Slide 1

VAULT
MODERN SECRETS MANAGEMENT

Slide 2

SECRET MANAGEMENT

Slide 3

WHAT IS A SECRET?
- Security-sensitive information
- Personally-identifiable information (PII)
- DB User/Pass, AWS IAM Credentials, SSL Keys, Encryption Keys
- Anything that would make the news

Slide 4

HOW DO I DISTRIBUTE SECRETS?
- How do applications get secrets?
- How do operators get secrets?
- How do secrets get updated?
- How do secrets get revoked?

Slide 5

secure master $ cat main.go
package main

const (
    mysqlUser = "root"
    mysqlPass = "s3(Ret"
)

Slide 6

secure master $ cat config.json
{
    "mysql_user": "root",
    "mysql_pass": "s3(Ret"
}

Slide 7

WHY NOT CONFIG MANAGEMENT?
- Centrally stored
- Eventually consistent
- No access control
- No auditing
- No revocation

Slide 8

WHY NOT (ONLINE) DATABASES?
- RDBMS, Consul, ZooKeeper, etc.
- Not designed for secrets
- Limited access controls
- Plaintext storage
- No auditing, no revocation

Slide 9

OPERATOR ACCESS
- Separate from application access
- Dropbox, Wiki, sneaker web
- Zero visibility or control

Slide 10

SECRET SPRAWL
- Secret material is distributed
- Who has access?
- When were secrets used?
- What is the attack surface?
- What do we do in the event of a compromise?

Slide 11

No content

Slide 12

“BREAK GLASS” PROCEDURE
- Access Revocation
- Key Rolling
- Audit Trails

Slide 13

STATE OF THE WORLD
- Secret Sprawl
- Decentralized Keys
- Limited Visibility
- Poorly defined “break glass” procedures

Slide 14

SECRET MANAGEMENT 2.0

Slide 15

VAULT
MODERN SECRETS MANAGEMENT

Slide 16

VAULT GOALS
- Single source for Secrets
- Programmatic Application Access (Automated)
- Operator Access (Manual)
- Practical Security
- Modern Data Center Friendly

Slide 17

VAULT FEATURES
- Secure Secret Storage (in-memory, Consul, file, and more)
- Dynamic Secrets
- Leasing, Renewal, and Revocation
- Auditing
- Rich ACLs
- Multiple Client Authentication Methods

Slide 18

SECURE SECRET STORAGE
- Data is encrypted in transit and at rest
- 256-bit AES in GCM mode
- TLS 1.2 for clients
- No HSM required

Slide 19

secure master $ vault write secret/foo bar=bacon
Success! Data written to: secret/foo

Slide 20

secure master $ vault read secret/foo
Key              Value
lease_id         secret/foo/2a798f6f-00da-8d48-659a-ef1c969f23ed
lease_duration   2592000
lease_renewable  false
bar              bacon

Slide 21

DYNAMIC SECRETS
- Never provide “root” credentials to clients
- Provide limited access credentials based on role
- Generated on demand when requested
- Leases are enforceable via revocation
- Audit trail can identify point of compromise

Slide 22

secure master $ vault mount postgresql
Successfully mounted 'postgresql' at 'postgresql'!

Slide 23

secure master $ vault help postgresql
## DESCRIPTION

The PostgreSQL backend dynamically generates database users.
After mounting this backend, configure it using the endpoints
within the "config/" path.

## PATHS

The following paths are supported by this backend. To view help
for any of the paths below, use the help command with any route
matching the path pattern. Note that depending on the policy of
your auth token,

Slide 24

secure master $ vault write postgresql/config/connection \
    value="user=hashicorp password=hashicorp database=hashicorp"
Success! Data written to: postgresql/config/connection

Slide 25

secure master $ vault write postgresql/roles/production \
    name=production
Success! Data written to: postgresql/roles/production

Slide 26

secure master $ vault read postgresql/creds/production
Key              Value
lease_id         postgresql/creds/production/2d483e34-2d82-476...
lease_duration   3600
lease_renewable  true
password         80e6ffa5-d6e9-beb1-e630-9af0c41299bb
username         vault-root-1432058168-8081

Slide 27

secure master $ vault read postgresql/creds/production
Key              Value
lease_id         postgresql/creds/production/a99b952e-222c-6eb...
lease_duration   3600
lease_renewable  true
username         vault-root-1432058254-7887
password         17a21ba7-8726-97e4-2088-80b7a756702b

Slide 28

DYNAMIC SECRETS
- Pluggable Backends
- AWS, Consul, PostgreSQL, MySQL, Transit, Generic
- Grow support over time

Slide 29

LEASING, RENEWAL, AND REVOCATION
- Every Secret has a Lease*
- Secrets are revoked at the end of the lease unless renewed
- Secrets may be revoked early by operators
  - “Break Glass” procedure
- Dynamic Secrets make leases enforceable
  - Not possible for arbitrary secrets
  - Not possible for transit backend
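
The lease rules on this slide, as an added Go example that is not Vault's own code: a small lease table (a constructed design, not Vault's expiration manager) that issues, renews, revokes and expires leases, with a fake database standing in for the PostgreSQL backend. It makes the last bullets concrete: revoking a dynamic credential is enforceable because the backend hook drops the database user, while a static secret's lease only stops Vault serving it and the copy a client already holds keeps working. The lease IDs, the FakeDB type and the one-hour TTL (matching the lease_duration of 3600 on the earlier slides) are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// FakeDB stands in for the PostgreSQL server whose users Vault creates (constructed).
type FakeDB struct{ Users map[string]bool }

// Lease records when a secret stops being valid and how to revoke it.
type Lease struct {
	ID        string
	Expires   time.Time
	Renewable bool
	revoke    func() // backend hook run on revocation; nil for static secrets
}

// LeaseManager is a minimal lease table (assumed design, not Vault's).
type LeaseManager struct {
	leases map[string]*Lease
}

func NewLeaseManager() *LeaseManager {
	return &LeaseManager{leases: map[string]*Lease{}}
}

// Issue registers a lease of length ttl starting at now.
func (m *LeaseManager) Issue(id string, now time.Time, ttl time.Duration, renewable bool, revoke func()) *Lease {
	l := &Lease{ID: id, Expires: now.Add(ttl), Renewable: renewable, revoke: revoke}
	m.leases[id] = l
	return l
}

// Renew extends a renewable lease; a non-renewable one keeps its original expiry.
func (m *LeaseManager) Renew(id string, now time.Time, ttl time.Duration) error {
	l, ok := m.leases[id]
	if !ok {
		return errors.New("unknown or already revoked lease")
	}
	if !l.Renewable {
		return errors.New("lease is not renewable")
	}
	l.Expires = now.Add(ttl)
	return nil
}

// Revoke is the operator's "break glass" action: run the backend hook, forget the lease.
func (m *LeaseManager) Revoke(id string) error {
	l, ok := m.leases[id]
	if !ok {
		return errors.New("unknown or already revoked lease")
	}
	if l.revoke != nil {
		l.revoke()
	}
	delete(m.leases, id)
	return nil
}

// Expire revokes every lease that has reached its expiry and returns their IDs.
func (m *LeaseManager) Expire(now time.Time) []string {
	var gone []string
	for id, l := range m.leases {
		if !now.Before(l.Expires) {
			m.Revoke(id)
			gone = append(gone, id)
		}
	}
	return gone
}

// Active reports whether Vault still considers the lease valid.
func (m *LeaseManager) Active(id string) bool {
	_, ok := m.leases[id]
	return ok
}

// IssueDynamicDBCreds creates a database user and a one-hour renewable lease
// whose revocation drops that user again, so revocation is enforceable.
func IssueDynamicDBCreds(m *LeaseManager, db *FakeDB, user string, now time.Time) *Lease {
	db.Users[user] = true
	return m.Issue("postgresql/creds/production/"+user, now, time.Hour, true,
		func() { delete(db.Users, user) })
}

func main() {
	m := NewLeaseManager()
	db := &FakeDB{Users: map[string]bool{}}
	now := time.Now()
	l := IssueDynamicDBCreds(m, db, "vault-root-1432058168-8081", now)
	fmt.Println("db user exists:", db.Users["vault-root-1432058168-8081"])
	fmt.Println("expired after 2h:", m.Expire(now.Add(2*time.Hour)))
	fmt.Println("db user after revocation:", db.Users["vault-root-1432058168-8081"], "active:", m.Active(l.ID))
}
```

A static secret issued with a nil hook (as `Issue` allows) shows the slide's caveat: `Revoke` removes the lease from the table, but nothing on the consumer side changes, which is why "every secret has a lease" carries an asterisk.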

Slide 30

AUDITING
- Pluggable Audit Backends
- Request and Response Logging
- Prioritizes Safety over Availability
- Secrets Hashed in Audits
  - Searchable, but not reversible
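
What "hashed, searchable but not reversible" means in practice, as an added Go example that is not Vault's audit backend code: secret values in each logged request or response are replaced by a salted HMAC-SHA256, so an investigator who holds a suspected credential (and the audit salt) can find where it appeared, while nobody reading the log can recover the credential from it. The salted HMAC is assumed to mirror what Vault does; the AuditEntry shape, the salt and the hmac-sha256: output prefix are constructed, and the sample values are the credentials shown on the earlier slides.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// AuditEntry is a simplified request/response record (constructed shape).
type AuditEntry struct {
	Type string            `json:"type"`
	Path string            `json:"path"`
	Data map[string]string `json:"data"`
}

// hashValue returns "hmac-sha256:<hex>" of v under salt; the salt is what
// stops an attacker from precomputing hashes of guessed values.
func hashValue(salt []byte, v string) string {
	m := hmac.New(sha256.New, salt)
	m.Write([]byte(v))
	return "hmac-sha256:" + hex.EncodeToString(m.Sum(nil))
}

// HashEntry returns a copy of e with every data value replaced by its keyed hash;
// the original entry is left untouched.
func HashEntry(salt []byte, e AuditEntry) AuditEntry {
	out := AuditEntry{Type: e.Type, Path: e.Path, Data: make(map[string]string, len(e.Data))}
	for k, v := range e.Data {
		out.Data[k] = hashValue(salt, v)
	}
	return out
}

// FindSecret is the "searchable" half: given a secret known to have leaked,
// recompute its hash and report the audited paths it appeared under.
func FindSecret(salt []byte, entries []AuditEntry, secret string) []string {
	want := hashValue(salt, secret)
	var paths []string
	for _, e := range entries {
		for _, v := range e.Data {
			if hmac.Equal([]byte(v), []byte(want)) {
				paths = append(paths, e.Path)
				break
			}
		}
	}
	return paths
}

func main() {
	salt := []byte("per-audit-backend-salt (constructed)")
	raw := []AuditEntry{
		{Type: "response", Path: "postgresql/creds/production", Data: map[string]string{
			"username": "vault-root-1432058168-8081", "password": "80e6ffa5-d6e9-beb1-e630-9af0c41299bb"}},
		{Type: "response", Path: "secret/foo", Data: map[string]string{"bar": "bacon"}},
	}
	var logged []AuditEntry
	for _, e := range raw {
		logged = append(logged, HashEntry(salt, e))
	}
	b, _ := json.MarshalIndent(logged, "", "  ")
	fmt.Println(string(b))
	fmt.Println("leaked password was issued at:",
		FindSecret(salt, logged, "80e6ffa5-d6e9-beb1-e630-9af0c41299bb"))
}
```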

Slide 31

RICH ACLS
- Role Based Policies
- Restrict access to “need to know”
- Default Deny, must be explicitly allowed
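
The three rules on this slide as an added Go example, not Vault's ACL engine: role-based policies, need-to-know paths, and default deny. The rule format used here (a path plus a read/write/deny level, a trailing `*` as a prefix glob, the longest matching path winning and deny winning ties) is a simplification assumed for the example, and the web-app policy contents are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule grants a policy level on a path. A trailing "*" matches any suffix.
type Rule struct {
	Path   string
	Policy string // "read", "write" or "deny"
}

// Policy is a named set of rules attached to a role or token.
type Policy struct {
	Name  string
	Rules []Rule
}

// matches reports whether a rule path covers the requested path.
func matches(rulePath, reqPath string) bool {
	if strings.HasSuffix(rulePath, "*") {
		return strings.HasPrefix(reqPath, strings.TrimSuffix(rulePath, "*"))
	}
	return rulePath == reqPath
}

// grants says whether a policy level permits an operation.
func grants(policy, op string) bool {
	switch policy {
	case "write":
		return op == "read" || op == "write" || op == "delete"
	case "read":
		return op == "read"
	default: // "deny" and anything unrecognised
		return false
	}
}

// Allowed evaluates op on path against a token's policies. The most specific
// (longest) matching path wins, deny wins ties, and with no match at all the
// answer is false: access has to be granted explicitly.
func Allowed(policies []Policy, op, path string) (bool, string) {
	var best Rule
	found := false
	for _, p := range policies {
		for _, r := range p.Rules {
			if !matches(r.Path, path) {
				continue
			}
			longer := len(r.Path) > len(best.Path)
			tieDeny := len(r.Path) == len(best.Path) && r.Policy == "deny"
			if !found || longer || tieDeny {
				best, found = r, true
			}
		}
	}
	if !found {
		return false, "default deny"
	}
	return grants(best.Policy, op), fmt.Sprintf("%s => %s", best.Path, best.Policy)
}

// WebAppPolicy is a constructed need-to-know policy for one application role:
// its own database credentials and its own secret subtree, nothing else.
var WebAppPolicy = Policy{Name: "web-app", Rules: []Rule{
	{Path: "postgresql/creds/production", Policy: "read"},
	{Path: "secret/web/*", Policy: "read"},
	{Path: "secret/web/admin/*", Policy: "deny"},
}}

func main() {
	for _, req := range [][2]string{
		{"read", "postgresql/creds/production"},
		{"write", "postgresql/creds/production"},
		{"read", "secret/web/config"},
		{"read", "secret/web/admin/root"},
		{"read", "sys/seal"},
	} {
		ok, why := Allowed([]Policy{WebAppPolicy}, req[0], req[1])
		fmt.Printf("%-5s %-32s allowed=%-5v (%s)\n", req[0], req[1], ok, why)
	}
}
```

The request for `sys/seal` is the case the slide's last bullet is about: no rule mentions it, so the evaluator never reaches a grant and the token is refused without any explicit deny having been written.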

Slide 32

FLEXIBLE AUTH
- Pluggable Backends
- Tokens, GitHub, AppID, User/Pass, TLS Certs
- Machine-Oriented vs Operator-Oriented

Slide 33

HIGH AVAILABILITY
- Consul used for leader election
- Active/Standby
- Automatic failover

Slide 34

UNSEALING THE VAULT
- Data in Vault encrypted
- Vault requires encryption key
- Must be provided online

Slide 35

secure master $ vault status
Sealed: true
Key Shares: 10
Key Threshold: 7
Unseal Progress: 6
High-Availability Enabled: false

Slide 36

secure master $ vault unseal
Key (will be hidden):

Slide 37

secure master $ vault unseal
Key (will be hidden):
Sealed: false
Key Shares: 10
Key Threshold: 7
Unseal Progress: 0

Slide 38

WATCHING THE WATCHMEN
- Master Key is the “key to the kingdom”
- All data could be decrypted
- Protect against insider attack
- Two-Man Rule

Slide 39

SHAMIR SECRET SHARING
- Protect Encryption Key with Master Key
- Split Master Key into N shares
- T shares to recompute Master
- Quorum of key holders required to unseal
- Default N:5, T:3
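
The split-and-recombine scheme this slide describes, as an added Go example that is not Vault's shamir package: the master key is split byte by byte over GF(2^8) into N shares, any T of which rebuild it by Lagrange interpolation at x = 0, with the defaults N = 5, T = 3 from the slide. The share layout (the x-coordinate appended as the last byte), the search-based field inverse and the sample key are assumptions made for the example; a quorum of fewer than T shares yields bytes that carry no information about the key.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

// gfMul multiplies in GF(2^8) using the AES reduction polynomial x^8+x^4+x^3+x+1.
func gfMul(a, b byte) byte {
	var p byte
	for i := 0; i < 8; i++ {
		if b&1 == 1 {
			p ^= a
		}
		carry := a & 0x80
		a <<= 1
		if carry != 0 {
			a ^= 0x1b
		}
		b >>= 1
	}
	return p
}
// gfInv finds the inverse by search over the 255 nonzero elements; gfInv(0) is 0.
func gfInv(a byte) byte {
	for x := 1; x < 256; x++ {
		if gfMul(a, byte(x)) == 1 {
			return byte(x)
		}
	}
	return 0
}
// evalPoly evaluates coeffs[0] + coeffs[1]*x + ... at x by Horner's rule.
func evalPoly(coeffs []byte, x byte) byte {
	var y byte
	for i := len(coeffs) - 1; i >= 0; i-- {
		y = gfMul(y, x) ^ coeffs[i]
	}
	return y
}

// Split returns n shares, any t of which reconstruct secret. A share is one
// evaluation per secret byte plus a trailing x-coordinate byte (assumed layout).
func Split(secret []byte, n, t int) ([][]byte, error) {
	if t < 2 || t > n || n > 255 {
		return nil, errors.New("need 2 <= t <= n <= 255")
	}
	shares := make([][]byte, n)
	for i := range shares {
		shares[i] = make([]byte, len(secret)+1)
		shares[i][len(secret)] = byte(i + 1) // x = 0 is reserved for the secret
	}
	coeffs := make([]byte, t)
	for idx, b := range secret {
		if _, err := rand.Read(coeffs[1:]); err != nil { // fresh degree t-1 polynomial per byte
			return nil, err
		}
		coeffs[0] = b
		for i := range shares {
			shares[i][idx] = evalPoly(coeffs, byte(i+1))
		}
	}
	return shares, nil
}

// Combine interpolates at x = 0. Fewer than t shares still yield bytes, but
// those bytes carry no information about the secret.
func Combine(shares [][]byte) ([]byte, error) {
	if len(shares) < 2 || len(shares[0]) < 2 {
		return nil, errors.New("need at least two well-formed shares")
	}
	size := len(shares[0])
	xs := make([]byte, len(shares))
	for i, s := range shares {
		if len(s) != size {
			return nil, errors.New("share length mismatch")
		}
		xs[i] = s[size-1]
	}
	secret := make([]byte, size-1)
	for idx := range secret {
		for i := range shares {
			basis := byte(1) // Lagrange L_i(0) = prod_{j != i} x_j / (x_j - x_i); "-" is XOR here
			for j := range shares {
				if j != i {
					basis = gfMul(basis, gfMul(xs[j], gfInv(xs[j]^xs[i])))
				}
			}
			secret[idx] ^= gfMul(shares[i][idx], basis)
		}
	}
	return secret, nil
}

func main() {
	master := []byte("constructed 32-byte master key!!") // stands in for Vault's master key
	shares, _ := Split(master, 5, 3)                    // Vault's defaults: N = 5, T = 3
	got, _ := Combine(shares[:3])
	fmt.Println("3 of 5 shares recover the key:", string(got) == string(master))
}
```

Each key holder keeps one share; because the polynomial per byte has degree T-1, any T shares determine it and T-1 shares leave every value of the constant term equally likely, which is what makes the two-man rule on the previous slide enforceable rather than procedural.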

Slide 40

SUMMARY
- Solves the “Secret Sprawl Problem”
- Protects against external threats (Cryptosystem)
- Protects against internal threats (ACLs and Secret Sharing)

Slide 41

BUILDING ON VAULT

Slide 42

SECURITY FOUNDATION
- Base of Trust
- Core Infrastructure
- Flexible Architecture
- Foundation for Security Infrastructure

Slide 43

PERSONALLY IDENTIFIABLE INFORMATION
- PII is everywhere
- SSN, CC#, OAuth Tokens, etc.
- Email? Physical address?
- Security of storage?
- Scalability of storage?
- Auditability of access?

Slide 44

PII WITH VAULT
- “transit” backend in Vault
- Encrypt/Decrypt data in transit
- Avoid secret management in client applications
- Builds on Vault foundation

Slide 45

TRANSIT BACKEND
- Web server has no encryption keys
- Requires two-factor compromise (Vault + Datastore)
- Decouples storage from encryption and access control
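
The separation on this slide and the previous one, as an added Go example that is not Vault's transit backend: the web server holds no key, the datastore holds only ciphertext, and reading a PII record needs both the stored record and a call into transit, so a copy of the datastore alone decrypts nothing. AES-256-GCM matches the storage slide and the `vault:v1:` ciphertext prefix mirrors transit's format, but the in-process Transit type, its method signatures and the sample record are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Transit models the Vault side: it holds the key and only ever sees data
// passing through an encrypt or decrypt call.
type Transit struct {
	aead cipher.AEAD
}

// NewTransit generates a fresh 256-bit AES-GCM key that never leaves this struct.
func NewTransit() (*Transit, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Transit{aead: aead}, nil
}

// Encrypt returns "vault:v1:" + base64(nonce || ciphertext || tag).
func (t *Transit) Encrypt(plaintext []byte) (string, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := t.aead.Seal(nonce, nonce, plaintext, nil) // nonce is prepended to the output
	return "vault:v1:" + base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt; it fails on a wrong key, a tampered record or a malformed value.
func (t *Transit) Decrypt(ciphertext string) ([]byte, error) {
	if !strings.HasPrefix(ciphertext, "vault:v1:") {
		return nil, errors.New("unknown ciphertext format")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(ciphertext, "vault:v1:"))
	if err != nil {
		return nil, err
	}
	ns := t.aead.NonceSize()
	if len(raw) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return t.aead.Open(nil, raw[:ns], raw[ns:], nil)
}

// Datastore is the application database: it stores ciphertext and never sees keys.
type Datastore map[string]string

// WebServer holds no key material, only a handle to transit and the datastore.
type WebServer struct {
	Transit *Transit
	DB      Datastore
}

func (w *WebServer) StorePII(user, ssn string) error {
	ct, err := w.Transit.Encrypt([]byte(ssn))
	if err != nil {
		return err
	}
	w.DB[user] = ct
	return nil
}

func (w *WebServer) ReadPII(user string) (string, error) {
	ct, ok := w.DB[user]
	if !ok {
		return "", errors.New("no record for user")
	}
	pt, err := w.Transit.Decrypt(ct)
	return string(pt), err
}

func main() {
	tr, err := NewTransit()
	if err != nil {
		panic(err)
	}
	w := &WebServer{Transit: tr, DB: Datastore{}}
	w.StorePII("alice", "123-45-6789") // constructed sample SSN
	fmt.Println("datastore holds:", w.DB["alice"])
	pt, _ := w.ReadPII("alice")
	fmt.Println("web server reads back:", pt)
	other, _ := NewTransit() // a datastore dump on its own meets a different key
	_, err = other.Decrypt(w.DB["alice"])
	fmt.Println("decrypt without Vault's key:", err)
}
```

Because the web server's token to transit is itself a leased, auditable Vault credential, the "two-factor compromise" on the slide also leaves a trail: every decrypt is a logged request rather than a silent read of a key file.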

Slide 46

FUTURE: CERTIFICATE AUTHORITY
- Vault acts as Internal CA
- Vault stores root CA keys
- Dynamic Secrets: generates signed TLS keys
- No more tears

Slide 47

FUTURE: MUTUAL TLS FOR SERVICES
- Dynamic CA allows all services to generate keys
- All internal service communication can use mutual TLS
- End-to-End encryption inside the datacenter

Slide 48

SECURITY FOUNDATION
- Early days of Vault
- “transit” backend shows clever uses of primitives
- Certificate Authority extends use cases, reduces moving pieces

Slide 49

VAULT IN PRACTICE

Slide 50

USING VAULT
- API Driven: JSON/HTTPS
- Rich CLI for humans and scripts
- Rich Client libraries

Slide 51

APPLICATION INTEGRATION
- Vault-aware
- Native Client libraries
- Secrets only in-memory
- Safest but high-touch
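
A Vault-aware client in the sense of this slide and the "API driven" one before it, as an added Go example that is not HashiCorp's client library: it reads secret/foo over the JSON HTTP API, keeps the value only in memory (the replacement for the hardcoded password in main.go earlier), and fails closed on a rejected token or a missing path. The request shape (GET /v1/<path> with an X-Vault-Token header) and the response fields (lease_id, lease_duration, renewable, data) follow the public API; the fakeVault transport, its token and the server address are constructed so the example runs offline without opening a socket.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Secret mirrors the JSON body Vault returns for a read.
type Secret struct {
	LeaseID       string            `json:"lease_id"`
	LeaseDuration int               `json:"lease_duration"`
	Renewable     bool              `json:"renewable"`
	Data          map[string]string `json:"data"`
}

// Client is a minimal Vault-aware client: address, token and HTTP transport.
type Client struct {
	Addr  string
	Token string
	http  *http.Client
}

func NewClient(addr, token string, rt http.RoundTripper) *Client {
	return &Client{Addr: addr, Token: token, http: &http.Client{Transport: rt}}
}

// Read performs GET /v1/<path> with the token in the X-Vault-Token header.
func (c *Client) Read(path string) (*Secret, error) {
	req, err := http.NewRequest("GET", c.Addr+"/v1/"+path, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", c.Token)
	resp, err := c.http.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("vault returned HTTP %d for %s", resp.StatusCode, path)
	}
	var s Secret
	if err := json.NewDecoder(resp.Body).Decode(&s); err != nil {
		return nil, err
	}
	return &s, nil
}

// DBPasswordFromVault is what the application does instead of a hardcoded
// password: fetch the secret at startup and keep it only in memory.
func DBPasswordFromVault(c *Client) (string, error) {
	s, err := c.Read("secret/foo")
	if err != nil {
		return "", err
	}
	v, ok := s.Data["bar"]
	if !ok {
		return "", errors.New("secret/foo has no 'bar' key")
	}
	return v, nil
}

// fakeVault is a constructed in-process stand-in for the Vault server: it
// checks the token and serves the secret/foo record shown on the slides.
type fakeVault struct{ validToken string }

func (f fakeVault) RoundTrip(r *http.Request) (*http.Response, error) {
	status, body := http.StatusOK, `{"lease_id":"secret/foo/2a798f6f-00da-8d48-659a-ef1c969f23ed",`+
		`"lease_duration":2592000,"renewable":false,"data":{"bar":"bacon"}}`
	switch {
	case r.Header.Get("X-Vault-Token") != f.validToken:
		status, body = http.StatusForbidden, `{"errors":["permission denied"]}`
	case r.URL.Path != "/v1/secret/foo":
		status, body = http.StatusNotFound, `{"errors":[]}`
	}
	return &http.Response{StatusCode: status, Header: http.Header{}, Request: r,
		Body: io.NopCloser(strings.NewReader(body))}, nil
}

func main() {
	c := NewClient("https://vault.example:8200", "constructed-token", fakeVault{validToken: "constructed-token"})
	password, err := DBPasswordFromVault(c)
	fmt.Printf("password held in memory only: %q, err=%v\n", password, err)
}
```

Against a real server, `NewClient` would be given `http.DefaultTransport` (or one carrying the TLS 1.2 configuration from the storage slide) and the address of the Vault cluster; nothing else in the application changes, which is the point of making the client Vault-aware.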

Slide 52

CONSUL TEMPLATE INTEGRATION
- Secrets templatized into application configuration
- Vault is transparent
- Lease management is automatic
- Non-secret configuration still via Consul

Slide 53

secure master $ cat secrets.yml.ctmpl
{{ with $secret := vault "postgresql/creds/production" }}
---
production:
  adapter: postgresql
  database: postgres.service.consul
  username: {{$secret.Data.username}}
  password: {{$secret.Data.password}}
  pool: {{key "production/postgres/pool"}}
{{ end }}

Slide 54

APPLICATION INTEGRATION
- Future: envconsul
  - Vault oblivious, read environment variables
- Future: KeyWhiz-style FUSE FS
  - Vault oblivious, read “files”, in-memory only

Slide 55

QUICK RECAP

Slide 56

VAULT
- Secrets Management Modernized
- Fixes the Secret Sprawl Problem
- Easy to Integrate
- Small and lightweight (15MB)
- Provides Security Foundation

Slide 57

VAULT ROADMAP
- Planned external code audit by security research firm
- Integrate across HashiCorp tools
- Tame the Modern Datacenter

Slide 58

THANK YOU! QUESTIONS?
- hashicorp/vault
- https://vaultproject.io
- security@hashicorp.com