Introduction to Vault

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Vault presents a unified API to access multiple backends: HSMs, AWS IAM, SQL databases, raw key/value, and more.

This talk covers the design of Vault and gives a brief tutorial.

Seth Vargo

May 20, 2015

Transcript

  1. VAULT
    MODERN SECRETS MANAGEMENT

  2. SECRET MANAGEMENT

  3. WHAT IS A SECRET?
    Security-sensitive information
    Personally-identifiable information (PII)
    DB User/Pass, AWS IAM Credentials, SSL Keys, Encryption Keys
    Anything that would make the news

  4. HOW DO I DISTRIBUTE SECRETS?
    How do applications get secrets?
    How do operators get secrets?
    How do secrets get updated?
    How do secrets get revoked?

  5. secure  master cat main.go
    package main

    const (
        mysqlUser = "root"
        mysqlPass = "s3(Ret"
    )

  6. secure  master cat config.json
    {
      "mysql_user": "root",
      "mysql_pass": "s3(Ret"
    }

  7. WHY NOT CONFIG MANAGEMENT?
    Centrally stored
    Eventually consistent
    No access control
    No auditing
    No revocation

  8. WHY NOT (ONLINE) DATABASES?
    RDBMS, Consul, ZooKeeper, etc.
    Not designed for secrets
    Limited access controls
    Plaintext Storage
    No Auditing, Revocation

  9. OPERATOR ACCESS
    Separate from application access
    Dropbox, Wiki, sneaker web
    Zero visibility or control

  10. SECRET SPRAWL
    Secret material is distributed
    Who has access?
    When were secrets used?
    What is the attack surface?
    What do we do in the event of a compromise?

  11. “BREAK GLASS” PROCEDURE
    Access Revocation
    Key Rolling
    Audit Trails

  12. STATE OF THE WORLD
    Secret Sprawl
    Decentralized Keys
    Limited Visibility
    Poorly defined “break glass” procedures

  13. SECRET MANAGEMENT 2.0

  14. VAULT
    MODERN SECRETS MANAGEMENT

  15. VAULT GOALS
    Single source for Secrets
    Programmatic Application Access (Automated)
    Operator Access (Manual)
    Practical Security
    Modern Data Center Friendly

  16. VAULT FEATURES
    Secure Secret Storage (in-memory, Consul, file, and more)
    Dynamic Secrets
    Leasing, Renewal, and Revocation
    Auditing
    Rich ACLs
    Multiple Client Authentication Methods

  17. SECURE SECRET STORAGE
    Data is encrypted in transit and at rest
    256-bit AES in GCM mode
    TLS 1.2 for clients
    No HSM required

  18. secure  master vault write secret/foo bar=bacon
    Success! Data written to: secret/foo

  19. secure  master vault read secret/foo
    Key              Value
    lease_id         secret/foo/2a798f6f-00da-8d48-659a-ef1c969f23ed
    lease_duration   2592000
    lease_renewable  false
    bar              bacon

  20. DYNAMIC SECRETS
    Never provide “root” credentials to clients
    Provide limited access credentials based on role
    Generated on demand when requested
    Leases are enforceable via revocation
    Audit trail can identify point of compromise

  21. secure  master vault mount postgresql
    Successfully mounted 'postgresql' at 'postgresql'!

  22. secure  master vault help postgresql
    ## DESCRIPTION
    The PostgreSQL backend dynamically generates database users.
    After mounting this backend, configure it using the endpoints within
    the "config/" path.
    ## PATHS
    The following paths are supported by this backend. To view help for
    any of the paths below, use the help command with any route matching
    the path pattern. Note that depending on the policy of your auth token,

  23. secure  master vault write postgresql/config/connection \
        value="user=hashicorp password=hashicorp database=hashicorp"
    Success! Data written to: postgresql/config/connection

  24. secure  master vault write postgresql/roles/production name=production
    Success! Data written to: postgresql/roles/production

  25. secure  master vault read postgresql/creds/production
    Key              Value
    lease_id         postgresql/creds/production/2d483e34-2d82-476...
    lease_duration   3600
    lease_renewable  true
    password         80e6ffa5-d6e9-beb1-e630-9af0c41299bb
    username         vault-root-1432058168-8081

  26. secure  master vault read postgresql/creds/production
    Key              Value
    lease_id         postgresql/creds/production/a99b952e-222c-6eb...
    lease_duration   3600
    lease_renewable  true
    username         vault-root-1432058254-7887
    password         17a21ba7-8726-97e4-2088-80b7a756702b

  27. DYNAMIC SECRETS
    Pluggable Backends
    AWS, Consul, PostgreSQL, MySQL, Transit, Generic
    Grow support over time

  28. LEASING, RENEWAL, AND REVOCATION
    Every Secret has a Lease*
    Secrets are revoked at the end of the lease unless renewed
    Secrets may be revoked early by operators
    “Break Glass” procedure
    Dynamic Secrets make leases enforceable
    Not possible for arbitrary secrets
    Not possible for transit backend

  29. AUDITING
    Pluggable Audit Backends
    Request and Response Logging
    Prioritizes Safety over Availability
    Secrets Hashed in Audits
    Searchable, but not reversible
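
The "hashed, searchable, not reversible" audit property of this slide, as an added example that is not from the deck: every secret value (and the client token) is replaced in the log line by a keyed HMAC-SHA256 under a per-audit-backend salt, so an operator who already knows a value can grep for its hash while the log itself reveals nothing. The salt, the log layout and the `hmac-sha256:` prefix are this example's own choices, and the sample log lines are constructed from the deck's `vault write secret/foo` and `vault read postgresql/creds/production` slides.

```python
import hashlib
import hmac
import json

# Constructed per-audit-backend salt. A real deployment generates this once and keeps it with the
# audit backend: stable across lines (so hashes are searchable), useless to anyone without it.
AUDIT_SALT = b"constructed-demo-salt-not-for-real-use"


def hash_secret(value: str, salt: bytes = AUDIT_SALT) -> str:
    """Keyed one-way hash of a secret value; the prefix records the algorithm used."""
    return "hmac-sha256:" + hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()


def redact(obj, salt: bytes = AUDIT_SALT):
    """Replace every string leaf of a request/response body by its hash; keys and structure stay."""
    if isinstance(obj, dict):
        return {k: redact(v, salt) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v, salt) for v in obj]
    if isinstance(obj, str):
        return hash_secret(obj, salt)
    return obj


def audit_line(kind: str, path: str, client_token: str, data: dict, salt: bytes = AUDIT_SALT) -> str:
    """One JSON log line: operation and path in the clear, token and secret material hashed."""
    entry = {"type": kind, "path": path,
             "client_token": hash_secret(client_token, salt), "data": redact(data, salt)}
    return json.dumps(entry, sort_keys=True)


def search_log(lines, value: str, salt: bytes = AUDIT_SALT) -> list:
    """Which requests touched a known secret? Hash the candidate and match it against the log."""
    needle = hash_secret(value, salt)
    return [json.loads(line) for line in lines if needle in line]


def demo_log() -> list:
    """Constructed sample log built from the deck's `vault write` and `vault read` slides."""
    token = "constructed-client-token"
    return [
        audit_line("request", "secret/foo", token, {"bar": "bacon"}),
        audit_line("response", "postgresql/creds/production", token,
                   {"username": "vault-root-1432058168-8081",
                    "password": "80e6ffa5-d6e9-beb1-e630-9af0c41299bb", "lease_duration": 3600}),
    ]
```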

  30. RICH ACLS
    Role Based Policies
    Restrict access to “need to know”
    Default Deny, must be explicitly allowed
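
A small model of the default-deny, need-to-know policy evaluation this slide describes, added here as an example rather than taken from the deck or from Vault's own policy engine: a token carries one or more policies, each a map of path patterns to a capability, the most specific matching rule wins, and a path with no rule at all is denied. The capability names, the prefix-glob syntax, the "more restrictive wins on a tie" rule and the sample policies are this example's own assumptions.

```python
# Capability ranks for the model: "deny" always wins on a match, "sudo" implies every other capability.
RANK = {"deny": 0, "read": 1, "write": 2, "sudo": 3}
# Minimum capability each operation needs.
NEEDS = {"read": "read", "write": "write", "delete": "write"}


def rule_matches(pattern: str, path: str) -> bool:
    """A pattern ending in '*' covers the whole prefix; anything else must equal the path exactly."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def capability(policies: list, path: str) -> str:
    """Resolve the capability a token holds on `path` from all policies attached to it.

    The longest matching pattern is the most specific and wins; equally specific rules resolve to
    the more restrictive one; no matching rule at all means deny (nothing is implicitly allowed).
    """
    best_len, best_cap = -1, "deny"
    for rules in policies:
        for pattern, cap in rules.items():
            if not rule_matches(pattern, path):
                continue
            if len(pattern) > best_len or (len(pattern) == best_len and RANK[cap] < RANK[best_cap]):
                best_len, best_cap = len(pattern), cap
    return best_cap


def allowed(policies: list, operation: str, path: str) -> bool:
    """Default deny: the request passes only if an explicit rule grants at least the needed capability."""
    cap = capability(policies, path)
    return cap != "deny" and RANK[cap] >= RANK[NEEDS[operation]]


# Constructed policies: the production app reads only its own credentials and config subtree; an
# operator manages secret/ except the HR subtree and administers sys/; other backends grant nothing.
APP_POLICY = {"postgresql/creds/production": "read", "secret/app/*": "read"}
OPERATOR_POLICY = {"secret/*": "write", "secret/hr/*": "deny", "sys/*": "sudo"}
```

Note that a token holding both policies gets only `read` on `secret/app/db`: the app's more specific `secret/app/*` rule outranks the operator's broader `secret/*` grant.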

  31. FLEXIBLE AUTH
    Pluggable Backends
    Tokens, GitHub, AppID, User/Pass, TLS Certs
    Machine-Oriented vs Operator-Oriented

  32. HIGH AVAILABILITY
    Consul used for leader election
    Active/Standby
    Automatic failover

  33. UNSEALING THE VAULT
    Data in Vault encrypted
    Vault requires encryption key
    Must be provided online

  34. secure  master vault status
    Sealed: true
    Key Shares: 10
    Key Threshold: 7
    Unseal Progress: 6
    High-Availability Enabled: false

  35. secure  master vault unseal
    Key (will be hidden):

  36. secure  master vault unseal
    Key (will be hidden):
    Sealed: false
    Key Shares: 10
    Key Threshold: 7
    Unseal Progress: 0

  37. WATCHING THE WATCHMEN
    Master Key is the “key to the kingdom”
    All data could be decrypted
    Protect against insider attack
    Two-Man Rule

  38. SHAMIR SECRET SHARING
    Protect Encryption Key with Master Key
    Split Master Key into N shares
    T shares to recompute Master
    Quorum of key holders required to unseal
    Default N:5, T:3
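
The unseal mechanism of slides 33 to 38 as working code, added here as an example (not from the deck): a master key is split into N shares with threshold T, and the unseal flow of the `vault status` / `vault unseal` slides accepts shares one at a time until the quorum is reached and the key exists in memory. The arithmetic here is over a prime field for readability, whereas Vault's own implementation works byte by byte over GF(2^8); the threshold property shown is the same, and the class, field and key values are this example's assumptions.

```python
import secrets

# Arithmetic is done in GF(p) for a Mersenne prime p, so a 128-bit master key is one field element.
PRIME = 2**127 - 1

def split_secret(secret: int, n: int = 5, t: int = 3) -> list:
    """Split `secret` into n shares so that any t of them recover it (the slide's default: N=5, T=3)."""
    if not 0 <= secret < PRIME or not 1 <= t <= n:
        raise ValueError("secret must be a field element and 1 <= t <= n")
    # Random polynomial of degree t-1 whose constant term is the secret; share i is its value at x=i.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares

def combine_shares(shares) -> int:
    """Lagrange interpolation at x=0. Fewer than t shares give a uniformly random wrong value, not a hint."""
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

class SealedVault:
    """Models the `vault status` / `vault unseal` slides: shares are supplied one at a time until quorum."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.pending = {}       # share index -> share value, supplied so far
        self.master_key = None  # reconstructed in memory only once the quorum is met

    def status(self) -> dict:
        sealed = self.master_key is None
        return {"sealed": sealed, "key_threshold": self.threshold,
                "unseal_progress": len(self.pending) if sealed else 0}

    def unseal(self, share: tuple) -> dict:
        self.pending[share[0]] = share[1]  # re-supplying the same share does not advance progress
        if len(self.pending) >= self.threshold:
            self.master_key = combine_shares(list(self.pending.items()))
            self.pending.clear()
        return self.status()
```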

  39. SUMMARY
    Solves the “Secret Sprawl Problem”
    Protects against external threats (Cryptosystem)
    Protects against internal threats (ACLs and Secret Sharing)

  40. BUILDING ON VAULT

  41. SECURITY FOUNDATION
    Base of Trust
    Core Infrastructure
    Flexible Architecture
    Foundation for Security Infrastructure

  42. PERSONALLY IDENTIFIABLE INFORMATION
    PII is everywhere
    SSN, CC#, OAuth Tokens, etc.
    Email? Physical address?
    Security of storage?
    Scalability of storage?
    Auditability of access?

  43. PII WITH VAULT
    “transit” backend in Vault
    Encrypt/Decrypt data in transit
    Avoid secret management in client applications
    Builds on Vault foundation

  44. TRANSIT BACKEND
    Web server has no encryption keys
    Requires two-factor compromise (Vault + Datastore)
    Decouples storage from encryption and access control

  45. FUTURE: CERTIFICATE AUTHORITY
    Vault acts as Internal CA
    Vault stores root CA keys
    Dynamic Secrets - Generates signed TLS keys
    No more tears

  46. FUTURE: MUTUAL TLS FOR SERVICES
    Dynamic CA allows all services to generate keys
    All internal service communication can use mutual TLS
    End-to-End encryption inside the datacenter

  47. SECURITY FOUNDATION
    Early days of Vault
    “transit” backend shows clever uses of primitives
    Certificate Authority extends use cases, reduces moving pieces

  48. VAULT IN PRACTICE

  49. USING VAULT
    API Driven
    JSON/HTTPS
    Rich CLI for humans and scripts
    Rich Client libraries

  50. APPLICATION INTEGRATION
    Vault-aware
    Native Client libraries
    Secrets only in-memory
    Safest but high-touch

  51. CONSUL TEMPLATE INTEGRATION
    Secrets templatized into application configuration
    Vault is transparent
    Lease management is automatic
    Non-secret configuration still via Consul

  52. secure  master cat secrets.yml.ctmpl
    {{ with $secret := vault "postgresql/creds/production" }}
    ---
    production:
      adapter: postgresql
      database: postgres.service.consul
      username: {{$secret.Data.username}}
      password: {{$secret.Data.password}}
      pool: {{key "production/postgres/pool"}}
    {{ end }}

  53. APPLICATION INTEGRATION
    Future: envconsul
    Vault oblivious, read environment variables
    Future: KeyWhiz-style FUSE FS
    Vault oblivious, Read “files”, in-memory only

  54. QUICK RECAP

  55. VAULT
    Secrets Management Modernized
    Fixes the Secret Sprawl Problem
    Easy to Integrate
    Small and lightweight (15MB)
    Provides Security Foundation

  56. VAULT ROADMAP
    Planned external code audit by security research firm
    Integrate across HashiCorp tools
    Tame the Modern Datacenter

  57. THANK YOU!
    QUESTIONS?
    hashicorp/vault
    https://vaultproject.io
    [email protected]
