Slide 1

HashiCorp Vault for Drupalers
Drupal HackCamp 2018 - București

Slide 2

Nick Santamaria
● Drupal developer since 2006
● SysOps Engineer at PreviousNext
● Based in Melbourne, Australia
● HashiCorp Fan
@nicksanta
github.com/nicksantamaria
drupal.org/user/87915

Slide 3

The Secret Management Problem

Slide 4

What are Secrets?
A piece of information that proves an identity, or authorization to perform certain functions.
● Username & Password
● API Token
● TLS Certificate (strictly, the private key behind it; the certificate itself is public)

Slide 5

What are Secrets?
Things in this realm must be carefully handled.
● Who has access?
● When did they access it?
● How will they be rotated?

Slide 6

In the Wild
They are in your settings.php files.

Slide 7

In the Wild
They are in your config exports.

Slide 8

In the Wild
They are in your Ansible playbooks.

Slide 9

Secret Sprawl
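
The three slides above name where secrets end up: settings.php, config exports and Ansible playbooks. As an added example (not code from the talk or from the drupal.org vault modules), the Python below scans a constructed sample of each and reports literal credentials while skipping values that are already references (getenv(), Jinja templating, ansible-vault blobs), so what it prints is the sprawl that still needs moving into Vault. The key-name list, the exclusion patterns and the three sample files are this example's own assumptions.

```python
"""Find hard-coded secrets in settings.php, exported config YAML and Ansible
playbooks. Added example for this deck; not code from the talk or from the
drupal.org vault modules. The three sample files below are constructed."""
import re
from typing import List, NamedTuple

# Key names that normally carry a credential (assumed list). hash_salt is Drupal's own salt.
SECRET_KEYS = (r"(?:password|passwd|secret(?:[_-]?key)?|api[_-]?key|access[_-]?key"
               r"|token|private[_-]?key|hash[_-]?salt)")

# Values that are references rather than literals: env lookups, Jinja templating, ansible-vault.
SAFE_VALUE = re.compile(r"getenv\(|\$_ENV\[|\$_SERVER\[|\{\{.*\}\}|!vault")

PATTERNS = {
    # settings.php shapes:  'password' => 'x',   or   $settings['hash_salt'] = 'x';
    "php": re.compile(
        rf"""(?P<key>['"][\w.]*{SECRET_KEYS}['"])\]?\s*(?:=>|=)\s*(?P<value>['"][^'"]*['"])""",
        re.I),
    # Drupal config exports and Ansible YAML share the shape  key: value
    "yaml": re.compile(rf"^\s*(?P<key>[\w.]*{SECRET_KEYS})\s*:\s*(?P<value>\S.*)$", re.I),
}


class Finding(NamedTuple):
    source: str
    line_no: int
    key: str
    value: str


def scan(source: str, text: str) -> List[Finding]:
    """Return one Finding per line that assigns a literal (non-referenced) secret value."""
    pattern = PATTERNS["php"] if source.endswith(".php") else PATTERNS["yaml"]
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = pattern.search(line)
        if not match:
            continue
        value = match.group("value").strip()
        if SAFE_VALUE.search(value):
            continue  # sourced from the environment, templated, or ansible-vault encrypted
        findings.append(Finding(source, line_no, match.group("key").strip("'\""), value))
    return findings


# --- constructed samples (not real credentials) -------------------------------
SETTINGS_PHP = """<?php
$databases['default']['default'] = [
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'hunter2',
  'host' => 'db',
];
$settings['hash_salt'] = 'CONSTRUCTED-SALT-NOT-REAL';
$settings['mailchimp_api_key'] = getenv('MAILCHIMP_API_KEY');
"""

CONFIG_YML = """_core:
  default_config_hash: CONSTRUCTEDHASH
endpoint: 'https://api.example.com'
api_key: 'sk_live_CONSTRUCTED'
"""

PLAYBOOK_YML = """- hosts: web
  vars:
    mysql_root_password: hunter2
    smtp_password: "{{ vault_smtp_password }}"
    ssl_private_key: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          6130CONSTRUCTED
"""


def scan_all() -> List[Finding]:
    """Scan the three constructed samples in the order the slides list them."""
    return (scan("settings.php", SETTINGS_PHP)
            + scan("mymodule.settings.yml", CONFIG_YML)
            + scan("playbook.yml", PLAYBOOK_YML))


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f.source}:{f.line_no}: {f.key} = {f.value}")
```

Run as a script it reports four findings: the database password and hash_salt in settings.php, the api_key in the config export, and mysql_root_password in the playbook; the getenv() lookup, the templated smtp_password and the ansible-vault block are correctly left alone.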

Slide 10

HashiCorp Vault

Slide 11

The Secret Management Problem
Vault addresses the challenges of secrets management.
● Centralised
● Fine-grained access control
● Audit trail

Slide 12

“moving from a world of sprawl to a world of centrality; with strong guarantees around encryption, access control, and visibility.” - Armon Dadgar, HashiCorp CTO

Slide 13

The Application Problem
or: Software sucks at keeping secrets

Slide 14

The Application Problem
Applications will inevitably expose secrets.
● Logs
● Stack traces
● Monitoring tools

Slide 15

Dynamic Secrets

Slide 16

Dynamic Secrets
Issue applications short-lived credentials.
● Created dynamically
● Ephemeral
● Require lease renewals

Slide 17

A constantly moving target for attackers.

Slide 18

Dynamic Secrets
Each client receives unique credentials.
● Identify the specific point of breach.
● Revoke credentials for the compromised client.
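
Slides 16 to 18 describe the lifecycle in words. The Python below is an added model of those semantics, not Vault's code and not the Drupal module: each issue() hands out a unique credential under a lease, renew() extends it but never past max_ttl, a username that shows up in a leaked log line attributes to exactly one client, and revoke() cuts off that client alone. renew_expiring() is the cron-style sweep the deck later describes as the Drupal module's lease maintenance. Lease ids, usernames, TTLs and the log line are constructed; `now` is passed in so the lifecycle can be stepped deterministically.

```python
"""Model of Vault-style dynamic secrets. Every client gets its own short-lived
credential under a lease; leases are renewed up to max_ttl and can be revoked
one at a time. Added example for this deck: not Vault's code and not the
drupal.org vault module. Lease ids and usernames mimic Vault's database engine
but are constructed here; `now` is explicit so the lifecycle is deterministic."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Lease:
    lease_id: str
    client: str            # which Drupal instance / role asked for it
    username: str
    password: str
    expires_at: float
    max_expires_at: float  # hard ceiling: issue time + max_ttl
    revoked: bool = False


class DynamicSecretEngine:
    """Hands out unique credentials per request, like Vault's database secrets engine."""

    def __init__(self, ttl: float, max_ttl: float) -> None:
        self.ttl, self.max_ttl = ttl, max_ttl
        self.leases: Dict[str, Lease] = {}
        self.lease_by_username: Dict[str, str] = {}  # for breach attribution

    def issue(self, client: str, now: float) -> Lease:
        lease = Lease(
            lease_id=f"database/creds/{client}/{secrets.token_hex(12)}",
            client=client,
            username=f"v-{client}-{secrets.token_hex(4)}",   # one username per lease
            password=secrets.token_urlsafe(24),
            expires_at=now + self.ttl,
            max_expires_at=now + self.max_ttl,
        )
        self.leases[lease.lease_id] = lease
        self.lease_by_username[lease.username] = lease.lease_id
        return lease

    def is_valid(self, username: str, password: str, now: float) -> bool:
        """What the backing database would check on connect."""
        lease_id = self.lease_by_username.get(username)
        if lease_id is None:
            return False
        lease = self.leases[lease_id]
        return (not lease.revoked and now < lease.expires_at
                and secrets.compare_digest(lease.password, password))

    def renew(self, lease_id: str, increment: float, now: float) -> Optional[float]:
        """Extend a live lease by `increment` seconds, never past max_ttl.
        Returns the new expiry, or None when the lease is gone and the client
        has to request a fresh credential instead."""
        lease = self.leases.get(lease_id)
        if lease is None or lease.revoked or now >= lease.expires_at:
            return None
        lease.expires_at = min(now + increment, lease.max_expires_at)
        return lease.expires_at

    def revoke(self, lease_id: str) -> None:
        """Kill one client's credential; every other client keeps working."""
        self.leases[lease_id].revoked = True

    def attribute(self, leaked_username: str) -> Optional[str]:
        """A username seen in a log line or DB dump maps back to exactly one client."""
        lease_id = self.lease_by_username.get(leaked_username)
        return self.leases[lease_id].client if lease_id else None

    def renew_expiring(self, now: float, horizon: float) -> List[str]:
        """Cron-style sweep: renew every live lease due to expire within `horizon`."""
        due = [lease for lease in self.leases.values()
               if not lease.revoked and now < lease.expires_at <= now + horizon]
        return [lease.lease_id for lease in due
                if self.renew(lease.lease_id, self.ttl, now) is not None]


def demo() -> dict:
    engine = DynamicSecretEngine(ttl=3600, max_ttl=4 * 3600)
    web1, web2 = engine.issue("web-1", now=0), engine.issue("web-2", now=0)
    out = {"unique": web1.username != web2.username and web1.password != web2.password}
    # t=3300: cron sees both leases expiring within 10 minutes and renews them
    out["cron_renewed"] = len(engine.renew_expiring(now=3300, horizon=600))
    # t=6000: a greedy renewal request is capped at the 4h max_ttl
    out["capped_at"] = engine.renew(web1.lease_id, increment=99999, now=6000)
    # a constructed log line leaks web-2's username: attribute it, revoke only that lease
    leaked = f"[mysql] Access granted for user '{web2.username}'@'10.0.0.7'"
    out["breached_client"] = engine.attribute(leaked.split("'")[1])
    engine.revoke(web2.lease_id)
    out["web2_valid"] = engine.is_valid(web2.username, web2.password, now=6100)
    out["web1_valid"] = engine.is_valid(web1.username, web1.password, now=6100)
    out["renew_after_revoke"] = engine.renew(web2.lease_id, increment=3600, now=6100)
    return out


if __name__ == "__main__":
    print(demo())
```

The two details worth carrying over to a real deployment are in renew(): a renewal that arrives after expiry gets nothing (so the cron horizon has to be comfortably shorter than the TTL), and the ceiling is max_ttl from issue time, after which the application must fetch a brand-new credential rather than keep renewing.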

Slide 19

The Encryption Problem
or: Cryptography is hard

Slide 20

The Encryption Problem
Cryptography is easy to get wrong, and a single mistake (a reused nonce, an unauthenticated mode, a key committed to source control) silently voids the guarantees it was meant to provide. Key lifecycle management (generation, rotation, retirement) is harder still.

Slide 21

Encrypt-as-a-Service

Slide 22

Encrypt as a Service
Create named keys.

Slide 23

Encrypt as a Service
High-level APIs for cryptographic functions.

Slide 24

Encrypt as a Service
High-level APIs for cryptographic functions. (continued)

Slide 25

Encrypt as a Service
High-level APIs for key lifecycle management.
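
An added example for slides 22 to 25, not Vault's code and not the encrypt_vault_transit module: a Python model of one transit named key, showing the `vault:v<N>:` ciphertext prefix, rotate, rewrap and min_decryption_version, which together are the "key lifecycle" part the slide refers to. The primitive is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag under derived subkeys, standing in for Vault's AES-256-GCM so the block needs only the standard library; the key name `drupal-field-data` and the sample record are assumptions.

```python
"""Model of Vault transit semantics: a named key with a versioned key ring,
ciphertext tagged `vault:v<N>:`, rotation, rewrap and min_decryption_version.
Added example for this deck, not Vault's code. The cipher (HMAC-SHA256
counter-mode keystream + encrypt-then-MAC under derived subkeys) stands in
for Vault's AES-256-GCM so the block runs on the standard library alone."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict

NONCE_LEN, TAG_LEN = 12, 32


def _subkey(master: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from one version's master material."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


class TransitKey:
    """One named key as the transit engine sees it: versions, latest, min_decryption_version."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.versions: Dict[int, bytes] = {1: secrets.token_bytes(32)}
        self.latest = 1
        self.min_decryption_version = 1

    def rotate(self) -> int:
        """New material becomes the latest version; older versions stay for decryption."""
        self.latest += 1
        self.versions[self.latest] = secrets.token_bytes(32)
        return self.latest

    def encrypt(self, plaintext: bytes) -> str:
        master = self.versions[self.latest]
        nonce = secrets.token_bytes(NONCE_LEN)
        ks = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
        body = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(_subkey(master, b"mac"), nonce + body, hashlib.sha256).digest()
        return f"vault:v{self.latest}:" + base64.b64encode(nonce + body + tag).decode()

    def decrypt(self, ciphertext: str) -> bytes:
        prefix, ver, blob = ciphertext.split(":", 2)
        if prefix != "vault" or not ver.startswith("v"):
            raise ValueError("not a transit ciphertext")
        version = int(ver[1:])
        if version < self.min_decryption_version:
            raise PermissionError(f"v{version} is below min_decryption_version")
        master = self.versions[version]          # KeyError for a version that never existed
        raw = base64.b64decode(blob)
        nonce, body, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(_subkey(master, b"mac"), nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("ciphertext failed authentication")
        ks = _keystream(_subkey(master, b"enc"), nonce, len(body))
        return bytes(c ^ k for c, k in zip(body, ks))

    def rewrap(self, ciphertext: str) -> str:
        """Move ciphertext to the latest version; plaintext never leaves the engine."""
        return self.encrypt(self.decrypt(ciphertext))


def demo() -> dict:
    key = TransitKey("drupal-field-data")            # key name is an assumption
    secret = b"4111 1111 1111 1111"                  # constructed sample record
    ct_v1 = key.encrypt(secret)
    key.rotate()
    out = {"v1_prefix": ct_v1.startswith("vault:v1:"),
           "v2_prefix": key.encrypt(b"new record").startswith("vault:v2:"),
           "old_still_decrypts": key.decrypt(ct_v1) == secret}
    ct_v2 = key.rewrap(ct_v1)                        # what a batch rewrap job does after rotation
    out["rewrapped_prefix"] = ct_v2.startswith("vault:v2:")
    key.min_decryption_version = 2                   # retire v1 once everything is rewrapped
    try:
        key.decrypt(ct_v1)
        out["v1_blocked"] = False
    except PermissionError:
        out["v1_blocked"] = True
    out["rewrapped_ok"] = key.decrypt(ct_v2) == secret
    raw = bytearray(base64.b64decode(ct_v2.split(":", 2)[2]))
    raw[NONCE_LEN] ^= 0x01                           # flip one ciphertext bit
    try:
        key.decrypt("vault:v2:" + base64.b64encode(bytes(raw)).decode())
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The order of operations in demo() is the one to keep: rotate, rewrap everything still tagged with the old version, and only then raise min_decryption_version, otherwise rows that were never rewrapped become unreadable. The version prefix on every ciphertext is what makes that audit possible without decrypting anything.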

Slide 26

Secret Management
Dynamic Secrets
Encrypt-as-a-Service

Slide 27

Vault Architecture

Slide 28

Vault Architecture - Core
● Manages the lifecycle of tokens and leases.
● Routes each request to the right backend and enforces policy before it is handled.

Slide 29

Vault Architecture - Authentication
Auth methods let clients prove who they are using an identity from another system (the deck later covers Token, AppRole and TLS) and hand back a Vault token scoped by policy.

Slide 30

Vault Architecture - Audit
● Logs a request / response trail.
● Who has done what.
Sensitive values in the trail are HMAC-SHA256 hashed rather than written in clear, and Vault refuses to serve a request it cannot record on at least one enabled audit device.

Slide 31

Vault Architecture - Storage
● Stores data encrypted at rest; the storage backend never sees plaintext.
● Highly Available.
● Durable.

Slide 32

Vault Architecture - Secret Engines
Pluggable components that store, generate or encrypt data: key/value, dynamic cloud credentials, transit encryption and so on.

Slide 33

Drupal Integration

Slide 34

Vault Architecture - Drupal Integration
On the Vault side: Core, Authentication, Secret Engines.
On the Drupal side: Authentication Provider Plugins, the Vault Client service, and Lease Maintenance.
● Key integration
● Encrypt integration

Slide 35

drupal.org/project/vault

Slide 36

Drupal Integration - Current State
Authentication Providers
● Token - drupal.org/project/vault_auth_token

Slide 37

Drupal Integration - Current State
Secret Engines
● Key/Value - drupal.org/project/vault_key_kv
● AWS - drupal.org/project/vault_key_aws

Slide 38

Drupal Integration - Current State
Encrypt-as-a-Service
● Transit Encryption - drupal.org/project/encrypt_vault_transit

Slide 39

Drupal Integration - Current State
Planned
● AppRole Authentication
● TLS Authentication
● TOTP Provider for TFA - drupal.org/project/tfa

Slide 40

Drupal Integration - Design Goals
✔ Modular - Each module provides a single function.
✔ Auditable - Simple implementation for easy code review.
✔ Simple - The Vault module is only responsible for:
  1. A plugin manager for authentication providers.
  2. Exposing the authenticated client as a service.
  3. Maintaining leases (via cron).

Slide 41

Drupal Integration - not Design Goals
✗ Provide a management layer for Vault.
✗ Mitigate bad/insecure Vault configuration.
✗ Support dynamic database credentials.

Slide 42

Demo!

Slides 43-45

(Demo screenshots; no slide text.)

Slide 46

Follow-up issue: drupal.org/node/2972436
Ability to map specific values from multi-value keys to config overrides

Slide 47

Thank you!
@nicksanta
github.com/nicksantamaria
drupal.org/user/87915
Session Feedback