
Distributing Secrets Securely to Containers

A talk on two methods for distributing secrets securely to containers

Alan Robertson

September 19, 2017

Transcript

  1. Distributing Secrets Securely to Containers
     Alan Robertson, Charter Communications
     [email protected] @OSSAlanR
     Founder: Linux-HA project, Assimilation Project
     http://AssimilationSystems.com/
  2. Agenda
     • What’s a secret?
     • What does it mean to protect a secret?
     • So what’s the problem?
     • Two solutions:
       – Custodia
       – Custom code
  3. What’s a Secret?
     • These kinds of things are often secrets:
       – Passwords, application tokens, secret keys, AWS keys, etc.
     • You’re storing them so machines (and humans) have access to them
     • It might be something small and internal
     • It might be something a bit more important
     • It might be the “Keys To The Kingdom”
  4. What does protecting a secret mean?
     • Don’t store them in plain text on disk
     • Don’t pass them as command line parameters or environment variables (a command line is world-readable through /proc/<pid>/cmdline and ps; an environment is readable by anything running as the same user or as root through /proc/<pid>/environ, and a container’s environment is recorded by docker inspect)
     • Don’t store them in GitHub...
     • This is harder than it sounds...
  5. So what’s the problem?
     • If you cannot protect your Vault key, then your secrets are at risk
     • If an attacker compromises your application, they probably have access to your Vault key...
     • If you could protect your Vault key, you could probably protect your secrets
     • Vault software helps but is not enough
     • We need to be able to protect our keys!
  6. What to do?
     • Don’t store Vault keys in your containers
     • Identify and validate your application without using the keys it needs to protect
     • How to do this?
  7. UNIX sockets to the rescue!
     • UNIX domain sockets allow authentication of the application that’s connecting: the kernel, not the client, reports the peer’s
       – User ID
       – Group ID
       – Process ID
       – Security context (SELinux)
     • On Linux the first three come from the SO_PEERCRED socket option (or SCM_CREDENTIALS ancillary data) and the SELinux label from SO_PEERSEC; a client cannot forge any of them
  8. This helps you get even more information from
     • /proc
     • docker inspect
     This gives you something analogous to the DNA of the caller: the cyber analog of biometrics.
     Authenticate your caller with just this information.
  9. /proc interesting things
     • /proc/<pid>/cmdline – client command line (a process can rewrite its own argv, so treat this as a hint, not an identity)
     • /proc/<pid>/cgroup – identifies the container
     • /proc/<pid>/exe – full pathname of the client binary
     • /proc/<pid>/uid_map (and gid_map) – user namespace mappings
     • /proc/<pid>/status – uid/gid info, ppid
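The following is an added example for slides 7 to 9, not the author's authproxy or Custodia code: a small secret-proxy that learns who is on the other end of a UNIX domain socket with SO_PEERCRED, builds the caller's "DNA" from /proc, matches it against a policy keyed only on kernel-reported facts, and then hands the caller its own Vault key. It assumes the proxy runs on the host in the host PID namespace (so the pid it receives is valid under the host's /proc); the socket path, policy, key and /proc snapshot are constructed. Linux only.

```python
"""Authenticate a UNIX-socket client by its process identity, then hand it a vault key.

Added example for this deck, not the author's authproxy or Custodia code.  Assumes the
proxy runs on the host in the host PID namespace (so the pid from SO_PEERCRED is valid
under the host's /proc); the socket path, policy, keys and /proc snapshot are made up.
Linux only.
"""
import os
import re
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

_UCRED = struct.Struct("3i")        # struct ucred { pid_t pid; uid_t uid; gid_t gid; }

def peer_credentials(conn: socket.socket) -> Tuple[int, int, int]:
    """(pid, uid, gid) of the peer as recorded by the kernel; the peer cannot forge them."""
    return _UCRED.unpack(conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size))

@dataclass(frozen=True)
class Caller:
    pid: int
    uid: int
    gid: int
    exe: str                     # readlink /proc/<pid>/exe: kernel-reported
    cmdline: tuple               # /proc/<pid>/cmdline: caller can rewrite argv, so log it, don't trust it
    ppid: int                    # PPid: from /proc/<pid>/status
    container_id: Optional[str]  # from /proc/<pid>/cgroup; None outside a container

# cgroup v1 (/docker/<id>) and cgroup v2 + systemd driver (/system.slice/docker-<id>.scope)
_DOCKER_CGROUP = re.compile(r"/docker/([0-9a-f]{64})$|/docker-([0-9a-f]{64})\.scope$")

def container_id_from_cgroup(text: str) -> Optional[str]:
    for line in text.splitlines():                # "hierarchy-id:controllers:path"
        m = _DOCKER_CGROUP.search(line.split(":", 2)[-1])
        if m:
            return m.group(1) or m.group(2)
    return None

def fingerprint(pid: int, uid: int, gid: int, read=None, readlink=None) -> Caller:
    """Assemble the caller's 'DNA' from /proc.  read/readlink are injectable so the
    parsing can run on a constructed snapshot; the defaults read the real /proc."""
    read = read or (lambda p: open(p, "rb").read().decode(errors="replace"))
    readlink = readlink or os.readlink
    base = f"/proc/{pid}"
    status = read(f"{base}/status")
    return Caller(pid, uid, gid,
                  exe=readlink(f"{base}/exe"),
                  cmdline=tuple(a for a in read(f"{base}/cmdline").split("\0") if a),
                  ppid=int(re.search(r"^PPid:\s+(\d+)", status, re.M).group(1)),
                  container_id=container_id_from_cgroup(read(f"{base}/cgroup")))

# policy: (uid, exe, must-be-in-container) -> name of the vault key the client may receive
Policy = Dict[Tuple[int, str, bool], str]

def authorize(c: Caller, policy: Policy) -> Optional[str]:
    """Decide on kernel-reported facts only (uid, exe, cgroup), never on cmdline."""
    return policy.get((c.uid, c.exe, c.container_id is not None))

def serve(sock_path: str, policy: Policy, keys: Dict[str, str]) -> None:
    """Accept loop: authenticate each peer, then send it its own vault key and nothing else."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(sock_path)
        srv.listen(8)
        while True:
            conn, _ = srv.accept()
            with conn:
                pid, uid, gid = peer_credentials(conn)
                client = authorize(fingerprint(pid, uid, gid), policy)
                if client is not None:            # unauthenticated callers just get EOF
                    conn.sendall(keys[client].encode() + b"\n")

# --- constructed /proc snapshot and policy standing in for a real host -----------------
CONTAINER_ID = "3f2e1a9c" * 8                     # made-up 64-hex docker container id
SAMPLE_PROC = {
    "/proc/4242/cmdline": "/usr/bin/python3\0/app/worker.py\0--queue\0billing\0",
    "/proc/4242/cgroup": f"0::/system.slice/docker-{CONTAINER_ID}.scope\n",
    "/proc/4242/status": "Name:\tpython3\nState:\tS (sleeping)\nPid:\t4242\nPPid:\t4200\n",
}
SAMPLE_LINKS = {"/proc/4242/exe": "/usr/bin/python3.9"}
POLICY: Policy = {(1000, "/usr/bin/python3.9", True): "billing-worker"}
VAULT_KEYS = {"billing-worker": "s.not-a-real-vault-token"}

def demo(uid: int = 1000) -> Optional[str]:
    """Authorize the constructed caller; uid stands in for what SO_PEERCRED reported."""
    c = fingerprint(4242, uid, 1000, SAMPLE_PROC.__getitem__, SAMPLE_LINKS.__getitem__)
    return authorize(c, POLICY)

def self_check_peercred() -> Optional[bool]:
    """True if SO_PEERCRED names this process on a local socketpair; None where unsupported."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with a, b:
        return tuple(peer_credentials(a)) == (os.getpid(), os.getuid(), os.getgid())

if __name__ == "__main__":
    print(demo(), demo(uid=0), self_check_peercred())     # billing-worker None True
    # serve("/run/secretproxy.sock", POLICY, VAULT_KEYS)  # the real listener; needs root
```

Two caveats worth keeping in mind with this approach. First, /proc/<pid>/exe and the cgroup path are reported by the kernel, but /proc/<pid>/cmdline is memory the client owns and can overwrite, which is why the policy above ignores it. Second, there is a window between accept() and the /proc reads in which the caller could exec a different binary; reading /proc immediately and keying the decision on the container (cgroup) rather than on the transient process narrows that window but does not remove it.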
  10. Docker inspect interesting things
      • Name – the name of the container (docker inspect prints it with a leading “/”)
      • Path – full pathname of the container’s “init” process
      • Args – the arguments given to the init process in the container
      • State.Pid – the process id of the container’s “init” process, in the host’s PID namespace
      • Config.Hostname – hostname of this container
      • Config.Image – the image name (and tag) the client is running in
      • Image – the sha256 image ID that Config.Image resolved to when the container was created
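An added example for this slide (not the author's code): the proxy, which runs on the host with access to the Docker socket, takes the container id recovered from the caller's /proc/<pid>/cgroup, runs `docker inspect` on it, and refuses to hand out a key unless the inspect record agrees with the cgroup and the image id matches the one pinned for that image name. The image names, ids and the sample inspect output are constructed.

```python
"""Pin a caller's container to an expected image using `docker inspect`.

Added example for this deck, not the author's code.  The container id is the one
recovered from the caller's /proc/<pid>/cgroup; the daemon runs on the host with
access to the Docker socket, so the caller cannot influence what `docker inspect`
returns.  The image names, ids and inspect output below are constructed.
"""
import json
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class ContainerFacts:
    id: str
    name: str               # Name: container name, without the leading "/"
    path: str               # Path: the container's init process
    args: Tuple[str, ...]   # Args: arguments given to that init process
    pid: int                # State.Pid: host pid of the init process
    hostname: str           # Config.Hostname: defaults to the first 12 chars of Id
    image_ref: str          # Config.Image: the name/tag the container was started from
    image_id: str           # Image: sha256 id of the image content actually running

def inspect_container(container_id: str) -> str:
    """Run `docker inspect <id>` on the host and return its JSON output."""
    done = subprocess.run(["docker", "inspect", container_id],
                          capture_output=True, check=True, text=True)
    return done.stdout

def describe(inspect_json: str) -> ContainerFacts:
    doc = json.loads(inspect_json)[0]                 # docker inspect returns a list
    return ContainerFacts(id=doc["Id"], name=doc["Name"].lstrip("/"), path=doc["Path"],
                          args=tuple(doc["Args"]), pid=int(doc["State"]["Pid"]),
                          hostname=doc["Config"]["Hostname"],
                          image_ref=doc["Config"]["Image"], image_id=doc["Image"])

def verify_container(f: ContainerFacts, cgroup_id: str, pinned: Dict[str, str]) -> List[str]:
    """Return policy violations (an empty list means the container may receive a key).
    pinned maps an image reference to the image id it must resolve to, so a tag that
    has been moved to a different image is refused even though the name still matches."""
    problems = []
    if f.id != cgroup_id:
        problems.append(f"inspect Id {f.id[:12]} does not match cgroup id {cgroup_id[:12]}")
    want = pinned.get(f.image_ref)
    if want is None:
        problems.append(f"image {f.image_ref} is not on the allowlist")
    elif f.image_id != want:
        problems.append(f"image id {f.image_id[:19]} differs from pinned {want[:19]}")
    if f.pid <= 0:
        problems.append("container is not running")
    return problems

# --- constructed stand-in for `docker inspect` output -----------------------------------
CID = "3f2e1a9c" * 8                                  # made-up 64-hex container id
IMAGE_ID = "sha256:" + "7c" * 32                      # made-up image id
PINNED = {"registry.example.internal/billing/worker:1.4.2": IMAGE_ID}
SAMPLE_INSPECT = json.dumps([{
    "Id": CID, "Name": "/billing-worker", "Path": "python3",
    "Args": ["/app/worker.py", "--queue", "billing"],
    "State": {"Pid": 4200}, "Image": IMAGE_ID,
    "Config": {"Hostname": CID[:12], "Image": "registry.example.internal/billing/worker:1.4.2"},
}])

def demo(cgroup_id: str = CID, pinned: Dict[str, str] = PINNED) -> List[str]:
    """Check the constructed inspect record against a cgroup id and an image pin."""
    return verify_container(describe(SAMPLE_INSPECT), cgroup_id, pinned)

if __name__ == "__main__":
    print(demo())                                              # []
    print(demo(pinned={"registry.example.internal/billing/worker:1.4.2": "sha256:" + "00" * 32}))
```

In production `describe(inspect_container(cid))` replaces the constructed record. Pinning on `Image` rather than on `Config.Image` is the point: the tag is just a name that anyone with push access can move, while the sha256 id names the exact content the container was created from.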
  11. Could it be simpler?
      • Custodia:
        – Proxies the entire secret management infrastructure
        – Duplicates configuration that already lives in Vault
        – Larger attack surface (even though it’s good code)
      • What if you just provided Vault keys?
        – Each client just gets a Vault key when authenticated
        – Clients use the key to connect directly to Vault
  12. References
      • Custodia article:
        – peerlyst.com/posts/sharing-secrets-with-containers-using-custodia-alan-robertson
      • Authproxy article:
        – peerlyst.com/posts/the-authproxy-method-of-sharing-secrets-safely-with-containers-alan-robertson