Be secret like a ninja with Hashicorp Vault. Mehdi LARUELLE @D2SI
Whoami? Mehdi LARUELLE, Cloud & Automation at D2SI, @mehdilaruelle
Github Access
Table of contents
1. Contextualization
2. How does Vault work?
3. Steps to become a ninja
4. Demonstration
// Contextualization 1
Problem? Mail / Code
Vault? Why?
// How does Vault work ? 2
Methods & Engines: Auth methods (App / Users)
● LDAP
● Approle (pipeline)
● RADIUS
● TLS Certificate
● OKTA
● Kubernetes
● JWT
● JWT / OIDC
● Github
● AliCloud / Azure / AWS / GCP
Methods & Engines: Secrets engines
Static secrets: K/V
Dynamic secrets
● Cloud: Alicloud, AWS, GCP, Azure
● Technology: Active Directory, SSH, Consul, Database, Nomad, RabbitMQ
● Others: PKI, TOTP
Encryption as a Service: Transit, GCP KMS
// Steps to become a ninja 3
Steps to be a ninja
1. Find secrets
2. Put secrets in Vault
3. Make secrets dynamic
4. Encrypt sensitive data
Approle
How is it working?
1. Send Role ID / Send Secret ID
2. Auth with Approle
3. Get Token
4. Get secrets with Vault token
Secret as a Service
1. Ask DB credentials
2. Vault creates the credentials in the DB and retrieves them
3. Get credentials
4. Application uses the credentials to authenticate to the DB
5. Ask to revoke credentials
6. Revoke credentials
EaaS: Encryption as a Service (Application A, Application B)
1. Put raw data
2. Get encrypted data
3. Put encrypted data
4. Get encrypted data
5. Put encrypted data
6. Get decrypted data
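As an added example (my own code, not from the talk), the AppRole exchange and the EaaS round trip from the two diagrams above, written against Vault's HTTP API with only the standard library. The `fake_vault` transport, the `hvs.constructed` token, the `secret` KV v2 mount, the `app-key` Transit key and the Role/Secret ID placeholders are constructed stand-ins so that `demo()` runs offline; pass `vault_request` and a real address to talk to a server.

```python
import base64
import json
import urllib.request

def vault_request(addr, method, path, body=None, token=None):
    """Send one JSON request to Vault's HTTP API and decode the reply (stdlib only)."""
    headers = {"Content-Type": "application/json", **({"X-Vault-Token": token} if token else {})}
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def approle_login(addr, role_id, secret_id, send=vault_request):
    """AppRole steps 1-3: present Role ID + Secret ID, get back a client token."""
    reply = send(addr, "POST", "auth/approle/login", {"role_id": role_id, "secret_id": secret_id})
    return reply["auth"]["client_token"]

def read_kv(addr, token, path, send=vault_request):
    """AppRole step 4: read a KV v2 secret with the token (mount name 'secret' assumed)."""
    return send(addr, "GET", f"secret/data/{path}", token=token)["data"]["data"]

def transit_encrypt(addr, token, key, raw, send=vault_request):
    """EaaS steps 1-2: Transit takes base64 plaintext, returns 'vault:v1:...' ciphertext."""
    body = {"plaintext": base64.b64encode(raw).decode()}
    return send(addr, "POST", f"transit/encrypt/{key}", body, token)["data"]["ciphertext"]

def transit_decrypt(addr, token, key, ciphertext, send=vault_request):
    """EaaS steps 5-6: send the ciphertext back, decode the base64 plaintext Transit returns."""
    reply = send(addr, "POST", f"transit/decrypt/{key}", {"ciphertext": ciphertext}, token)
    return base64.b64decode(reply["data"]["plaintext"])

def fake_vault(addr, method, path, body=None, token=None):
    """Constructed stand-in for a Vault server (no real crypto); mimics Vault's reply shapes."""
    if path == "auth/approle/login":
        return {"auth": {"client_token": "hvs.constructed"}}
    if token != "hvs.constructed":
        raise PermissionError("403: missing or wrong X-Vault-Token")  # every later call needs it
    if path.startswith("secret/data/"):
        return {"data": {"data": {"db_password": "constructed-sample"}}}
    if path.startswith("transit/encrypt/"):
        return {"data": {"ciphertext": "vault:v1:" + body["plaintext"]}}
    assert path.startswith("transit/decrypt/"), f"unexpected path {path}"
    return {"data": {"plaintext": body["ciphertext"].split(":", 2)[2]}}

def demo(addr="http://127.0.0.1:8200", send=fake_vault):
    """The ninja flow end to end; returns (kv secret, ciphertext, round-tripped plaintext)."""
    token = approle_login(addr, "role-id-placeholder", "secret-id-placeholder", send)
    secret = read_kv(addr, token, "app/config", send)
    ct = transit_encrypt(addr, token, "app-key", b"4111 1111 1111 1111", send)
    return secret, ct, transit_decrypt(addr, token, "app-key", ct, send)
```

The application never holds the Transit key: it only ever sees ciphertext and the token, so revoking the token (or the AppRole Secret ID) cuts its access to both the KV data and decryption.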
Demonstration
To infinity... and beyond!
● Consul service mesh
● envconsul and / or consul-template
● Vault Agent
Questions? The last but not least
Recommendations
More recommendations