Can You Keep a Secret?

Can You Keep a Secret DrupalSouth 2017 - Auckland

Nick Santamaria • Drupal developer since 2006 • SysOps Engineer
at PreviousNext • HashiCorp fanboi • @nicksanta • drupal.org/user/87915

Secret Management Crash Course

Are you in the right place?

What are Secrets?

Passwords • Database • Cache Backend • Search Index •
Document Store

API Keys • Cloud Platform • Payment Processor • Email
Marketing • CI / CD Pipeline

Cryptographic Keys • SSH Key Pairs • TLS Certificates •
AES Encryption Keys

Kinda-but-not-really Secrets • Financial Credentials • Confidential Data • Personally
Identifiable Information (PII)

Telling Secrets to the Application

Stored in Repo

Stored in Database

Placed by Config Management • Puppet • Ansible • CloudFormation
• Terraform Variation Complication Baked into AMI AMI per security boundary Encrypted secrets in code Orchestrating key distribution

Hand Crafted Config

So What's the Problem?

"Secret Sprawl"

Impossible to Audit

Difficulty Rotating Keys

What Happens When You're Compromised?

Secret Management The Solution

Secret Management SOLUTION Centralise storage PROBLEM "Secret Sprawl"

Secret Management SOLUTION Authentication layer Standardised policy framework PROBLEM Who
has access?

Secret Management SOLUTION Audit logs PROBLEM Who accessed what and
when did they do it?

SOLUTION Centralised storage Leases Dynamic secrets Secret Management PROBLEM Rotating
secrets is time consuming and error prone

SOLUTION Well-defined "break-glass" procedure Secret Management PROBLEM

Drupal Recipes

Store API Tokens in Lockr Recipe #1

Setup - Services • Lockr - lockr.io • MailChimp -
mailchimp.com

Setup - Code • Drupal 8.4 • drupal.org/project/mailchimp • drupal.org/project/lockr
• drupal.org/project/key ◦ ^1.4 (1.x-dev for now)

Config Export - Before api_key: 8b777e6f871ae009da60c54db84b7eb621a296d9 cron: false batch_limit: 100
api_classname: Mailchimp\Mailchimp test_mode: false drupal-project / config-export / mailchimp.settings.yml

Config Export - After api_key: null cron: false batch_limit: 100
api_classname: Mailchimp\Mailchimp test_mode: false drupal-project / config-export / mailchimp.settings.yml ←

Config Export - After dependencies: module: - lockr - mailchimp
id: mailchimp_token label: 'MailChimp Token' description: 'API token for mailchimp integration' key_provider: lockr key_provider_settings: encoded: aes-128-ctr-sha256$nHlAw2BcTCHVTGQ01kDe9psWgItkrZ55qY4xV36BbGo=$+xgMdEzk6lsDy21h9j…. key_input: text_field drupal-project / config-export / key.key.mailchimp_token.yml } Key safely stored in lockr storage provider

Config Export - After status: true dependencies: config: - key.key.mailchimp_token
- mailchimp.settings id: mailchimp_api label: 'MailChimp API' config_type: system.simple config_name: mailchimp.settings config_item: api_key key_id: mailchimp_token drupal-project / config-export / key.config_override.mailchimp_token.yml } mailchimp.api_key config now overridden by key.repository.mailchimp_token

• Attackers can't obtain API keys from ◦ DB leaks
◦ Codebase leaks ◦ Stolen developer machine Advantages

Encrypt Fields with KMS Recipe #2

Setup - Services • AWS • IAM User • KMS
Key

Setup - Code • Drupal 8.4 • drupal.org/project/key • drupal.org/project/encrypt
• drupal.org/project/field_encrypt • Encrypt KMS ◦ drupal.org/sandbox/nickurbits/2923717

• Sensitive data not exposed in DB leak • Decryption
key not stored in codebase • Rotating AWS API token doesn't break encryption. Advantages

Dynamic Database Credentials with Vault Recipe #3

Setup • Drupal • HashiCorp Vault ◦ vaultproject.io • Consul
Template ◦ github.com/hashicorp/consul-template

Setup - Vault $ vault mount database Successfully mounted 'database'
at 'database'! Mount the database secret backend

$ vault write database/config/mysql \ plugin_name=mysql-database-plugin \ allowed_roles="drupal" \ connection_url=
"root:${MYSQL_ROOT_PASSWORD}@tcp(127.0.0.1:3306)/" Setup - Vault Give Vault root access to database

$ vault write database/roles/drupal \ db_name=mysql \ default_ttl="15s" \ max_ttl="20s"
\ creation_statements=" CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT ALL PRIVILEGES ON *.* TO '{{name}}'@'%';" Setup - Vault Create "drupal" role in Vault

$ vault read database/creds/drupal Key Value --- ----- lease_id database/creds/drupal/9939e3b1-f370-f07d-c960-...
lease_duration 1m0s lease_renewable true password A1a-07p018125t60921y username v-token-drupal-u10y6tt86y1wts01u Setup - Vault Test credentials are being generated } Created on the fly

Setup - Consul Template <?php {{ with secret "database/creds/drupal" }}
$databases['default']['default'] = [ // Dynamic credentials generated by Vault - {{ timestamp }} 'username' => '{{ .Data.username }}', 'password' => '{{ .Data.password }}', ]; {{ end }} drupal-project / consul-template / settings.php.ctmpl

$ TEMPLATE=consul-template/settings.php.ctmpl $ RENDERED=app/sites/default/vault.settings.php $ consul-template -template $TEMPLATE:$RENDERED Setup -
Consul Template Run Consul Template

• Constant rotation of secrets • Credentials probably junk by
time Attacker tries to use them. • Risk posed by "Hoarders" mitigated. Advantages

@nicksanta drupal.org/user/87915 Fin.

Can You Keep a Secret?

Can You Keep a Secret?

More Decks by Nick Santamaria

Other Decks in Technology

Featured

Transcript