Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Can You Keep a Secret?
Search
Nick Santamaria
June 10, 2018
Programming
410
1
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Can You Keep a Secret?
Session on secrets management in Drupal at HackCamp in Bucharest, June 2018.
Nick Santamaria
June 10, 2018
More Decks by Nick Santamaria
See All by Nick Santamaria
Securing Drupal on Kubernetes - Sydney Meetup
nicksantamaria
0
350
HashiCorp Vault for Drupalers
nicksantamaria
0
790
Can You Keep a Secret?
nicksantamaria
0
930
Performance: Not an Afterthough [DrupalSouth 2015]
nicksantamaria
0
420
Other Decks in Programming
See All in Programming
気づいたらRubyで100作品 ー クリエイティブコーディングが生活の一部になるまで / 100 Ruby Sketches Later: How Creative Coding Became Part of My Life
chobishiba
3
610
Oxcを導入して開発体験が向上した話
yug1224
4
350
不変条件と整合性境界—ビジネスが決める設計判断と実現パターン / Invariants and Consistency Boundaries
nrslib
14
5.9k
AIで効率化できた業務・日常
ochtum
0
150
SREは、MCPとSRE Agentをこう使え!
kazumax55
0
130
JavaDoc 再入門
nagise
1
430
AI 輔助遺留系統現代化的經驗分享
jame2408
1
1.1k
Observability in Practice:Grafana 與 Edge Device SRE 的那些事
blueswen
0
180
AI時代のUIはどこへ行く?その2!
yusukebe
22
7.6k
TSKaigi Night Talks 2026_TypeScriptでサプライチェーンの整合性を型に閉じ込める
geekplus_tech
0
420
Agentic UI
manfredsteyer
PRO
0
200
なぜ型を書くのか? TSKaigi2026で改めて考える #tskaigi_smarthr
kajitack
0
170
Featured
See All Featured
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
17k
Paper Plane (Part 1)
katiecoart
PRO
0
9.3k
The B2B funnel & how to create a winning content strategy
katarinadahlin
PRO
1
410
XXLCSS - How to scale CSS and keep your sanity
sugarenia
250
1.3M
Mobile First: as difficult as doing things right
swwweet
225
10k
Design of three-dimensional binary manipulators for pick-and-place task avoiding obstacles (IECON2024)
konakalab
0
480
Bridging the Design Gap: How Collaborative Modelling removes blockers to flow between stakeholders and teams @FastFlow conf
baasie
0
590
Being A Developer After 40
akosma
91
590k
Applied NLP in the Age of Generative AI
inesmontani
PRO
4
2.3k
Building the Perfect Custom Keyboard
takai
2
800
HU Berlin: Industrial-Strength Natural Language Processing with spaCy and Prodigy
inesmontani
PRO
0
420
End of SEO as We Know It (SMX Advanced Version)
ipullrank
3
4.2k
Transcript
Can You Keep a Secret Drupal HackCamp 2018 - București
Nick Santamaria • Drupal developer since 2006 • SysOps Engineer
at PreviousNext • Based in Melbourne, Australia • @nicksanta • drupal.org/user/87915 • github.com/nicksantamaria
Secret Management Crash Course
Are you in the right place?
What are Secrets?
Passwords • Database • Cache Backend • Search Index •
Document Store
API Keys • Cloud Platform • Payment Processor • Email
Marketing • CI / CD Pipeline
Cryptographic Keys • SSH Key Pairs • TLS Certificates •
AES Encryption Keys
Not Technically Secrets • Financial Credentials • Confidential Data •
Personally Identifiable Information (PII)
Telling Secrets to the Application
Stored in Repo
Stored in Repo
Stored in Database
Placed by Config Management • Puppet • Ansible • CloudFormation
• Terraform Variation Complication Baked into AMI AMI per security boundary Encrypted secrets in code Orchestrating key distribution
Hand Crafted Config
So What's the Problem?
"Secret Sprawl"
Impossible to Audit
Difficulty Rotating Keys
What Happens When You're Compromised?
None
Secret Management The Solution
Secret Management SOLUTION Centralise storage PROBLEM "Secret Sprawl"
Secret Management SOLUTION Authentication layer Standardised policy framework PROBLEM Who
has access?
Secret Management SOLUTION Audit logs PROBLEM Who accessed what and
when did they do it?
SOLUTION Centralised storage Leases Dynamic secrets Secret Management PROBLEM Rotating
secrets is time consuming and error prone
SOLUTION Well-defined "break-glass" procedure Secret Management PROBLEM
Drupal Recipes
Store API Tokens in Lockr Recipe #1
Setup - Services • Lockr - lockr.io • MailChimp -
mailchimp.com
Setup - Code • Drupal 8 • drupal.org/project/mailchimp • drupal.org/project/lockr
• drupal.org/project/key
Demo
Config Export - Before
Config Export - After ←
Config Export - After } Key safely stored in lockr
storage provider
Config Export - After } mailchimp.api_key config now overridden by
key.repository.mailchimp_token
• Attackers can't obtain API keys from ◦ DB leaks
◦ Codebase leaks ◦ Stolen developer machine Advantages
Alternative Storage Providers • drupal.org/project/aws_secrets_manager • drupal.org/project/vault_key_kv
Crypto Keys with Kubernetes Secrets Recipe #2
• Kubernetes Cluster Setup - Services
Setup - Code • Drupal 8 • drupal.org/project/key • drupal.org/project/encrypt
• drupal.org/project/real_aes
Generate AES Key
Add Secret Resource
Add Secret Resource
Add Secret Resource
Mount Secret into App Container
Create Encryption Key Entity
• Not baking secrets into image. • Simplifies key distribution.
• Key encrypted at rest. • Filesystem mount = dev/prod parity. Advantages
• Docker Swarm docs.docker.com/engine/swarm/secrets/ • Elastic Container Service EC2 Parameter
Store • Nomad HashiCorp Vault Other Orchestrators
Dynamic Database Credentials with Vault Recipe #3
Setup • Drupal • HashiCorp Vault ◦ vaultproject.io • Consul
Template ◦ github.com/hashicorp/consul-template
Setup - Vault Mount the database secret backend
Setup - Vault Give Vault root access to database
Setup - Vault Create "drupal" role in Vault
Setup - Vault Test credentials are being generated }Created on
the fly
Setup - Consul Template
Setup - Consul Template Run Consul Template
Demo
• Constant rotation of secrets • Credentials probably junk by
time Attacker tries to use them. • Risk posed by "Hoarders" mitigated. Advantages
• Audit your application for insecurely stored secrets. Fix! •
“Data Security in Drupal 8” at 2pm. • Key in Drupal Core?? What Next?
@nicksanta drupal.org/user/87915 Thank You!