Taming secrets with Vault

Transcript

1. Taming secrets with Vault Jérémy Courtial - Software Security Architect


   Oodrive

2. Secrets & Sensitive data

3. zookeeper: hosts: zk.services.net environment: dev datasource: driverClassName: org.postgresql.Driver username: tk_user

   password: qS5Ji;*bY*pX,94~gepF management: enabled: true context-path: /manage health: enabled: true master-key: YXplcnR5dWlvcHFzZGZnaGprbG13eGN2Ym4sOzo9QCMK server: port: 8080

4. zookeeper: hosts: zk.services.net environment: dev datasource: driverClassName: org.postgresql.Driver username: tk_user

   password: qS5Ji;*bY*pX,94~gepF management: enabled: true context-path: /manage health: enabled: true master-key: YXplcnR5dWlvcHFzZGZnaGprbG13eGN2Ym4sOzo9QCMK server: port: 8080

5. Why bother?

6. Traditional security

7. Traditional security

8. Trusted network Traditional security

9. Trusted network def this_is_fine eval(someStr) end Traditional security

10. Traditional security

11. "I’m simply saying that hackers, uh… finds a way." Dr.

    Ian Malcolm

12. Defense in depth Don't rely on a single line of

    defense

13. Defense in depth Don't assume threats stop at the gateway

14. Defense in depth Try smaller trust boundaries

15. From..

16. To…

17. To…

18. CPU RAM root To… Secrets go here persistent storage users

    network?

19. Traceability & Management

20. Where are our secrets?

21. Who can access them?

22. When are they accessed?

23. How do we rotate them?

24. We want those answers BEFORE we need them

25. The right tool SCM? Configuration management? Secrets management tool

26. Lots of secrets management tools nowadays Keywhiz (Square) Confidant (Lyft)

    KMS (Amazon) Docker Secret

27. Open Source Multiple storage backends Standalone microservice API & CLI

    High availability Encryption-as-a-Service Multiple types of secrets Audit friendly Authentication & Authorization

28. Demo

29. $ vault write secret/srvA/credentials pwd=azerty Success! Data written to: secret/srvA/credentials

30. $ vault read secret/srvA/credentials Key Value --- ----- refresh_interval 768h0m0s

    pwd azerty

31. $ vault read /sys/policy/my-service-A path "secret/srvA/*" { capabilities = ["read"]

    }

32. $ curl https://vault01/v1/secret/srvA/credentials 
 -H 'X-Vault-Token:…' { "request_id": "f9e9b545-c624-ebbb-1dbd- d35e1074a478",

    "lease_id": "", "renewable": false, "lease_duration": 2764800, "data": { "pwd": "azerty" …

33. Protecting secrets
 Turtles all the way down

34. Secrets are encrypted at rest How does Vault protect secrets?

35. Encryption keys only live in memory How does Vault protect

    secrets?

36. How to obtain the Master Key? How does Vault protect

    secrets?

37. Master key split in N shards K shards required Vault

    sealed until a quorum is reached Shamir secret sharing

38. How do apps access secrets? Ask Vault at runtime Need

    an authentication token How to pass the token to the app?

39. Secure introduction Secure distribution Short token lifetime Access detection

40. Scheduler Vault Service A

41. Generate wrapped token Policy: app_front Scheduler Vault Service A

42. Generate wrapped token Policy: app_front Scheduler Vault Service A wrapping_token:

    wrap-token ttl: 1min num_use: 1 wrapped_token: app-token policy:app_front

43. wrapping_token: wrap-token ttl: 1min num_use: 1 wrapped_token: app-token policy:app_front token:

    wrap-token num_use: 1 ttl: 1min Scheduler Vault Service A

44. Deploy / Start token: wrap-token num_use: 1 ttl: 1min wrapping_token:

    wrap-token ttl: 1min num_use: 1 wrapped_token: app-token policy:app_front Scheduler Vault Service A

45. token: wrap-token num_use: 1 ttl: 1min Unwrap wrapping_token: wrap-token ttl:

    1min num_use: 1 wrapped_token: app-token policy:app_front Scheduler Vault Service A

46. client_token: app-token policy:app_front Scheduler Vault Service A

47. token: app-token Read secret Scheduler Vault Service A

48. Secure introduction X X X Secure distribution Short token lifetime

    Access detection

49. Vault @ Oodrive

50. Vault @ Oodrive One service in staging ZooKeeper as storage

    backend "Good enough" introduction

51. Challenges @ Oodrive Ongoing transition to an orchestrated architecture

52. Challenges @ Oodrive For now: Puppet. 
 No scheduler.

53. Challenges @ Oodrive Don't want to break
 everything twice

54. Challenges @ Oodrive Puppet Server and init script as "scheduler"

55. Challenges @ Oodrive Leverage existing Puppet authentication

56. VaultClient client = new Builder(vaultUri) .withTokenAuth(token) .build(); Credentials cred =

    client.readSecret( "secret/my-service/db-credentials", Credentials.class); Vanilla Java Client

57. @SecretPath("credentials") Secret<Credentials> credentialsSecret; … Credentials cred = credentialsSecret.getValue(); Spring

58. Hopefully to be open sourced

59. Best practices

60. Least Privilege all the way!

61. Vault as single secrets repository

62. Secrets grouped under service name

63. Use roles for easier management

64. Enable ACL on ZooKeeper

65. Next steps Fully secure introduction Dynamic secrets (db credentials) Vault

    as internal PKI

66. Thanks Questions? To win!