HashiCorp Vault for Drupalers

Transcript

1. HashiCorp Vault for Drupalers Drupal HackCamp 2018 - București

2. Nick Santamaria • Drupal developer since 2006 • SysOps Engineer

   at PreviousNext • Based in Melbourne, Australia • HashiCorp Fan @nicksanta github.com/nicksantamaria drupal.org/user/87915

3. The Secret Management Problem

4. What are Secrets? A piece of information that proves an

   identity, or authorization to perform certain functions. • Username & Password • API Token • TLS Certificate

5. What are Secrets? Things in this realm must be carefully

   handled. • Who has access? • When did they access it? • How will they be rotated?

6. In the Wild They are in your settings.php files.

7. In the Wild They are in your config exports.

8. In the Wild They are in your ansible playbooks.

9. Secret Sprawl

10. HashiCorp Vault

11. The Secret Management Problem Vault addresses the challenges of secrets

    management. • Centralised • Fine-grained access control • Audit trail

12. “moving from a world of sprawl to a world of

    centrality; with strong guarantees around encryption, access control, and visibility.” - Armon Dadgar, HashiCorp CTO

13. The Application Problem or: Software sucks at keeping secrets

14. The Application Problem Applications will inevitably expose secrets. • Logs

    • Stack traces • Monitoring tools

15. Dynamic Secrets

16. Dynamic Secrets Issue applications short-lived credentials. • Created dynamically •

    Ephemeral • Require lease renewals

17. A constantly moving target for attackers.

18. Dynamic Secrets Each client receives unique credentials. • Identify the

    specific point of breach. • Revoke credentials for the compromised client.

19. The Encryption Problem or: Cryptography is hard

20. The Encryption Problem Cryptography is simple to get wrong and

    can undermine its integrity. Key lifecycle management is even harder.

21. Encrypt-as-a-Service

22. Encrypt as a Service Create named keys.

23. Encrypt as a Service High-level APIs for cryptographic functions.

24. Encrypt as a Service High-level APIs for cryptographic functions.

25. Encrypt as a Service High-level APIs for key lifecycle management.

26. Secret Management Dynamic Secrets Encrypt-as-a-Service

27. Vault Architecture

28. Vault Architecture - Core Core • Lifecycle management. • Ensures

    requests handled properly.

29. Vault Architecture - Authentication Core Allows clients to authenticate from

    other systems Authentication

30. Vault Architecture - Audit Core • Logs request / response

    trail. • Who has done what. Authentication Audit Logs

31. Vault Architecture - Storage Core • Stores encrypted data at

    rest. • Highly Available. • Durable. Authentication Storage Audit Logs

32. Vault Architecture - Secret Engines Core Provides access to different

    secrets. Authentication Storage Audit Logs Secret Engines

33. Drupal Integration

34. Vault Architecture - Drupal Integration Core Authentication Secret Engines Authentication

    Provider Plugins • Key integration • Encrypt integration Lease Maintenance Vault Client service

35. drupal.org/project/vault

36. Drupal Integration - Current State Authentication Providers • Token -

    drupal.org/project/vault_auth_token

37. Drupal Integration - Current State Secret Engines • Key/Value -

    drupal.org/project/vault_key_kv • AWS - drupal.org/project/vault_key_aws

38. Drupal Integration - Current State Encrypt-as-a-Service • Transit Encryption -

    drupal.org/project/encrypt_vault_transit

39. Drupal Integration - Current State Planned • AppRole Authentication •

    TLS Authentication • TOTP Provider for TFA - drupal.org/project/tfa

40. Drupal Integration - Design Goals ✔ Modular - Each module

    provides a single function. ✔ Auditable - Simple implementation for easy code review. ✔ Simple - Vault module only responsible for: 1. Plugin manager for authentication providers. 2. Expose authenticated client as a service. 3. Maintain leases (via cron).

41. Drupal Integration - not Design Goals ✗ Provide management layer

    for Vault. ✗ Mitigate bad/insecure vault configuration. ✗ Support dynamic database credentials.

42. Demo!

43. None
44. None
45. None

46. drupal.org/node/2972436 Ability to map specific values from multi-value keys to

    config overrides

47. Thank you! @nicksanta github.com/nicksantamaria drupal.org/user/87915 Session Feedback