Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Can You Keep a Secret?
Search
Nick Santamaria
June 10, 2018
Programming
1
340
Can You Keep a Secret?
Session on secrets management in Drupal at HackCamp in Bucharest, June 2018.
Nick Santamaria
June 10, 2018
Tweet
Share
More Decks by Nick Santamaria
See All by Nick Santamaria
Securing Drupal on Kubernetes - Sydney Meetup
nicksantamaria
0
250
HashiCorp Vault for Drupalers
nicksantamaria
0
660
Can You Keep a Secret?
nicksantamaria
0
800
Performance: Not an Afterthough [DrupalSouth 2015]
nicksantamaria
0
290
Other Decks in Programming
See All in Programming
5つのアンチパターンから学ぶLT設計
narihara
1
110
PHP 8.4の新機能「プロパティフック」から学ぶオブジェクト指向設計とリスコフの置換原則
kentaroutakeda
2
470
童醫院敏捷轉型的實踐經驗
cclai999
0
180
Gleamという選択肢
comamoca
6
760
#kanrk08 / 公開版 PicoRubyとマイコンでの自作トレーニング計測装置を用いたワークアウトの理想と現実
bash0c7
1
300
プロダクト志向ってなんなんだろうね
righttouch
PRO
0
150
WindowInsetsだってテストしたい
ryunen344
1
190
Blazing Fast UI Development with Compose Hot Reload (droidcon New York 2025)
zsmb
1
190
Beyond Portability: Live Migration for Evolving WebAssembly Workloads
chikuwait
0
390
deno-redisの紹介とJSRパッケージの運用について (toranoana.deno #21)
uki00a
0
140
[初登壇@jAZUG]アプリ開発者が気になるGoogleCloud/Azure+wasm/wasi
asaringo
0
130
Bytecode Manipulation 으로 생산성 높이기
bigstark
2
370
Featured
See All Featured
Build your cross-platform service in a week with App Engine
jlugia
231
18k
The Cost Of JavaScript in 2023
addyosmani
51
8.4k
VelocityConf: Rendering Performance Case Studies
addyosmani
330
24k
Git: the NoSQL Database
bkeepers
PRO
430
65k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
161
15k
Why You Should Never Use an ORM
jnunemaker
PRO
56
9.4k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Practical Orchestrator
shlominoach
188
11k
We Have a Design System, Now What?
morganepeng
53
7.7k
Building Flexible Design Systems
yeseniaperezcruz
328
39k
YesSQL, Process and Tooling at Scale
rocio
173
14k
Transcript
Can You Keep a Secret Drupal HackCamp 2018 - București
Nick Santamaria • Drupal developer since 2006 • SysOps Engineer
at PreviousNext • Based in Melbourne, Australia • @nicksanta • drupal.org/user/87915 • github.com/nicksantamaria
Secret Management Crash Course
Are you in the right place?
What are Secrets?
Passwords • Database • Cache Backend • Search Index •
Document Store
API Keys • Cloud Platform • Payment Processor • Email
Marketing • CI / CD Pipeline
Cryptographic Keys • SSH Key Pairs • TLS Certificates •
AES Encryption Keys
Not Technically Secrets • Financial Credentials • Confidential Data •
Personally Identifiable Information (PII)
Telling Secrets to the Application
Stored in Repo
Stored in Repo
Stored in Database
Placed by Config Management • Puppet • Ansible • CloudFormation
• Terraform Variation Complication Baked into AMI AMI per security boundary Encrypted secrets in code Orchestrating key distribution
Hand Crafted Config
So What's the Problem?
"Secret Sprawl"
Impossible to Audit
Difficulty Rotating Keys
What Happens When You're Compromised?
None
Secret Management The Solution
Secret Management SOLUTION Centralise storage PROBLEM "Secret Sprawl"
Secret Management SOLUTION Authentication layer Standardised policy framework PROBLEM Who
has access?
Secret Management SOLUTION Audit logs PROBLEM Who accessed what and
when did they do it?
SOLUTION Centralised storage Leases Dynamic secrets Secret Management PROBLEM Rotating
secrets is time consuming and error prone
SOLUTION Well-defined "break-glass" procedure Secret Management PROBLEM
Drupal Recipes
Store API Tokens in Lockr Recipe #1
Setup - Services • Lockr - lockr.io • MailChimp -
mailchimp.com
Setup - Code • Drupal 8 • drupal.org/project/mailchimp • drupal.org/project/lockr
• drupal.org/project/key
Demo
Config Export - Before
Config Export - After ←
Config Export - After } Key safely stored in lockr
storage provider
Config Export - After } mailchimp.api_key config now overridden by
key.repository.mailchimp_token
• Attackers can't obtain API keys from ◦ DB leaks
◦ Codebase leaks ◦ Stolen developer machine Advantages
Alternative Storage Providers • drupal.org/project/aws_secrets_manager • drupal.org/project/vault_key_kv
Crypto Keys with Kubernetes Secrets Recipe #2
• Kubernetes Cluster Setup - Services
Setup - Code • Drupal 8 • drupal.org/project/key • drupal.org/project/encrypt
• drupal.org/project/real_aes
Generate AES Key
Add Secret Resource
Add Secret Resource
Add Secret Resource
Mount Secret into App Container
Create Encryption Key Entity
• Not baking secrets into image. • Simplifies key distribution.
• Key encrypted at rest. • Filesystem mount = dev/prod parity. Advantages
• Docker Swarm docs.docker.com/engine/swarm/secrets/ • Elastic Container Service EC2 Parameter
Store • Nomad HashiCorp Vault Other Orchestrators
Dynamic Database Credentials with Vault Recipe #3
Setup • Drupal • HashiCorp Vault ◦ vaultproject.io • Consul
Template ◦ github.com/hashicorp/consul-template
Setup - Vault Mount the database secret backend
Setup - Vault Give Vault root access to database
Setup - Vault Create "drupal" role in Vault
Setup - Vault Test credentials are being generated }Created on
the fly
Setup - Consul Template
Setup - Consul Template Run Consul Template
Demo
• Constant rotation of secrets • Credentials probably junk by
time Attacker tries to use them. • Risk posed by "Hoarders" mitigated. Advantages
• Audit your application for insecurely stored secrets. Fix! •
“Data Security in Drupal 8” at 2pm. • Key in Drupal Core?? What Next?
@nicksanta drupal.org/user/87915 Thank You!