Can You Keep a Secret?

Transcript

1. Can You Keep a Secret Drupal HackCamp 2018 - București

2. Nick Santamaria • Drupal developer since 2006 • SysOps Engineer

   at PreviousNext • Based in Melbourne, Australia • @nicksanta • drupal.org/user/87915 • github.com/nicksantamaria

3. Secret Management Crash Course

4. Are you in the right place?

5. What are Secrets?

6. Passwords • Database • Cache Backend • Search Index •

   Document Store

7. API Keys • Cloud Platform • Payment Processor • Email

   Marketing • CI / CD Pipeline

8. Cryptographic Keys • SSH Key Pairs • TLS Certificates •

   AES Encryption Keys

9. Not Technically Secrets • Financial Credentials • Confidential Data •

   Personally Identifiable Information (PII)

10. Telling Secrets to the Application

11. Stored in Repo

12. Stored in Repo

13. Stored in Database

14. Placed by Config Management • Puppet • Ansible • CloudFormation

    • Terraform Variation Complication Baked into AMI AMI per security boundary Encrypted secrets in code Orchestrating key distribution

15. Hand Crafted Config

16. So What's the Problem?

17. "Secret Sprawl"

18. Impossible to Audit

19. Difficulty Rotating Keys

20. What Happens When You're Compromised?

21. None

22. Secret Management The Solution

23. Secret Management SOLUTION Centralise storage PROBLEM "Secret Sprawl"

24. Secret Management SOLUTION Authentication layer Standardised policy framework PROBLEM Who

    has access?

25. Secret Management SOLUTION Audit logs PROBLEM Who accessed what and

    when did they do it?

26. SOLUTION Centralised storage Leases Dynamic secrets Secret Management PROBLEM Rotating

    secrets is time consuming and error prone

27. SOLUTION Well-defined "break-glass" procedure Secret Management PROBLEM

28. Drupal Recipes

29. Store API Tokens in Lockr Recipe #1

30. Setup - Services • Lockr - lockr.io • MailChimp -

    mailchimp.com

31. Setup - Code • Drupal 8 • drupal.org/project/mailchimp • drupal.org/project/lockr

    • drupal.org/project/key

32. Demo

33. Config Export - Before

34. Config Export - After ←

35. Config Export - After } Key safely stored in lockr

    storage provider

36. Config Export - After } mailchimp.api_key config now overridden by

    key.repository.mailchimp_token

37. • Attackers can't obtain API keys from ◦ DB leaks

    ◦ Codebase leaks ◦ Stolen developer machine Advantages

38. Alternative Storage Providers • drupal.org/project/aws_secrets_manager • drupal.org/project/vault_key_kv

39. Crypto Keys with Kubernetes Secrets Recipe #2

40. • Kubernetes Cluster Setup - Services

41. Setup - Code • Drupal 8 • drupal.org/project/key • drupal.org/project/encrypt

    • drupal.org/project/real_aes

42. Generate AES Key

43. Add Secret Resource

44. Add Secret Resource

45. Add Secret Resource

46. Mount Secret into App Container

47. Create Encryption Key Entity

48. • Not baking secrets into image. • Simplifies key distribution.

    • Key encrypted at rest. • Filesystem mount = dev/prod parity. Advantages

49. • Docker Swarm docs.docker.com/engine/swarm/secrets/ • Elastic Container Service EC2 Parameter

    Store • Nomad HashiCorp Vault Other Orchestrators

50. Dynamic Database Credentials with Vault Recipe #3

51. Setup • Drupal • HashiCorp Vault ◦ vaultproject.io • Consul

    Template ◦ github.com/hashicorp/consul-template

52. Setup - Vault Mount the database secret backend

53. Setup - Vault Give Vault root access to database

54. Setup - Vault Create "drupal" role in Vault

55. Setup - Vault Test credentials are being generated }Created on

    the fly

56. Setup - Consul Template

57. Setup - Consul Template Run Consul Template

58. Demo

59. • Constant rotation of secrets • Credentials probably junk by

    time Attacker tries to use them. • Risk posed by "Hoarders" mitigated. Advantages

60. • Audit your application for insecurely stored secrets. Fix! •

    “Data Security in Drupal 8” at 2pm. • Key in Drupal Core?? What Next?

61. @nicksanta drupal.org/user/87915 Thank You!