Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Can You Keep a Secret?

Nick Santamaria
June 10, 2018
Programming
1
310

Can You Keep a Secret?

Session on secrets management in Drupal at HackCamp in Bucharest, June 2018.

Nick Santamaria

June 10, 2018
Tweet

More Decks by Nick Santamaria

See All by Nick Santamaria
Securing Drupal on Kubernetes - Sydney Meetup
nicksantamaria
0
220
HashiCorp Vault for Drupalers
nicksantamaria
0
630
Can You Keep a Secret?
nicksantamaria
0
750
Performance: Not an Afterthough [DrupalSouth 2015]
nicksantamaria
0
260

Other Decks in Programming

See All in Programming
JavaScriptツール群「UnJS」を5分で一気に駆け巡る!
k1tikurisu
9
1.8k
負債になりにくいCSSをデザイナとつくるには?
fsubal
9
2.4k
『GO』アプリ バックエンドサーバのコスト削減
mot_techtalk
0
140
CI改善もDatadogとともに
taumu
0
110
富山発の個人開発サービスで日本中の学校の業務を改善した話
krpk1900
4
380
Amazon ECS とマイクロサービスから考えるシステム構成
hiyanger
2
550
Multi Step Form, Decentralized Autonomous Organization
pumpkiinbell
1
740
データベースのオペレーターであるCloudNativePGがStatefulSetを使わない理由に迫る
nnaka2992
0
140
Pythonでもちょっとリッチな見た目のアプリを設計してみる
ueponx
1
560
ソフトウェアエンジニアの成長
masuda220
PRO
10
1.1k
パスキーのすべて ── 導入・UX設計・実装の紹介 / 20250213 パスキー開発者の集い
kuralab
3
780
Lottieアニメーションをカスタマイズしてみた
tahia910
0
130

Featured

See All Featured
Code Reviewing Like a Champion
maltzj
521
39k
Side Projects
sachag
452
42k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5.2k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.4k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Navigating Team Friction
lara
183
15k
The Invisible Side of Design
smashingmag
299
50k
Measuring & Analyzing Core Web Vitals
bluesmoon
6
240
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
7
630
Large-scale JavaScript Application Architecture
addyosmani
511
110k
Docker and Python
trallard
44
3.3k

Transcript

  1. Can You Keep a Secret Drupal HackCamp 2018 - București

  2. Nick Santamaria • Drupal developer since 2006 • SysOps Engineer

    at PreviousNext • Based in Melbourne, Australia • @nicksanta • drupal.org/user/87915 • github.com/nicksantamaria

  3. Secret Management Crash Course

  4. Are you in the right place?

  5. What are Secrets?

  6. Passwords • Database • Cache Backend • Search Index •

    Document Store

  7. API Keys • Cloud Platform • Payment Processor • Email

    Marketing • CI / CD Pipeline

  8. Cryptographic Keys • SSH Key Pairs • TLS Certificates •

    AES Encryption Keys

  9. Not Technically Secrets • Financial Credentials • Confidential Data •

    Personally Identifiable Information (PII)

  10. Telling Secrets to the Application

  11. Stored in Repo

  12. Stored in Repo

  13. Stored in Database

  14. Placed by Config Management • Puppet • Ansible • CloudFormation

    • Terraform Variation Complication Baked into AMI AMI per security boundary Encrypted secrets in code Orchestrating key distribution

  15. Hand Crafted Config

  16. So What's the Problem?

  17. "Secret Sprawl"

  18. Impossible to Audit

  19. Difficulty Rotating Keys

  20. What Happens When You're Compromised?

  21. None

  22. Secret Management The Solution

  23. Secret Management SOLUTION Centralise storage PROBLEM "Secret Sprawl"

  24. Secret Management SOLUTION Authentication layer Standardised policy framework PROBLEM Who

    has access?

  25. Secret Management SOLUTION Audit logs PROBLEM Who accessed what and

    when did they do it?

  26. SOLUTION Centralised storage Leases Dynamic secrets Secret Management PROBLEM Rotating

    secrets is time consuming and error prone

  27. SOLUTION Well-defined "break-glass" procedure Secret Management PROBLEM

  28. Drupal Recipes

  29. Store API Tokens in Lockr Recipe #1

  30. Setup - Services • Lockr - lockr.io • MailChimp -

    mailchimp.com

  31. Setup - Code • Drupal 8 • drupal.org/project/mailchimp • drupal.org/project/lockr

    • drupal.org/project/key

  32. Demo

  33. Config Export - Before

  34. Config Export - After ←

  35. Config Export - After } Key safely stored in lockr

    storage provider

  36. Config Export - After } mailchimp.api_key config now overridden by

    key.repository.mailchimp_token

  37. • Attackers can't obtain API keys from ◦ DB leaks

    ◦ Codebase leaks ◦ Stolen developer machine Advantages

  38. Alternative Storage Providers • drupal.org/project/aws_secrets_manager • drupal.org/project/vault_key_kv

  39. Crypto Keys with Kubernetes Secrets Recipe #2

  40. • Kubernetes Cluster Setup - Services

  41. Setup - Code • Drupal 8 • drupal.org/project/key • drupal.org/project/encrypt

    • drupal.org/project/real_aes

  42. Generate AES Key

  43. Add Secret Resource

  44. Add Secret Resource

  45. Add Secret Resource

  46. Mount Secret into App Container

  47. Create Encryption Key Entity

  48. • Not baking secrets into image. • Simplifies key distribution.

    • Key encrypted at rest. • Filesystem mount = dev/prod parity. Advantages

  49. • Docker Swarm docs.docker.com/engine/swarm/secrets/ • Elastic Container Service EC2 Parameter

    Store • Nomad HashiCorp Vault Other Orchestrators

  50. Dynamic Database Credentials with Vault Recipe #3

  51. Setup • Drupal • HashiCorp Vault ◦ vaultproject.io • Consul

    Template ◦ github.com/hashicorp/consul-template

  52. Setup - Vault Mount the database secret backend

  53. Setup - Vault Give Vault root access to database

  54. Setup - Vault Create "drupal" role in Vault

  55. Setup - Vault Test credentials are being generated }Created on

    the fly

  56. Setup - Consul Template

  57. Setup - Consul Template Run Consul Template

  58. Demo

  59. • Constant rotation of secrets • Credentials probably junk by

    time Attacker tries to use them. • Risk posed by "Hoarders" mitigated. Advantages

  60. • Audit your application for insecurely stored secrets. Fix! •

    “Data Security in Drupal 8” at 2pm. • Key in Drupal Core?? What Next?

  61. @nicksanta drupal.org/user/87915 Thank You!