiket
1
130
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
128
55k
What’s in a name? Adding method to the madness
productmarketing
PRO
24
4k
How GitHub (no longer) Works
holman
316
140k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
254
22k
Become a Pro
speakerdeck
PRO
31
5.8k
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
soudai
PRO
62
51k
Information Architects: The Missing Link in Design Systems
soysaucechin
0
820
Why Your Marketing Sucks and What You Can Do About It - Sophie Logan
marketingsoph
0
100
Transcript
Taming secrets with Vault Jérémy Courtial - Software Security Architect
Oodrive
Secrets & Sensitive data
zookeeper: hosts: zk.services.net environment: dev datasource: driverClassName: org.postgresql.Driver username: tk_user
password: qS5Ji;*bY*pX,94~gepF management: enabled: true context-path: /manage health: enabled: true master-key: YXplcnR5dWlvcHFzZGZnaGprbG13eGN2Ym4sOzo9QCMK server: port: 8080
zookeeper: hosts: zk.services.net environment: dev datasource: driverClassName: org.postgresql.Driver username: tk_user
password: qS5Ji;*bY*pX,94~gepF management: enabled: true context-path: /manage health: enabled: true master-key: YXplcnR5dWlvcHFzZGZnaGprbG13eGN2Ym4sOzo9QCMK server: port: 8080
Why bother?
Traditional security
Traditional security
Trusted network Traditional security
Trusted network def this_is_fine eval(someStr) end Traditional security
Traditional security
"I’m simply saying that hackers, uh… finds a way." Dr.
Ian Malcolm
Defense in depth Don't rely on a single line of
defense
Defense in depth Don't assume threats stop at the gateway
Defense in depth Try smaller trust boundaries
From..
To…
To…
CPU RAM root To… Secrets go here persistent storage users
network?
Traceability & Management
Where are our secrets?
Who can access them?
When are they accessed?
How do we rotate them?
We want those answers BEFORE we need them
The right tool SCM? Configuration management? Secrets management tool
Lots of secrets management tools nowadays Keywhiz (Square) Confidant (Lyft)
KMS (Amazon) Docker Secret
Open Source Multiple storage backends Standalone microservice API & CLI
High availability Encryption-as-a-Service Multiple types of secrets Audit friendly Authentication & Authorization
Demo
$ vault write secret/srvA/credentials pwd=azerty Success! Data written to: secret/srvA/credentials
$ vault read secret/srvA/credentials Key Value --- ----- refresh_interval 768h0m0s
pwd azerty
$ vault read /sys/policy/my-service-A path "secret/srvA/*" { capabilities = ["read"]
}
$ curl https://vault01/v1/secret/srvA/credentials -H 'X-Vault-Token:…' { "request_id": "f9e9b545-c624-ebbb-1dbd- d35e1074a478",
"lease_id": "", "renewable": false, "lease_duration": 2764800, "data": { "pwd": "azerty" …
Protecting secrets Turtles all the way down
Secrets are encrypted at rest How does Vault protect secrets?
Encryption keys only live in memory How does Vault protect
secrets?
How to obtain the Master Key? How does Vault protect
secrets?
Master key split in N shards K shards required Vault
sealed until a quorum is reached Shamir secret sharing
How do apps access secrets? Ask Vault at runtime Need
an authentication token How to pass the token to the app?
Secure introduction Secure distribution Short token lifetime Access detection
Scheduler Vault Service A
Generate wrapped token Policy: app_front Scheduler Vault Service A
Generate wrapped token Policy: app_front Scheduler Vault Service A wrapping_token:
wrap-token ttl: 1min num_use: 1 wrapped_token: app-token policy:app_front
wrapping_token: wrap-token ttl: 1min num_use: 1 wrapped_token: app-token policy:app_front token:
wrap-token num_use: 1 ttl: 1min Scheduler Vault Service A
Deploy / Start token: wrap-token num_use: 1 ttl: 1min wrapping_token:
wrap-token ttl: 1min num_use: 1 wrapped_token: app-token policy:app_front Scheduler Vault Service A
token: wrap-token num_use: 1 ttl: 1min Unwrap wrapping_token: wrap-token ttl:
1min num_use: 1 wrapped_token: app-token policy:app_front Scheduler Vault Service A
client_token: app-token policy:app_front Scheduler Vault Service A
token: app-token Read secret Scheduler Vault Service A
Secure introduction X X X Secure distribution Short token lifetime
Access detection
Vault @ Oodrive
Vault @ Oodrive One service in staging ZooKeeper as storage
backend "Good enough" introduction
Challenges @ Oodrive Ongoing transition to an orchestrated architecture
Challenges @ Oodrive For now: Puppet. No scheduler.
Challenges @ Oodrive Don't want to break everything twice
Challenges @ Oodrive Puppet Server and init script as "scheduler"
Challenges @ Oodrive Leverage existing Puppet authentication
VaultClient client = new Builder(vaultUri) .withTokenAuth(token) .build(); Credentials cred =
client.readSecret( "secret/my-service/db-credentials", Credentials.class); Vanilla Java Client
@SecretPath("credentials") Secret<Credentials> credentialsSecret; … Credentials cred = credentialsSecret.getValue(); Spring
Hopefully to be open sourced
Best practices
Least Privilege all the way!
Vault as single secrets repository
Secrets grouped under service name
Use roles for easier management
Enable ACL on ZooKeeper
Next steps Fully secure introduction Dynamic secrets (db credentials) Vault
as internal PKI
Thanks Questions? To win!
SiteGround - Reliable hosting with speed, security, and support you can count on.
mrartichaut
naramomi7
shun_pi
okajun35
nanaism
seaturt1e
ttskch
kztakasaki
chobishiba
bash0c7
hagevvashi
maroon8021
magavel
gr2m
baasie
cassininazir
tmiket
aki_iinuma
productmarketing
holman
smashingmag
speakerdeck
soudai
soysaucechin
marketingsoph
![$ vault read /sys/policy/my-service-A path "secret/srvA/*" { capabilities = ["read"]](https://files.speakerdeck.com/presentations/2369a92315ef433284144ccb7c9b9d5a/slide_30.jpg){kind=link}
