Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Can You Keep a Secret?
Search
Nick Santamaria
June 10, 2018
Programming
410
1
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Can You Keep a Secret?
Session on secrets management in Drupal at HackCamp in Bucharest, June 2018.
Nick Santamaria
June 10, 2018
More Decks by Nick Santamaria
See All by Nick Santamaria
Securing Drupal on Kubernetes - Sydney Meetup
nicksantamaria
0
350
HashiCorp Vault for Drupalers
nicksantamaria
0
790
Can You Keep a Secret?
nicksantamaria
0
930
Performance: Not an Afterthough [DrupalSouth 2015]
nicksantamaria
0
420
Other Decks in Programming
See All in Programming
Make SRE Operations Easier with Azure SRE Agent
kkamegawa
0
9k
act1-costs.pdf
sumedhbala
0
130
不変条件と整合性境界—ビジネスが決める設計判断と実現パターン / Invariants and Consistency Boundaries
nrslib
14
5.9k
過去最大のMCPアップデート! 2026-07-28 RC版の謎に迫る
licux
6
420
肥大化するレガシーコードに立ち向かうためのインターフェース分離と依存の逆転 / JJUG CCC 2026 Spring
hirokunimaeta
0
640
A2UI という光を覗いてみる
satohjohn
1
160
軽量Java基盤の設計 DIコンテナに頼らない、長期保守と1秒起動の実現 JJUG CCC 2026 Spring
macha64
0
610
技術記事、 専門家としてのプログラマ、 言語化
mizchi
13
6.6k
その問い、本当に正しいですか?AI時代のエンジニアに必要な哲学と認知科学 / ai-philosophy-cognitive-science
minodriven
14
6.5k
作って学ぶ、 JSX (TSX) ランタイムの基本
syumai
7
1.7k
代数的データ型って何が嬉しいの? #frontend_phpcon_do
kajitack
8
3.8k
The NotImplementedError Problem in Ruby
koic
1
980
Featured
See All Featured
How to Ace a Technical Interview
jacobian
281
24k
Marketing Yourself as an Engineer | Alaka | Gurzu
gurzu
0
250
What Being in a Rock Band Can Teach Us About Real World SEO
427marketing
0
1k
Jess Joyce - The Pitfalls of Following Frameworks
techseoconnect
PRO
1
170
Organizational Design Perspectives: An Ontology of Organizational Design Elements
kimpetersen
PRO
1
760
How Software Deployment tools have changed in the past 20 years
geshan
0
34k
Java REST API Framework Comparison - PWX 2021
mraible
34
9.4k
The Organizational Zoo: Understanding Human Behavior Agility Through Metaphoric Constructive Conversations (based on the works of Arthur Shelley, Ph.D)
kimpetersen
PRO
0
370
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
35
2.5k
From Legacy to Launchpad: Building Startup-Ready Communities
dugsong
0
240
Music & Morning Musume
bryan
47
7.3k
Fireside Chat
paigeccino
42
4k
Transcript
Can You Keep a Secret Drupal HackCamp 2018 - București
Nick Santamaria • Drupal developer since 2006 • SysOps Engineer
at PreviousNext • Based in Melbourne, Australia • @nicksanta • drupal.org/user/87915 • github.com/nicksantamaria
Secret Management Crash Course
Are you in the right place?
What are Secrets?
Passwords • Database • Cache Backend • Search Index •
Document Store
API Keys • Cloud Platform • Payment Processor • Email
Marketing • CI / CD Pipeline
Cryptographic Keys • SSH Key Pairs • TLS Certificates •
AES Encryption Keys
Not Technically Secrets • Financial Credentials • Confidential Data •
Personally Identifiable Information (PII)
Telling Secrets to the Application
Stored in Repo
Stored in Repo
Stored in Database
Placed by Config Management • Puppet • Ansible • CloudFormation
• Terraform Variation Complication Baked into AMI AMI per security boundary Encrypted secrets in code Orchestrating key distribution
Hand Crafted Config
So What's the Problem?
"Secret Sprawl"
Impossible to Audit
Difficulty Rotating Keys
What Happens When You're Compromised?
None
Secret Management The Solution
Secret Management SOLUTION Centralise storage PROBLEM "Secret Sprawl"
Secret Management SOLUTION Authentication layer Standardised policy framework PROBLEM Who
has access?
Secret Management SOLUTION Audit logs PROBLEM Who accessed what and
when did they do it?
SOLUTION Centralised storage Leases Dynamic secrets Secret Management PROBLEM Rotating
secrets is time consuming and error prone
SOLUTION Well-defined "break-glass" procedure Secret Management PROBLEM
Drupal Recipes
Store API Tokens in Lockr Recipe #1
Setup - Services • Lockr - lockr.io • MailChimp -
mailchimp.com
Setup - Code • Drupal 8 • drupal.org/project/mailchimp • drupal.org/project/lockr
• drupal.org/project/key
Demo
Config Export - Before
Config Export - After ←
Config Export - After } Key safely stored in lockr
storage provider
Config Export - After } mailchimp.api_key config now overridden by
key.repository.mailchimp_token
• Attackers can't obtain API keys from ◦ DB leaks
◦ Codebase leaks ◦ Stolen developer machine Advantages
Alternative Storage Providers • drupal.org/project/aws_secrets_manager • drupal.org/project/vault_key_kv
Crypto Keys with Kubernetes Secrets Recipe #2
• Kubernetes Cluster Setup - Services
Setup - Code • Drupal 8 • drupal.org/project/key • drupal.org/project/encrypt
• drupal.org/project/real_aes
Generate AES Key
Add Secret Resource
Add Secret Resource
Add Secret Resource
Mount Secret into App Container
Create Encryption Key Entity
• Not baking secrets into image. • Simplifies key distribution.
• Key encrypted at rest. • Filesystem mount = dev/prod parity. Advantages
• Docker Swarm docs.docker.com/engine/swarm/secrets/ • Elastic Container Service EC2 Parameter
Store • Nomad HashiCorp Vault Other Orchestrators
Dynamic Database Credentials with Vault Recipe #3
Setup • Drupal • HashiCorp Vault ◦ vaultproject.io • Consul
Template ◦ github.com/hashicorp/consul-template
Setup - Vault Mount the database secret backend
Setup - Vault Give Vault root access to database
Setup - Vault Create "drupal" role in Vault
Setup - Vault Test credentials are being generated }Created on
the fly
Setup - Consul Template
Setup - Consul Template Run Consul Template
Demo
• Constant rotation of secrets • Credentials probably junk by
time Attacker tries to use them. • Risk posed by "Hoarders" mitigated. Advantages
• Audit your application for insecurely stored secrets. Fix! •
“Data Security in Drupal 8” at 2pm. • Key in Drupal Core?? What Next?
@nicksanta drupal.org/user/87915 Thank You!