
Vault @ Continuous Lifecycle 2016

Simon Kölsch

November 15, 2016


Transcript

  1. The Problems > Who has access to secrets? > How to revoke/update secrets? > How to lease secrets? > How to avoid treating a user and an application differently?
  2. The Solution > Put the secrets into a secure store > Create an API > Change secrets after use > Create temporary credentials > Log every access to the store
  3. DIY? > Writing secure software is hard > Writing security software is even harder > If your application needs HA, your infrastructure also needs HA > Writing HA security software is much, much harder
  4. Why Vault? > This talk is about Vault > It is not the only secret store, but a nice one > Check out Keywhiz as an alternative: https://square.github.io/keywhiz/ > Check your requirements!
  5. Vault HA Setup (diagram: clients, via the CLI, a client library or monitoring, talk to the HTTP API of the active Vault service; a standby Vault service exposes the same HTTP API; each Vault service is backed by a storage backend)
  6. How to Interact? > CLI > RESTful API > Client Libraries > Go > Ruby > Java, Node, PHP, Python, Scala, C#, Ansible, …
  7. Initialize your Vault > Define key shares (-key-shares=5) > Define shares needed for unlocking (-key-threshold=3) > Initialize > Unseal
  8. λ ~ vault init -key-shares=5 -key-threshold=3
     Unseal Key 1: pNVHTqoTwVeONEVLfHyrLjH+bD3+Q1WS1ixbI/vI9HUB
     Unseal Key 2: hsoNYsxhuEay8J71R3BZoIEsnIjGdg6cYNIFK6/XROwC
     Unseal Key 3: UnQ+yyIOgOmoOpKGjTc1+1odwpSFPbhZ+LGgCwwD9iED
     Unseal Key 4: iAf662hnv16Q0O0VrJTjUwkgPRqSeXypBhmN6DNqrWkE
     Unseal Key 5: XLnJQoYIh/GKGuFmZtOPCNIRYwbRMspsnnooyJC+H6QF
     Initial Root Token: 25d5513b-70b2-2ced-488f-7e3d718d1115

     Vault initialized with 5 keys and a key threshold of 3.
     Please securely distribute the above keys.
     When the Vault is re-sealed, restarted, or stopped, you must provide at least 3 of these keys to unseal it again.
     Vault does not store the master key.
     Without at least 3 keys, your Vault will remain permanently sealed.
  9. λ ~ vault unseal
     Key (will be hidden): pNVHTqoTwVeONEVLfHyrLjH+bD3+Q1WS1ixbI/vI9HUB
     Sealed: true
     Key Shares: 5
     Key Threshold: 3
     Unseal Progress: 1

  10. λ ~ vault unseal
      Key (will be hidden): pNVHTqoTwVeONEVLfHyrLjH+bD3+Q1WS1ixbI/vI9HUB
      Sealed: true
      Key Shares: 5
      Key Threshold: 3
      Unseal Progress: 1
      [..]
      λ ~ vault unseal
      Key (will be hidden): UnQ+yyIOgOmoOpKGjTc1+1odwpSFPbhZ+LGgCwwD9iED
      Sealed: false
      Key Shares: 5
      Key Threshold: 3
      Unseal Progress: 0
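As an added illustration of the init/unseal flow on slides 7 to 10 (this is not code from the talk or from Vault itself), the Python model below splits a master key into -key-shares points of a random polynomial and recovers it from any -key-threshold of them, Shamir's scheme over a prime field; SealedVault mimics the Sealed / Unseal Progress output, including a repeated key not advancing progress and the combined shares being forgotten afterwards. All names (split_key, combine_shares, SealedVault) are hypothetical; Vault's own implementation works per byte in GF(2^8).

```python
import secrets

# 521-bit Mersenne prime: every 256-bit master key is below it, so the key is one
# field element. Simplified re-implementation for illustration only; Vault's own
# shamir package works per byte in GF(2^8) instead.
P = 2**521 - 1

def _poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner's rule)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y

def split_key(master_key: bytes, key_shares: int, key_threshold: int):
    """-key-shares / -key-threshold: share i is the point (i, f(i)) on a random
    polynomial of degree key_threshold - 1 whose constant term is the key."""
    secret = int.from_bytes(master_key, "big")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(key_threshold - 1)]
    return [(x, _poly(coeffs, x)) for x in range(1, key_shares + 1)]

def combine_shares(points, key_len: int = 32):
    """Lagrange interpolation at x = 0; None if the points give no key_len-byte
    value (fewer than key_threshold shares yield a random field element)."""
    secret = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return None if secret.bit_length() > 8 * key_len else secret.to_bytes(key_len, "big")

class SealedVault:
    """Constructed model of the unseal flow on the slides, not Vault's code.
    The shares come from split_key(); the vault itself keeps no copy of the key."""
    def __init__(self, key_shares: int = 5, key_threshold: int = 3):
        self.key_shares, self.key_threshold = key_shares, key_threshold
        self._progress, self.master_key = [], None

    def unseal(self, share) -> dict:
        """Like `vault unseal`: a repeated share does not advance progress; once
        key_threshold distinct shares are in they are combined and then forgotten."""
        if share not in self._progress:
            self._progress.append(share)
        if len(self._progress) >= self.key_threshold:
            self.master_key, self._progress = combine_shares(self._progress), []
        return {"sealed": self.master_key is None, "key_shares": self.key_shares,
                "key_threshold": self.key_threshold, "unseal_progress": len(self._progress)}
```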
  11. λ ~ vault auth 25d5513b-70b2-2ced-488f-7e3d718d1115
      Successfully authenticated! You are now logged in.
      token: 25d5513b-70b2-2ced-488f-7e3d718d1115
      token_duration: 0
      token_policies: [root]

  12. λ ~ vault auth 25d5513b-70b2-2ced-488f-7e3d718d1115
      Successfully authenticated! You are now logged in.
      token: 25d5513b-70b2-2ced-488f-7e3d718d1115
      token_duration: 0
      token_policies: [root]
      λ ~ vault write secret/somePath user=foo password=bar
      Success! Data written to: secret/somePath

  13. λ ~ vault auth 25d5513b-70b2-2ced-488f-7e3d718d1115
      Successfully authenticated! You are now logged in.
      token: 25d5513b-70b2-2ced-488f-7e3d718d1115
      token_duration: 0
      token_policies: [root]
      λ ~ vault write secret/somePath user=foo password=bar
      Success! Data written to: secret/somePath
      λ ~ echo -n '{"user":"foo", "password":"bar"}' | vault write secret/someOtherPath -
      Success! Data written to: secret/someOtherPath

  14. λ ~ vault read secret/somePath
      Key                 Value
      ---                 -----
      refresh_interval    768h0m0s
      password            bar
      user                foo
      λ ~ vault read -format=json secret/somePath
      {
        "request_id": "f1f65da9-42d5-273e-50e9-9a3c55b479d4",
        "lease_id": "",
        "lease_duration": 2764800,
        "renewable": false,
        "data": {
          "password": "bar",
          "user": "foo"
        },
        "warnings": null
      }
  15. More Secret Backends > Database Backends > SSH > Transit > PKI (X.509 Certificates) > Others
  16. Storage Backends > Consul * > etcd > Zookeeper > DynamoDB > Azure and S3 > MySQL > PostgreSQL > Filesystem * > (In Memory *) > Legend: = High Availability, * = Officially Supported
  17. Auth Backends > Token > Username & Password > App Role / App ID > MFA > AWS EC2 > GitHub > LDAP > TLS Client Cert
  18. Auditing > Audit Backends > Syslog > File > Full requests / responses are logged > Sensitive data is hashed with a salt > Beware of blocking!
  19. Simon Kölsch | @simkoelsch
      innoQ Deutschland GmbH, Krischerstr. 100, 40789 Monheim am Rhein, Germany, Phone: +49 2173 3366-0
      innoQ Schweiz GmbH, Gewerbestr. 11, CH-6330 Cham, Switzerland, Phone: +41 41 743 0116
      Ohlauer Straße 43, 10999 Berlin, Germany, Phone: +49 2173 3366-0
      Robert-Bosch-Straße 7, 64293 Darmstadt, Germany, Phone: +49 2173 3366-0
      Radlkoferstraße 2, D-81373 München, Germany, Phone: +49 (0) 89 741185-270
      www.innoq.com
      Thank you! Questions? Comments?