Introducing Vault

Transcript

1. Confidential Customized for Lorem Ipsum LLC Version 1.0 Introducing Vault

   Ramit Surana

2. Confidential Customized for Lorem Ipsum LLC Version 1.0 TOC Overview

   What is Vault ? Vault Architecture Features Shamir’s Algorithm Read/Write Token Read/Write Multiple Values Audit Database Read Format Vault UI Commands Installation SSH Policies Telemetry Transit Vault Plugins GitHub Authentication AWS Authentication Policies Storage Backend Community Use Cases

3. Overview • Vault is a simple tool to secure your

   credentials and authentication of your organization. • It encrypts & provides access to any secrets. • Every secret is associated with a lease. Clients have to renew there secret within the lease period. • A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more.

4. Features 1 Secure Secret Storage: Arbitrary key/value secrets can be

   stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access your secrets. Vault can write to disk, Consul, and more. 2 Dynamic Secrets: Vault can generate secrets on-demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up. 3 Leasing and Renewal: All secrets in Vault have a lease associated with it. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in renew APIs. 4 Revocation: Vault has built-in support for secret revocation. Vault can revoke not only single secrets, but a tree of secrets, for example all secrets read by a specific user, or all secrets of a particular type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.

5. Commands • Init - Initialize a new Vault server •

   List - List data or secrets in Vault • Token-create - Create a new auth token • Mounts - Lists mounted backends in Vault • Policies - List the policies on the server • Audit - Lists enabled audit backends in Vault • Ssh - Initiate an SSH session • Rotate - Rotates the backend encryption key used to persist data • Unseal/Seal - Unseal/Seal Vault

6. Vault Use Case Overview Vault 3 rd Party Tools SSH

   Transit (Encrypt/Decrypt) Database Audit Vault

7. How does Vault Work ?

8. High level Architecture Overview

9. Installation 01 Download the binary from https://www.vaultproject.io/downloads.html $ chmod +x

   vault $ mv vault /usr/local/bin/ $ export VAULT_ADDR='http://127.0.0.1:8200'

10. Shamir's Algorithm 02 • Basically a form of secret sharing,

    where a secret is divided into parts, giving each participant its own unique part, where some of the parts or all of them are needed in order to reconstruct the secret. • Threshold is the number of shares you need at least in order to recover your secret. You can restore your secret only when you have more than or equal to the number of threshold. • For Vault, we split the master key into 5 shares, any 3 of which are required to reconstruct the master key. • For more Info: http://kimh.github.io/blog/en/security/protect-your-sec ret-key-with-shamirs-secret-sharing/

11. Read/Write Token 03 • Store Ramit’s (User) password under the

    secret/ path prefix: $ vault write secret/ramit value=SuperSecretPassword • Store Ramit (User) password and token: $ vault write secret/ramit value=SuperSecretPassword token=ABCDE12345 • Read Secret for a particular user: $ vault read secret/ramit • Read in a particular Format: $ vault read --format=json secret/ramit (Other format include table, yaml )

12. Read/Write Multiple Token & Password 04 • Store multiple values

    for any user : $ vault write secret/password @data.json • Read Secret of a user: $ vault read secret/ramit { "key": "ramit5", "value": "itsasecret1"}

13. Vault Audit Mechanism 05 • Enable vault audit backend :

    $ vault audit-enable file file_path=/var/log/vault_audit.log • Check the log file using: $ sudo cat /var/log/vault_audit.log • Any number of file audit logs can be created by enabling it with different paths. $ vault audit-enable -path="vault_audit_1" file file_path=/home/user/vault_audit.log • Can also enable syslog, socket: $ vault audit-enable syslog $ vault audit-enable socket $ vault audit-enable socket address="127.0.0.1:9090" socket_type="tcp"

14. Vault SSH OTP Usage 06 • Mount ssh at vault

    $ vault mount ssh • Writing SSH Role with User and CIDR $ vault write ssh/roles/otp_key_role \ key_type=otp \ default_user=ramit \ cidr_list=192.168.x.x/y • Configure sshd daemon in pam: $ vim /etc/pam.d/sshd

15. Vault SSH OTP Usage • Edit/Add the following lines in

    the sshd file: @include common-auth auth requisite pam_exec.so quiet expose_authtok log=/tmp/vault-ssh.log /opt/vault-ssh-helper -config=/opt/config.hcl -dev auth optional pam_unix.so not_set_pass use_first_pass nodelay • Edit the /etc/ssh/sshd_config PasswordAuthentication no ChallengeResponseAuthentication yes UsePAM yes • Restart ssh: $ sudo service sshd restart • List all users in secret: $ vault write ssh/creds/otp_key_role ip=192.168.x.x • Try using ssh with otp from the above output: $ ssh [email protected]

16. Vault Database 07 • Mount MySQL Database $ vault mount

    database • Vault Configure MySQL Connection: $ vault write database/config/mysql plugin_name=mysql-database-plugin connection_url="root:<YOUR-DB_PASSWORD>@tcp(127.0.0.1:3306)/" allowed_roles="readonly" • Add a role: $ vault write database/roles/readonly db_name=mysql creation_statements ="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON *.* TO '{{name}}'@'%';" default_ttl="1h" max_ttl="24h" • Read the credentials: $ vault read mysql1/creds/readonly • mysql-database-plugin • mysql-aurora-database-plugin • mysql-rds-database-plugin • Mysql-legacy-database-plugin • postgresql-database-plugin • Mssql-database-plugin • cassandra-database-plugin • vault-plugin-database-oracle • hana-database-plugin • mongodb-database-plugin

17. Vault Database • From the output of above command use

    $ sudo mysql -u v-root-readonly-wp7sx5737ry347x1 -pA1a-7q7yxq902pwtyu89

18. Vault General Token Operations • Generate Token : $ vault

    read --format=json secret/ramit • Vault authentication : $ vault auth 8c40f7b4-1380-8a33-8d3b-5efd2dddfe51 • Vault Revoke Token: $ vault token-revoke fe118e23-6957-fb4e-ab36-8655244851e5

19. Vault UI • Built using external projects by community. •

    Can be run via Docker • $ sudo docker run -d -p 8000:8000 --name vault-ui djenriquez/vault-ui

20. Vault Policies • List all Policies on Vault: $ vault

    policies • Implementing (acl.hcl) on vault with name (secret): $ vault policy-write secret acl.hcl • Validate if the policy is implemented: $ vault policies • Delete Policy in Vault: $ vault policy-delete secret • Create a new token using a particular policy: $ vault token-create -policy="secret" path "sys" { policy = "deny" } path "secret" { policy = "write" } path "secret/foo" { policy = "read" }

21. Vault Telemetry • Vault agent collects various runtime metrics about

    the performance of different libraries and subsystems. • These metrics are aggregated on a 10 second interval and are retained for 1 minute. • You'll note that log entries are prefixed with the metric type as follows: [C] is a counter [G] is a gauge [S] is a summary • For more info: https://www.vaultproject.io/docs/internals/telemetry.html

22. Vault Transit Encryption • It handles cryptographic functions on data

    in-transit. • It encrypts data from applications while still storing that encrypted data in some primary data store. • It can also sign and verify data; generate hashes and HMACs of data; and act as a source of random bytes. • It allows the same key to be used for multiple purposes by deriving a new key based on a user-supplied context value. • Mount transit on vault $ vault mount transit • create a named encryption key: $ vault write -f transit/keys/foo • Validate the key foo $ vault read transit/keys/foo

23. Vault Transit Decryption • Encrypt the Plain text (the quick

    brown fox) echo -n "the quick brown fox" | base64 | vault write transit/encrypt/foo plaintext=- • Decrypt $ vault write transit/decrypt/foo ciphertext=vault:v1:czEwyKqGZY/limnuzDCUUe5AK0tbBObWqeZgFqxCuIqq7A84SeiOq3sKD0Y/KUvv $ echo "dGhlIHF1aWNrIGJyb3duIGZveAo=" | base64 -d

24. Vault Token • Generate Token : $ vault token-create •

    Vault authentication : $ vault auth 8c40f7b4-1380-8a33-8d3b-5efd2dddfe51 • Vault Revoke Token: $ vault token-revoke fe118e23-6957-fb4e-ab36-8655244851e5

25. Vault Plugins Vault supports a number of different plugins such

    as: • AppRole • AWS • Google Cloud • Kubernetes • GitHub • LDAP • MFA • Okta • RADIUS • TLS Certificates • Tokens • Username & Password

26. Github Authentication • Vault Auth Github: $ vault auth-enable github

    • Vault Write GitHub Creds: $ vault write auth/github/config • With Root $ vault write auth/github/map/teams/default value=root • Revoke all Github tokens $ vault token-revoke -mode=path auth/github • Disable Github from Vault $ vault auth-disable github

27. AWS Dynamic Authentication • Mount AWS on Vault: $ vault

    mount aws • Vault Write AWS Creds: $ vault write aws/config/root access_key=ABCDE1234 secret_key=1234ABCDE • Using IAM Policy in JSON Format with policy.json : $ vault write aws/roles/deploy [email protected] • Read & Verify the AWS tokens in Vault: $ vault read aws/creds/deploy • Using lease_id parameter from above in the above command: $ vault revoke <aws/creds/deploy/185e6910-6d36-e9a6-33b3-fc8dcfd4e97c> → lease_id { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1426528957000", "Effect": "Allow", "Action": [ "ec2:*" ], "Resource": [ "*" ] } ] }

28. Vault Storage Backend • Store multiple values for any user

    : $ vim vault-config.hcl listener "tcp" { address = "0.0.0.0:8200" tls_cert_file="/home/ec2-user/.ssl/server.crt" tls_key_file="/home/ec2-user/.ssl/server.key" } backend "s3" { bucket = "foldername" access_key = "xxxxxxxxxxxx" secret_key= "xxxxxxxxxxxxxxxxxxxxxxx" } disable_mlock=true • Read in a particular Format: $ vault read --format=json secret/ramit (Other format include table, yaml ) • S3 • Dynamodb • Azure • CouchDB • CockroachDB • Etcd • Google Cloud • Swift • Zookeeper • MySQL • FileSystem • PostgreSQL

29. Supervisor • Store multiple values for any user : $

    sudo apt-get install supervisor -y • Config File: $ vim /etc/supervisor/supervisord.conf • List all users in secret: $ [unix_http_server]` - change `;chmod=0700` to `chmod=0766` - add the following: `[program:vault]` - add `command=vault server -config=/home/ec2-user/vault-config.hcl` - add `user=ec2-user` - add `environment=AWS_ACCESS_KEY_ID="<your_access_key_id",AWS_SECRET_ACCESS_KEY="<your_secret_access_key>"` • Read in a particular Format: $ sudo touch /etc/init.d/supervisord

30. Supervisor • Add Supervisord with chkconfig : $ sudo chkconfig

    --add supervisord • Start Service with supervisord sudo service supervisord start supervisorctl • For more info on supervisor: https://serversforhackers.com/c/monitoring-processes-with-supervisord

31. Generating a Self Signed Certificate • SSL uses asymmetric cryptography,

    commonly referred to as public key cryptography (PKI). • With public key cryptography, two keys are created, one public, one private. Anything encrypted with either key can only be decrypted with its corresponding key. • Thus if a message or data stream were encrypted with the server's private key, it can be decrypted only using its corresponding public key, ensuring that the data only could have come from the server. • Openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request). It can also be used to generate self-signed certificates which can be used for testing purposes or internal usage. • Make a Directory $ mkdir .ssl && cd .ssl • Generate a private key with a password, 1024 bit encrypted $ openssl genrsa -des3 -out server.key 1024 • Generate a CSR (Certificate Signing Request) $ openssl req -new -key server.key -out server.csr

32. Generating a Self Signed Certificate (Part 2) • Remove passphrase

    from the key $ cp server.key server.key.org $ openssl rsa -in server.key.org -out server.key • Generate a Self-Signed Certificate $ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt • Remove Old directory $ rm server.key.org && cd

33. Community Facts Find more at https://github.com/hashicorp/vault/ Contributors 384+ Commits 6K+

    Releases 46

34. Thank you :)