Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Can You Keep a Secret?
Search
Nick Santamaria
June 10, 2018
Programming
1
350
Can You Keep a Secret?
Session on secrets management in Drupal at HackCamp in Bucharest, June 2018.
Nick Santamaria
June 10, 2018
Tweet
Share
More Decks by Nick Santamaria
See All by Nick Santamaria
Securing Drupal on Kubernetes - Sydney Meetup
nicksantamaria
0
260
HashiCorp Vault for Drupalers
nicksantamaria
0
680
Can You Keep a Secret?
nicksantamaria
0
820
Performance: Not an Afterthough [DrupalSouth 2015]
nicksantamaria
0
320
Other Decks in Programming
See All in Programming
旅行プランAIエージェント開発の裏側
ippo012
2
900
ユーザーも開発者も悩ませない TV アプリ開発 ~Compose の内部実装から学ぶフォーカス制御~
taked137
0
160
1から理解するWeb Push
dora1998
7
1.9k
The Past, Present, and Future of Enterprise Java
ivargrimstad
0
350
HTMLの品質ってなんだっけ? “HTMLクライテリア”の設計と実践
unachang113
4
2.8k
Laravel Boost 超入門
fire_arlo
3
210
今だからこそ入門する Server-Sent Events (SSE)
nearme_tech
PRO
2
140
GitHubとGitLabとAWS CodePipelineでCI/CDを組み比べてみた
satoshi256kbyte
4
220
個人軟體時代
ethanhuang13
0
320
Compose Multiplatform × AI で作る、次世代アプリ開発支援ツールの設計と実装
thagikura
0
140
Android 16 × Jetpack Composeで縦書きテキストエディタを作ろう / Vertical Text Editor with Compose on Android 16
cc4966
1
190
Deep Dive into Kotlin Flow
jmatsu
1
320
Featured
See All Featured
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.9k
The Cult of Friendly URLs
andyhume
79
6.6k
How to Think Like a Performance Engineer
csswizardry
26
1.9k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
1.1k
Rails Girls Zürich Keynote
gr2m
95
14k
Java REST API Framework Comparison - PWX 2021
mraible
33
8.8k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
48
9.7k
jQuery: Nuts, Bolts and Bling
dougneiner
64
7.9k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
50k
Building Flexible Design Systems
yeseniaperezcruz
328
39k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
229
22k
Transcript
Can You Keep a Secret Drupal HackCamp 2018 - București
Nick Santamaria • Drupal developer since 2006 • SysOps Engineer
at PreviousNext • Based in Melbourne, Australia • @nicksanta • drupal.org/user/87915 • github.com/nicksantamaria
Secret Management Crash Course
Are you in the right place?
What are Secrets?
Passwords • Database • Cache Backend • Search Index •
Document Store
API Keys • Cloud Platform • Payment Processor • Email
Marketing • CI / CD Pipeline
Cryptographic Keys • SSH Key Pairs • TLS Certificates •
AES Encryption Keys
Not Technically Secrets • Financial Credentials • Confidential Data •
Personally Identifiable Information (PII)
Telling Secrets to the Application
Stored in Repo
Stored in Repo
Stored in Database
Placed by Config Management • Puppet • Ansible • CloudFormation
• Terraform Variation Complication Baked into AMI AMI per security boundary Encrypted secrets in code Orchestrating key distribution
Hand Crafted Config
So What's the Problem?
"Secret Sprawl"
Impossible to Audit
Difficulty Rotating Keys
What Happens When You're Compromised?
None
Secret Management The Solution
Secret Management SOLUTION Centralise storage PROBLEM "Secret Sprawl"
Secret Management SOLUTION Authentication layer Standardised policy framework PROBLEM Who
has access?
Secret Management SOLUTION Audit logs PROBLEM Who accessed what and
when did they do it?
SOLUTION Centralised storage Leases Dynamic secrets Secret Management PROBLEM Rotating
secrets is time consuming and error prone
SOLUTION Well-defined "break-glass" procedure Secret Management PROBLEM
Drupal Recipes
Store API Tokens in Lockr Recipe #1
Setup - Services • Lockr - lockr.io • MailChimp -
mailchimp.com
Setup - Code • Drupal 8 • drupal.org/project/mailchimp • drupal.org/project/lockr
• drupal.org/project/key
Demo
Config Export - Before
Config Export - After ←
Config Export - After } Key safely stored in lockr
storage provider
Config Export - After } mailchimp.api_key config now overridden by
key.repository.mailchimp_token
• Attackers can't obtain API keys from ◦ DB leaks
◦ Codebase leaks ◦ Stolen developer machine Advantages
Alternative Storage Providers • drupal.org/project/aws_secrets_manager • drupal.org/project/vault_key_kv
Crypto Keys with Kubernetes Secrets Recipe #2
• Kubernetes Cluster Setup - Services
Setup - Code • Drupal 8 • drupal.org/project/key • drupal.org/project/encrypt
• drupal.org/project/real_aes
Generate AES Key
Add Secret Resource
Add Secret Resource
Add Secret Resource
Mount Secret into App Container
Create Encryption Key Entity
• Not baking secrets into image. • Simplifies key distribution.
• Key encrypted at rest. • Filesystem mount = dev/prod parity. Advantages
• Docker Swarm docs.docker.com/engine/swarm/secrets/ • Elastic Container Service EC2 Parameter
Store • Nomad HashiCorp Vault Other Orchestrators
Dynamic Database Credentials with Vault Recipe #3
Setup • Drupal • HashiCorp Vault ◦ vaultproject.io • Consul
Template ◦ github.com/hashicorp/consul-template
Setup - Vault Mount the database secret backend
Setup - Vault Give Vault root access to database
Setup - Vault Create "drupal" role in Vault
Setup - Vault Test credentials are being generated }Created on
the fly
Setup - Consul Template
Setup - Consul Template Run Consul Template
Demo
• Constant rotation of secrets • Credentials probably junk by
time Attacker tries to use them. • Risk posed by "Hoarders" mitigated. Advantages
• Audit your application for insecurely stored secrets. Fix! •
“Data Security in Drupal 8” at 2pm. • Key in Drupal Core?? What Next?
@nicksanta drupal.org/user/87915 Thank You!