Slide 1

Can You Keep a Secret - Drupal HackCamp 2018 - București

Slide 2

Nick Santamaria
● Drupal developer since 2006
● SysOps Engineer at PreviousNext
● Based in Melbourne, Australia
● @nicksanta
● drupal.org/user/87915
● github.com/nicksantamaria

Slide 3

Secret Management Crash Course

Slide 4

Are you in the right place?

Slide 5

What are Secrets?

Slide 6

Passwords
● Database
● Cache Backend
● Search Index
● Document Store

Slide 7

API Keys
● Cloud Platform
● Payment Processor
● Email Marketing
● CI / CD Pipeline

Slide 8

Cryptographic Keys
● SSH Key Pairs
● TLS Certificates
● AES Encryption Keys

Slide 9

Not Technically Secrets
● Financial Credentials
● Confidential Data
● Personally Identifiable Information (PII)

Slide 10

Telling Secrets to the Application

Slide 11

Stored in Repo

Slide 12

Stored in Repo

Slide 13

Stored in Database

Slide 14

Placed by Config Management
● Puppet
● Ansible
● CloudFormation
● Terraform

Variation / Complication
● Baked into AMI / AMI per security boundary
● Encrypted secrets in code / Orchestrating key distribution

Slide 15

Hand Crafted Config

Slide 16

So What's the Problem?

Slide 17

"Secret Sprawl"

Slide 18

Impossible to Audit

Slide 19

Difficulty Rotating Keys

Slide 20

What Happens When You're Compromised?

Slide 21

No content

Slide 22

Secret Management: The Solution

Slide 23

Secret Management
PROBLEM: "Secret Sprawl"
SOLUTION: Centralise storage

Slide 24

Secret Management
PROBLEM: Who has access?
SOLUTION: Authentication layer; standardised policy framework

Slide 25

Secret Management
PROBLEM: Who accessed what, and when did they do it?
SOLUTION: Audit logs

Slide 26

Secret Management
PROBLEM: Rotating secrets is time consuming and error prone
SOLUTION: Centralised storage; leases; dynamic secrets

Slide 27

Secret Management
PROBLEM
SOLUTION: Well-defined "break-glass" procedure

Slide 28

Drupal Recipes

Slide 29

Recipe #1: Store API Tokens in Lockr

Slide 30

Setup - Services
● Lockr - lockr.io
● MailChimp - mailchimp.com

Slide 31

Setup - Code
● Drupal 8
● drupal.org/project/mailchimp
● drupal.org/project/lockr
● drupal.org/project/key

Slide 32

Demo

Slide 33

Config Export - Before

Slide 34

Config Export - After

Slide 35

Config Export - After
Key safely stored in Lockr storage provider

Slide 36

Config Export - After
mailchimp.api_key config now overridden by key.repository.mailchimp_token

Slide 37

Advantages
● Attackers can't obtain API keys from
  ○ DB leaks
  ○ Codebase leaks
  ○ Stolen developer machine
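Recipe #1 as a shell session, plus the check the Config Export slides are making (that the exported config no longer carries the MailChimp key). This is an added example, not code from the talk; it assumes a composer/drush-managed Drupal 8 site exporting to config/sync, and the sample export it scans is constructed.

```shell
# Added example, not from the talk: Recipe #1 setup (slides 30-31) and the
# check behind the Config Export slides (33-36), that the export no longer
# carries the MailChimp key. Assumes a composer/drush-managed Drupal 8 site
# exporting to config/sync; the sample export below is constructed.
set -eu

# Slide 31: pull in the three modules. The Key entity for the MailChimp token
# is then created in the UI with Lockr selected as its storage provider.
install_modules() {
  composer require drupal/key drupal/lockr drupal/mailchimp
  drush pm:enable -y key lockr mailchimp
  drush config:export -y
}

# Print "file:line:key: value" for every exported config line that still
# holds a literal secret-looking value. Empty ('' / "" / null / ~) values are
# what a Key-backed setting should export as, so those are excluded.
audit_config_export() {
  find "$1" -name '*.yml' | sort | while read -r f; do
    grep -En '^[[:space:]]*[A-Za-z0-9_.]*(api_key|apikey|password|secret|token)[A-Za-z0-9_]*:[[:space:]]*[^[:space:]]' "$f" \
      | grep -Ev ":[[:space:]]*(''|\"\"|null|~)[[:space:]]*$" \
      | sed "s|^|$f:|" || true
  done
}

# Constructed sample: the "before" export (slide 33) with the key inline, and
# the "after" export (slides 34-36) where mailchimp.settings api_key is empty
# and the Key entity exports only its provider, never the value.
write_sample_export() {
  mkdir -p "$1/before" "$1/after"
  printf "api_key: 'abcdef0123456789abcdef0123456789-us9'\ncron_batch_limit: 100\n" \
    > "$1/before/mailchimp.settings.yml"
  printf "api_key: ''\ncron_batch_limit: 100\n" > "$1/after/mailchimp.settings.yml"
  printf "id: mailchimp_token\nkey_type: authentication\nkey_provider: lockr\n" \
    > "$1/after/key.key.mailchimp_token.yml"
}

# Number of findings in an export directory; 0 is what you want after Recipe #1.
count_findings() { audit_config_export "$1" | wc -l | tr -d ' '; }
```

Run `count_findings config/sync` in CI after `drush config:export` to catch a key that slips back into the repo.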

Slide 38

Alternative Storage Providers
● drupal.org/project/aws_secrets_manager
● drupal.org/project/vault_key_kv

Slide 39

Recipe #2: Crypto Keys with Kubernetes Secrets

Slide 40

Setup - Services
● Kubernetes Cluster

Slide 41

Setup - Code
● Drupal 8
● drupal.org/project/key
● drupal.org/project/encrypt
● drupal.org/project/real_aes

Slide 42

Generate AES Key

Slide 43

Add Secret Resource

Slide 44

Add Secret Resource

Slide 45

Add Secret Resource

Slide 46

Mount Secret into App Container

Slide 47

Create Encryption Key Entity

Slide 48

Advantages
● Not baking secrets into image.
● Simplifies key distribution.
● Key encrypted at rest.
● Filesystem mount = dev/prod parity.
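The steps of Recipe #2 (generate key, add Secret resource, mount it, point the Key entity at the mount) as one shell session. This is an added example, not code from the talk; the namespace, Deployment and container names and the mount path are constructed, and it assumes the Key entity uses the Key module's File provider with its base64 option.

```shell
# Added example, not from the talk: Recipe #2 (slides 42-47) as typed into a shell.
# Assumes kubectl access, a Deployment "drupal" (container "drupal") in namespace
# "drupal", and a Key entity using the File provider with its base64 option.
set -eu

# Slide 42: real_aes wants a 256-bit key; emit 32 random bytes as one base64 line.
generate_aes_key() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }
# Guard before applying: the decoded key must be exactly 32 bytes.
key_byte_length() { printf '%s' "$1" | base64 -d | wc -c | tr -d ' '; }

# Slides 43-45: the Secret carries the key. stringData keeps the mounted file
# as base64 text, which the File provider decodes back to raw key bytes.
write_secret_manifest() {
  cat > "$2" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: drupal-aes-key
  namespace: drupal
type: Opaque
stringData:
  aes.key: $1
EOF
}

# Slide 46: mount the Secret read-only; the Key entity (slide 47) then points
# at /run/secrets/drupal/aes.key, the same path in dev and prod (slide 48).
write_mount_patch() {
  cat > "$1" <<'EOF'
spec:
  template:
    spec:
      volumes:
        - {name: aes-key, secret: {secretName: drupal-aes-key}}
      containers:
        - name: drupal
          volumeMounts:
            - {name: aes-key, mountPath: /run/secrets/drupal, readOnly: true}
EOF
}

# Secret first so the pod starts with the volume present. "Encrypted at
# rest" (slide 48) only holds if the cluster has etcd encryption enabled.
apply_recipe() {
  key=$(generate_aes_key)
  [ "$(key_byte_length "$key")" = 32 ] || return 1
  write_secret_manifest "$key" secret.yaml
  write_mount_patch patch.yaml
  kubectl apply -f secret.yaml
  kubectl -n drupal patch deployment drupal --patch "$(cat patch.yaml)"
}
```

The generated secret.yaml is applied once and deleted, not committed; otherwise the key is back in the repo, which is exactly what slide 11 warns about.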

Slide 49

Other Orchestrators
● Docker Swarm - docs.docker.com/engine/swarm/secrets/
● Elastic Container Service - EC2 Parameter Store
● Nomad - HashiCorp Vault

Slide 50

Recipe #3: Dynamic Database Credentials with Vault

Slide 51

Setup
● Drupal
● HashiCorp Vault
  ○ vaultproject.io
● Consul Template
  ○ github.com/hashicorp/consul-template

Slide 52

Setup - Vault
Mount the database secret backend

Slide 53

Setup - Vault
Give Vault root access to database

Slide 54

Setup - Vault
Create "drupal" role in Vault

Slide 55

Setup - Vault
Test credentials are being generated
Created on the fly

Slide 56

Setup - Consul Template

Slide 57

Setup - Consul Template
Run Consul Template
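Recipe #3 end to end, as an added shell example that is not code from the talk. It assumes VAULT_ADDR and VAULT_TOKEN are exported, a VAULT_DB_ADMIN_PASSWORD variable for the privileged account Vault uses, a MySQL database named "drupal" at a placeholder host, and that Drupal includes a settings.local.php that consul-template renders.

```shell
# Added example, not from the talk: Recipe #3 (slides 52-57) as typed into a
# shell. Assumes VAULT_ADDR/VAULT_TOKEN are exported, VAULT_DB_ADMIN_PASSWORD
# holds the admin password Vault uses to create users, a MySQL database "drupal"
# at db.example.internal, and that Drupal includes the rendered settings file.
set -eu

# Slides 52-54: enable the database backend, hand Vault the privileged DB
# account (slide 53), then define the "drupal" role that mints per-lease users.
setup_vault() {
  vault secrets enable database
  vault write database/config/drupal-mysql \
    plugin_name=mysql-database-plugin \
    connection_url='{{username}}:{{password}}@tcp(db.example.internal:3306)/' \
    allowed_roles=drupal \
    username=vault-admin password="$VAULT_DB_ADMIN_PASSWORD"
  # max_ttl bounds how long a leaked credential stays usable at all.
  vault write database/roles/drupal \
    db_name=drupal-mysql \
    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, LOCK TABLES ON drupal.* TO '{{name}}'@'%';" \
    default_ttl=1h max_ttl=24h
  # Slide 55: every read returns a fresh username/password pair.
  vault read database/creds/drupal
}

# Slide 56: the consul-template source for settings.local.php. The {{ }}
# markers are consul-template's, not shell, hence the quoted heredoc.
write_template() {
  cat > "$1" <<'EOF'
<?php
{{ with secret "database/creds/drupal" }}
$databases['default']['default'] = [
  'driver' => 'mysql',
  'host' => 'db.example.internal',
  'database' => 'drupal',
  'username' => '{{ .Data.username }}',
  'password' => '{{ .Data.password }}',
];
{{ end }}
EOF
}

# Slide 57: keep consul-template running beside Drupal; it re-renders the
# file with new credentials before each lease expires.
run_consul_template() {
  consul-template -vault-renew-token -template "$1:$2"
}
```

Usage: `setup_vault`, then `write_template settings.ctmpl` and `run_consul_template settings.ctmpl /var/www/html/sites/default/settings.local.php`.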

Slide 58

Demo

Slide 59

Advantages
● Constant rotation of secrets.
● Credentials are probably junk by the time an attacker tries to use them.
● Risk posed by "hoarders" mitigated.

Slide 60

What Next?
● Audit your application for insecurely stored secrets. Fix!
● "Data Security in Drupal 8" at 2pm.
● Key in Drupal Core??

Slide 61

Thank You!
@nicksanta
drupal.org/user/87915