am I? • from Hamburg Germany • ~ 20 years Linux • Python Core Developer – maintainer of ssl, hashlib – Coverity Scan – PEP 370, 452, 456, 543 – security team
• chroot on steroids private view of and limited access to system • packaging solution “reproducible” build • deployment mechanism • mostly stateless (insects) • sometimes stateful (elephants)
/ Speed • Hot / Online used a lot, automated • Cold / Offline used rarely, human interaction • Fast / Dynamic regular change, automatic rotation • Slow / Static change is “big”
pre-conditions • data center is protected • hardware is safe (CPU UEFI, firmwares, …) TPM remote attestation • Kernel and OS are secure SecureBoot, CoreBoot (Heads), dm-verity • container run-time and orchestration are secure • PKI with trusted CA
practices • encrypt at rest (encrypted storage) • encrypt in transit • audit log • access control (RBAC, HBAC) • identity • rollover / renewal • least amount of privileges • no cleartext secrets on the file system
vars • directory traversal attack • debug tools • other means GET /download?file=../proc/self/environ GET /download?file=../proc/self/environ SELECT getenv('secret');
Definition according to wikitionary Latin • protection, safekeeping • custody, guardianship English • Care (concern, responsibility) • pyx (box) ◦ housing of a ship’s compass ◦ container for consecrated bread
is Custodia? • Technology (not yet a product) • Secrets-as-a-Service API ◦ Existing solutions push secrets to client ◦ Actively request secrets from a service • Secrets transport and routing layer definition • Pluggable authentication and authorization • Reference implementation in Python
is Custodia not? • Custodia is not intended to replace CoreOS etcd, OpenStack, Barbican, Hashicorp Vault etc. • Custodia is not a secrets storage server ◦ adapter to existing solutions • Custodia is not limited to containers • Custodia is not just a proof of concept ◦ FreeIPA / Red Hat IdM
analysis results • No secrets on the file system • Strong encryption at rest and in transit • End-to-end encryption • Reduce access and exposure • Audit logs • Key rotation for stateful containers PCI-DSS compliance
principles • Applications request secrets (active pull) • Use standard protocols and data formats • Make it easy to write clients, servers and integration • Flexible (authentication, authentication, storage) • Extensible (secrets on demand, HSM) • Dynamic secrets
• Simple interface for developers (API) • Decoupled layers give flexibility • Configuration and policies are moved to infrastructure Let ops take care of secrets • Vendor agnostic management and storage Standardization in progress!
sockets to the rescue! • Run Custodia in host PID namespace • Mount Unix socket into containers • getsockopt() SO_PEERCRED PID, effective UID, effective GID • getsockopt() SO_PEERSEC SELinux process label (sVirt) • /proc/PID/cgroup Docker container ID (HACK)
master Architecture diagram Container Custodia Application Application Custodia Custodia Key Store Key Store Key Store Key Store Key Store Integration on the system over a local socket • Kubernetes node • VM
FreeIPA Vault & Dogtag PKI • Dogtag PKI KRA (key recovery agent) • LDAP storage with 389-DS master-master replication and replication topology • Encrypted in transit and on disk optional support for HSM (hardware security module) • GSSAPI / Kerberos authentication • Central access control • Signed, tamper-proof audit log
tiran
kangnux
mraible
urmot
daisukeshinoku
bkuhlmann
kishida
har1101
niftycorp
ivargrimstad
ttskch
nagainaganawa
youkidearitai
pauljervisheath
palkan
bryan
sachag
hannesfritz
caitiem20
lauravandoore
destraynor
nonsquared
schacon
moore
samanthasiow
