ARE YOUR PASSWORDS SECURE? HashiCorp Vault & Spring Vault

What is a secret?
Why we must change our way
HashiCorp Vault
Use Cases
Architecture
Installation and Config Secrets Backends
Static and Dynamic Secrets Demo

Walid El Sayed Aly

November 24, 2017

Transcript

  1. ARE YOUR PASSWORDS SECURE? New Methods Increase Security @welsayedaly

  2. @welsayedaly Walid El Sayed Aly

  3. http://bit.ly/2zFWyBR

  4. AGENDA: What is a secret?; Why we must change our way; HashiCorp Vault; Use Cases; Architecture; Installation and Config Secrets Backends; Static and Dynamic Secrets Demo
  5. AGENDA: Spring Vault with HashiCorp Vault; What does Spring Vault offer?; Which HTTP clients support Spring Vault?; Demo: Static (Key/Value) & Dynamic (PostgreSQL)
  6. CHAPTER 1 HashiCorp Vault

  7. What is a secret?

  8. A secret is anything used for authentication or authorization: user names and passwords, API tokens, TLS certificates, etc. It can also be any sensitive data that could be confidential, like credit cards, social security numbers, e-mail, etc.
  9. Why you must change the way you store secrets.

  10. None
  11. None
  12. “If you connect it to the Internet, someone will try to hack it.” Brian Krebs
  13. HashiCorp Vault

  14. HashiCorp Vault: Vault provides a single interface for each secret. It saves, stores and manages passwords, certificates and tokens. Vault records a detailed audit log.
  15. HashiCorp Vault Use Cases: Secret Management; Dynamic Secrets; Encrypting as a service; Prevailing Access Management; Leasing and Renewal; Revocation
  16. HashiCorp Vault Architecture

  17. HashiCorp Vault Installation

    vault server -config=/path_to_vault_config_file -dev -dev-root-token-id="9746523452" -dev-listen-address="127.0.0.1:8201"

    Do Not Run DEV Mode in Production!
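  18. Vault Config File

    # in-memory storage: nothing is persisted across restarts
    backend "inmem" { }

    # TCP listener with TLS certificate and key
    listener "tcp" {
      address = "127.0.0.1:8200"
      tls_cert_file = "/Path_CERT_FILE"
      tls_key_file = "Path_CERT_KEY_FILE"
      tls_min_version = "tls10"
    }

    disable_mlock = true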
  19. Vault Secret Backend Systems: Databases: MySQL, Postgres, Oracle, SAP HANA; NoSQL: MongoDB, Cassandra; Cloud Backends: AWS; Key/Value: physical storage
  20. Vault Static and Dynamic Secrets: Static secrets are like Key/Value secrets. Dynamic secrets are generated when they are accessed.
  21. None
  22. CHAPTER 2 Spring Vault with HashiCorp Vault

  23. Spring Vault

    dependencies {
      compile 'org.springframework.vault:spring-vault-core:2.0.0.M3'
    }
    // milestone release, served from the Spring milestone repository
    repositories {
      maven { url 'https://repo.spring.io/libs-milestone' }
    }
  24. Spring Vault provides abstractions and client-side support for accessing, storing and revoking secrets with HashiCorp Vault. Vault Repositories: like the concept of Spring Data, Spring Vault offers CRUD operations to access secrets from HashiCorp
  25. Spring Vault Reactive Vault Client Audit authentication steps to compose authentication flows
  26. Spring Vault: Which HTTP Clients support Spring Vault? RestTemplate; Apache Http Components; Java java.net.URLConnection (HttpURLConnection); Netty; OkHttp 3 by Square
  27. None
  28. Conclusion: Secure your data and do not only decrypt. Use new technology like HashiCorp to manage your secrets. Apps and OPS mustn’t know which secrets they use. Spring Vault is nice to use for apps that already use Spring frameworks.
  29. Are Your Passwords Secure?

  30. THANK YOU
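
The settings on slides 17 and 18 suit a demo. The following check is an added example, not part of the original slides: it flags the slide 18 settings that should not carry over to a production server. It embeds that config (with straight quotes) as sample input; the names `setting` and `audit` and the finding texts are assumptions of this example, and the regex matching is a simplification rather than a full HCL parser.

```python
import re

# Slide 18's config, retyped with straight quotes so the check runs offline.
SLIDE_18_CONFIG = '''
backend "inmem" { }
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_cert_file = "/Path_CERT_FILE"
  tls_key_file = "Path_CERT_KEY_FILE"
  tls_min_version = "tls10"
}
disable_mlock = true
'''

TLS_ORDER = ["tls10", "tls11", "tls12", "tls13"]  # values Vault accepts


def setting(config, key):
    """Return the value assigned to `key` (quotes stripped), or None."""
    m = re.search(r'\b' + re.escape(key) + r'\s*=\s*"?([^"\s}]+)"?', config)
    return m.group(1) if m else None


def audit(config):
    """Return findings for settings that are acceptable in a demo only."""
    # Drop whole-line comments so a commented-out setting is not reported.
    config = re.sub(r'(?m)^\s*(#|//).*$', '', config)
    findings = []
    storage = re.search(r'\b(?:backend|storage)\s+"(\w+)"', config)
    if storage and storage.group(1) == "inmem":
        findings.append("inmem storage: all secrets are lost on restart")
    if setting(config, "tls_disable") in ("1", "true"):
        findings.append("tls_disable: listener serves plain HTTP")
    else:
        if not (setting(config, "tls_cert_file") and setting(config, "tls_key_file")):
            findings.append("listener has no TLS certificate and key")
        # Vault defaults to tls12 when tls_min_version is not set.
        min_tls = setting(config, "tls_min_version") or "tls12"
        if min_tls in TLS_ORDER and TLS_ORDER.index(min_tls) < TLS_ORDER.index("tls12"):
            findings.append("tls_min_version=%s: accepts TLS older than 1.2" % min_tls)
    if setting(config, "disable_mlock") in ("1", "true"):
        findings.append("disable_mlock: Vault memory can be swapped to disk")
    return findings


if __name__ == "__main__":
    for finding in audit(SLIDE_18_CONFIG):
        print("WARN", finding)
```

Run against the slide's config it reports the in-memory storage, the TLS 1.0 minimum and the disabled mlock; a config with persistent storage, `tls_min_version = "tls12"` and mlock left enabled returns no findings.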