Introduction to Vault

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Vault presents a unified API to access multiple backends: HSMs, AWS IAM, SQL databases, raw key/value, and more.

This talk covers the design of Vault and gives a brief tutorial.

Seth Vargo

May 20, 2015
Transcript

  1. VAULT
    MODERN SECRETS MANAGEMENT

  2. SECRET MANAGEMENT

  3. WHAT IS A SECRET?
    Security-sensitive information
    Personally-identifiable information (PII)
    DB User/Pass, AWS IAM Credentials, SSL Keys, Encryption Keys
    Anything that would make the news

  4. HOW DO I DISTRIBUTE SECRETS?
    How do applications get secrets?
    How do operators get secrets?
    How do secrets get updated?
    How do secrets get revoked?

  5. secure  master cat main.go
    package main
    const (
        mysqlUser = "root"
        mysqlPass = "s3(Ret"
    )

  6. secure  master cat config.json
    {
      "mysql_user": "root",
      "mysql_pass": "s3(Ret"
    }

  7. WHY NOT CONFIG MANAGEMENT?
    Centrally stored
    Eventually consistent
    No access control
    No auditing
    No revocation

  8. WHY NOT (ONLINE) DATABASES?
    RDBMS, Consul, ZooKeeper, etc
    Not designed for secrets
    Limited access controls
    Plaintext Storage
    No Auditing, Revocation

  9. OPERATOR ACCESS
    Separate from application access
    Dropbox, Wiki, sneaker web
    Zero visibility or control

  10. SECRET SPRAWL
    Secret material is distributed
    Who has access?
    When were secrets used?
    What is the attack surface?
    What do we do in the event of a compromise?

  12. “BREAK GLASS” PROCEDURE
    Access Revocation
    Key Rolling
    Audit Trails

  13. STATE OF THE WORLD
    Secret Sprawl
    Decentralized Keys
    Limited Visibility
    Poorly defined “break glass” procedures

  14. SECRET MANAGEMENT 2.0

  15. VAULT
    MODERN SECRETS MANAGEMENT

  16. VAULT GOALS
    Single source for Secrets
    Programmatic Application Access (Automated)
    Operator Access (Manual)
    Practical Security
    Modern Data Center Friendly

  17. VAULT FEATURES
    Secure Secret Storage (in-memory, Consul, file, and more)
    Dynamic Secrets
    Leasing, Renewal, and Revocation
    Auditing
    Rich ACLs
    Multiple Client Authentication Methods

  18. SECURE SECRET STORAGE
    Data is encrypted in transit and at rest
    256-bit AES in GCM mode
    TLS 1.2 for clients
    No HSM required

  19. secure  master vault write secret/foo bar=bacon
    Success! Data written to: secret/foo

  20. secure  master vault read secret/foo
    Key              Value
    lease_id         secret/foo/2a798f6f-00da-8d48-659a-ef1c969f23ed
    lease_duration   2592000
    lease_renewable  false
    bar              bacon

  21. DYNAMIC SECRETS
    Never provide “root” credentials to clients
    Provide limited access credentials based on role
    Generated on demand when requested
    Leases are enforceable via revocation
    Audit trail can identify point of compromise

  22. secure  master vault mount postgresql
    Successfully mounted 'postgresql' at 'postgresql'!

  23. secure  master vault help postgresql
    ## DESCRIPTION
    The PostgreSQL backend dynamically generates database users.
    After mounting this backend, configure it using the endpoints within
    the "config/" path.
    ## PATHS
    The following paths are supported by this backend. To view help for
    any of the paths below, use the help command with any route matching
    the path pattern. Note that depending on the policy of your auth token,

  24. secure  master vault write postgresql/config/connection \
        value="user=hashicorp password=hashicorp database=hashicorp"
    Success! Data written to: postgresql/config/connection

  25. secure  master vault write postgresql/roles/production \
        name=production
    Success! Data written to: postgresql/roles/production

  26. secure  master vault read postgresql/creds/production
    Key              Value
    lease_id         postgresql/creds/production/2d483e34-2d82-476...
    lease_duration   3600
    lease_renewable  true
    password         80e6ffa5-d6e9-beb1-e630-9af0c41299bb
    username         vault-root-1432058168-8081

  27. secure  master vault read postgresql/creds/production
    Key              Value
    lease_id         postgresql/creds/production/a99b952e-222c-6eb...
    lease_duration   3600
    lease_renewable  true
    username         vault-root-1432058254-7887
    password         17a21ba7-8726-97e4-2088-80b7a756702b

  28. DYNAMIC SECRETS
    Pluggable Backends
    AWS, Consul, PostgreSQL, MySQL, Transit, Generic
    Grow support over time

  29. LEASING, RENEWAL, AND REVOCATION
    Every Secret has a Lease*
    Secrets are revoked at the end of the lease unless renewed
    Secrets may be revoked early by operators
    “Break Glass” procedure
    Dynamic Secrets make leases enforceable
    Not possible for arbitrary secrets
    Not possible for transit backend
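
The lease fields shown in slides 20, 26 and 27 (lease_duration, renewable) drive the client behaviour described in slides 21 and 29; the following is an added example of that client-side logic, not code from the talk, Vault or consul-template. It assumes a renew-at-two-thirds policy and uses read responses constructed from the values on the slides, with the HTTP API's field names (`renewable` rather than the CLI's `lease_renewable`).

```python
"""Client-side handling of Vault leases (added example, not consul-template's
or Vault's own code): decide when a secret must be renewed or re-read."""
import json
from dataclasses import dataclass

# Renew once two thirds of the lease has elapsed (assumed policy): it leaves
# room for retries before Vault revokes the credentials at the end of the lease.
RENEW_AT = 2 / 3


@dataclass
class Lease:
    lease_id: str
    duration: int     # seconds, Vault's lease_duration
    renewable: bool
    data: dict        # the secret itself, e.g. username/password
    issued_at: float  # epoch seconds when the secret was read

    @classmethod
    def from_response(cls, body: str, now: float) -> "Lease":
        """Parse the JSON body of a Vault read (HTTP API field names)."""
        doc = json.loads(body)
        return cls(doc["lease_id"], int(doc["lease_duration"]),
                   bool(doc.get("renewable", False)), doc["data"], now)

    def remaining(self, now: float) -> float:
        """Seconds until Vault revokes the secret unless it is renewed."""
        return max(0.0, self.issued_at + self.duration - now)

    def next_action(self, now: float) -> str:
        """'keep': nothing to do; 'renew': extend via the lease API;
        'reread': cannot be extended, fetch fresh credentials now."""
        if self.remaining(now) == 0:
            return "reread"
        if now - self.issued_at < self.duration * RENEW_AT:
            return "keep"
        return "renew" if self.renewable else "reread"

    def renewed(self, new_duration: int, now: float) -> None:
        """Record a successful renewal: the lease clock restarts now."""
        self.duration, self.issued_at = new_duration, now


# Constructed read responses built from the values shown on the slides.
PG_CREDS = json.dumps({"lease_id": "postgresql/creds/production/<lease-uuid>",
                       "lease_duration": 3600, "renewable": True,
                       "data": {"username": "vault-root-1432058168-8081",
                                "password": "80e6ffa5-d6e9-beb1-e630-9af0c41299bb"}})
FOO = json.dumps({"lease_id": "secret/foo/2a798f6f-00da-8d48-659a-ef1c969f23ed",
                  "lease_duration": 2592000, "renewable": False, "data": {"bar": "bacon"}})
```

The generic `secret/foo` entry is never renewable, so the only safe move before its lease lapses is to read it again; the dynamic PostgreSQL credentials can be extended in place.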

  30. AUDITING
    Pluggable Audit Backends
    Request and Response Logging
    Prioritizes Safety over Availability
    Secrets Hashed in Audits
    Searchable, but not reversible

  31. RICH ACLS
    Role Based Policies
    Restrict access to “need to know”
    Default Deny, must be explicitly allowed

  32. FLEXIBLE AUTH
    Pluggable Backends
    Tokens, GitHub, AppID, User/Pass, TLS Certs
    Machine-Oriented vs Operator-Oriented

  33. HIGH AVAILABILITY
    Consul used for leader election
    Active/Standby
    Automatic failover

  34. UNSEALING THE VAULT
    Data in Vault encrypted
    Vault requires encryption key
    Must be provided online

  35. secure  master vault status
    Sealed: true
    Key Shares: 10
    Key Threshold: 7
    Unseal Progress: 6
    High-Availability Enabled: false

  36. secure  master vault unseal
    Key (will be hidden):

  37. secure  master vault unseal
    Key (will be hidden):
    Sealed: false
    Key Shares: 10
    Key Threshold: 7
    Unseal Progress: 0

  38. WATCHING THE WATCHMEN
    Master Key is the “key to the kingdom”
    All data could be decrypted
    Protect against insider attack
    Two-Man Rule

  39. SHAMIR SECRET SHARING
    Protect Encryption Key with Master Key
    Split Master Key into N shares
    T shares to recompute Master
    Quorum of key holders required to unseal
    Default N:5, T:3
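
The split described on slide 39, worked through as an added illustration rather than Vault's own code (Vault's shamir package splits each key byte separately over GF(2^8); this version uses one large prime field so the arithmetic is readable): the master key becomes the constant term of a random degree T-1 polynomial, each of the N key holders receives one point on it, and any T points recover the key by Lagrange interpolation at zero. The defaults N=5, T=3 and the 10/7 split from the status output above are both exercised.

```python
"""Shamir secret sharing over a prime field, as used to split Vault's master key:
N shares, any T reconstruct (added illustration, not Vault's own shamir package)."""
import secrets
from typing import List, Tuple

# Mersenne prime 2^521 - 1: large enough that any 256-bit key is a field element.
PRIME = (1 << 521) - 1
Share = Tuple[int, int]  # (x, f(x)) with x = 1..N


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, n: int, t: int) -> List[Share]:
    """Split `secret` into n shares such that any t of them recover it."""
    if not 1 < t <= n:
        raise ValueError("need 1 < t <= n")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret does not fit in the field")
    # Random polynomial of degree exactly t-1 whose constant term is the secret.
    # A non-zero top coefficient guarantees that fewer than t shares never
    # interpolate to the real secret by accident.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(t - 2)]
    coeffs.append(1 + secrets.randbelow(PRIME - 1))
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Share], length: int) -> bytes:
    """Lagrange-interpolate f(0) from a set of shares; with fewer than t shares
    the result is an unrelated field element, never the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    s = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        s = (s + yi * num * pow(den, -1, PRIME)) % PRIME
    if s >= 1 << (8 * length):
        raise ValueError("shares do not reconstruct a %d-byte secret" % length)
    return s.to_bytes(length, "big")
```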

  40. SUMMARY
    Solves the “Secret Sprawl Problem”
    Protects against external threats (Cryptosystem)
    Protects against internal threats (ACLs and Secret Sharing)

  41. BUILDING ON VAULT

  42. SECURITY FOUNDATION
    Base of Trust
    Core Infrastructure
    Flexible Architecture
    Foundation for Security Infrastructure

  43. PERSONALLY IDENTIFIABLE INFORMATION
    PII information is everywhere
    SSN, CC#, OAuth Tokens, etc.
    Email? Physical address?
    Security of storage?
    Scalability of storage?
    Auditability of access?

  44. PII WITH VAULT
    “transit” backend in Vault
    Encrypt/Decrypt data in transit
    Avoid secret management in client applications
    Builds on Vault foundation

  45. TRANSIT BACKEND
    Web server has no encryption keys
    Requires two-factor compromise (Vault + Datastore)
    Decouples storage from encryption and access control

  46. FUTURE: CERTIFICATE AUTHORITY
    Vault acts as Internal CA
    Vault stores root CA keys
    Dynamic Secrets - Generates signed TLS keys
    No more tears

  47. FUTURE: MUTUAL TLS FOR SERVICES
    Dynamic CA allows all services to generate keys
    All internal service communication can use mutual TLS
    End-to-End encryption inside the datacenter

  48. SECURITY FOUNDATION
    Early days of Vault
    “transit” backend shows clever uses of primitives
    Certificate Authority extends use cases, reduces moving pieces

  49. VAULT IN PRACTICE

  50. USING VAULT
    API Driven
    JSON/HTTPS
    Rich CLI for humans and scripts
    Rich Client libraries

  51. APPLICATION INTEGRATION
    Vault-aware
    Native Client libraries
    Secrets only in-memory
    Safest but high-touch

  52. CONSUL TEMPLATE INTEGRATION
    Secrets templatized into application configuration
    Vault is transparent
    Lease management is automatic
    Non-secret configuration still via Consul

  53. secure  master cat secrets.yml.ctmpl
    {{ with $secret := vault "postgresql/creds/production" }}
    ---
    production:
      adapter: postgresql
      database: postgres.service.consul
      username: {{$secret.Data.username}}
      password: {{$secret.Data.password}}
      pool: {{key "production/postgres/pool"}}
    {{ end }}

  54. APPLICATION INTEGRATION
    Future: envconsul
    Vault oblivious, read environment variables
    Future: KeyWhiz-style FUSE FS
    Vault oblivious, Read “files”, in-memory only

  55. QUICK RECAP

  56. VAULT
    Secrets Management Modernized
    Fixes the Secret Sprawl Problem
    Easy to Integrate
    Small and lightweight (15MB)
    Provides Security Foundation

  57. VAULT ROADMAP
    Planned external code audit by security research firm
    Integrate across HashiCorp tools
    Tame the Modern Datacenter

  58. THANK YOU!
    QUESTIONS?
    hashicorp/vault
    https://vaultproject.io
    [email protected]