Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Can You Keep a Secret?
Search
Nick Santamaria
June 10, 2018
Programming
1
340
Can You Keep a Secret?
Session on secrets management in Drupal at HackCamp in Bucharest, June 2018.
Nick Santamaria
June 10, 2018
Tweet
Share
More Decks by Nick Santamaria
See All by Nick Santamaria
Securing Drupal on Kubernetes - Sydney Meetup
nicksantamaria
0
260
HashiCorp Vault for Drupalers
nicksantamaria
0
670
Can You Keep a Secret?
nicksantamaria
0
810
Performance: Not an Afterthough [DrupalSouth 2015]
nicksantamaria
0
310
Other Decks in Programming
See All in Programming
可変性を制する設計: 構造と振る舞いから考える概念モデリングとその実装
a_suenami
7
1k
iOS開発スターターキットの作り方
akidon0000
0
210
No Install CMS戦略 〜 5年先を見据えたフロントエンド開発を考える / no_install_cms
rdlabo
0
380
階層化自動テストで開発に機動力を
ickx
1
440
코딩 에이전트 체크리스트: Claude Code ver.
nacyot
0
1k
Google I/O Extended Incheon 2025 ~ What's new in Android development tools
pluu
1
200
MCPを使ってイベントソーシングのAIコーディングを効率化する / Streamlining Event Sourcing AI Coding with MCP
tomohisa
0
190
レトロゲームから学ぶ通信技術の歴史
kimkim0106
0
140
What's new in AppKit on macOS 26
1024jp
0
180
Quality Gates in the Age of Agentic Coding
helmedeiros
PRO
1
110
Gemini CLI のはじめ方
ttnyt8701
1
110
CIを整備してメンテナンスを生成AIに任せる
hazumirr
0
310
Featured
See All Featured
How to Ace a Technical Interview
jacobian
278
23k
Into the Great Unknown - MozCon
thekraken
40
1.9k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
44
2.4k
A better future with KSS
kneath
238
17k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
31
1.3k
How GitHub (no longer) Works
holman
314
140k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
34
3.1k
A Tale of Four Properties
chriscoyier
160
23k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.8k
Typedesign – Prime Four
hannesfritz
42
2.7k
How STYLIGHT went responsive
nonsquared
100
5.7k
Transcript
Can You Keep a Secret Drupal HackCamp 2018 - București
Nick Santamaria • Drupal developer since 2006 • SysOps Engineer
at PreviousNext • Based in Melbourne, Australia • @nicksanta • drupal.org/user/87915 • github.com/nicksantamaria
Secret Management Crash Course
Are you in the right place?
What are Secrets?
Passwords • Database • Cache Backend • Search Index •
Document Store
API Keys • Cloud Platform • Payment Processor • Email
Marketing • CI / CD Pipeline
Cryptographic Keys • SSH Key Pairs • TLS Certificates •
AES Encryption Keys
Not Technically Secrets • Financial Credentials • Confidential Data •
Personally Identifiable Information (PII)
Telling Secrets to the Application
Stored in Repo
Stored in Repo
Stored in Database
Placed by Config Management • Puppet • Ansible • CloudFormation
• Terraform Variation Complication Baked into AMI AMI per security boundary Encrypted secrets in code Orchestrating key distribution
Hand Crafted Config
So What's the Problem?
"Secret Sprawl"
Impossible to Audit
Difficulty Rotating Keys
What Happens When You're Compromised?
None
Secret Management The Solution
Secret Management SOLUTION Centralise storage PROBLEM "Secret Sprawl"
Secret Management SOLUTION Authentication layer Standardised policy framework PROBLEM Who
has access?
Secret Management SOLUTION Audit logs PROBLEM Who accessed what and
when did they do it?
SOLUTION Centralised storage Leases Dynamic secrets Secret Management PROBLEM Rotating
secrets is time consuming and error prone
SOLUTION Well-defined "break-glass" procedure Secret Management PROBLEM
Drupal Recipes
Store API Tokens in Lockr Recipe #1
Setup - Services • Lockr - lockr.io • MailChimp -
mailchimp.com
Setup - Code • Drupal 8 • drupal.org/project/mailchimp • drupal.org/project/lockr
• drupal.org/project/key
Demo
Config Export - Before
Config Export - After ←
Config Export - After } Key safely stored in lockr
storage provider
Config Export - After } mailchimp.api_key config now overridden by
key.repository.mailchimp_token
• Attackers can't obtain API keys from ◦ DB leaks
◦ Codebase leaks ◦ Stolen developer machine Advantages
Alternative Storage Providers • drupal.org/project/aws_secrets_manager • drupal.org/project/vault_key_kv
Crypto Keys with Kubernetes Secrets Recipe #2
• Kubernetes Cluster Setup - Services
Setup - Code • Drupal 8 • drupal.org/project/key • drupal.org/project/encrypt
• drupal.org/project/real_aes
Generate AES Key
Add Secret Resource
Add Secret Resource
Add Secret Resource
Mount Secret into App Container
Create Encryption Key Entity
• Not baking secrets into image. • Simplifies key distribution.
• Key encrypted at rest. • Filesystem mount = dev/prod parity. Advantages
• Docker Swarm docs.docker.com/engine/swarm/secrets/ • Elastic Container Service EC2 Parameter
Store • Nomad HashiCorp Vault Other Orchestrators
Dynamic Database Credentials with Vault Recipe #3
Setup • Drupal • HashiCorp Vault ◦ vaultproject.io • Consul
Template ◦ github.com/hashicorp/consul-template
Setup - Vault Mount the database secret backend
Setup - Vault Give Vault root access to database
Setup - Vault Create "drupal" role in Vault
Setup - Vault Test credentials are being generated }Created on
the fly
Setup - Consul Template
Setup - Consul Template Run Consul Template
Demo
• Constant rotation of secrets • Credentials probably junk by
time Attacker tries to use them. • Risk posed by "Hoarders" mitigated. Advantages
• Audit your application for insecurely stored secrets. Fix! •
“Data Security in Drupal 8” at 2pm. • Key in Drupal Core?? What Next?
@nicksanta drupal.org/user/87915 Thank You!