Secret Management with Hashicorp's Vault, Daniel Bornkessel (PowerPoint PPT presentation)



1. Vault secret backends — static secrets
   Figure (App and Vault). The backdrop of this and all following slides is the Vault path tree:
   ├── aws
   │   └── creds
   │       ├── admin
   │       └── developer
   ├── database
   │   └── creds
   │       ├── clients
   │       └── contracts
   ├── pki
   │   └── issue
   │       └── example-com
   ├── secret
   │   └── team
   │       ├── app1
   │       │   └── api-keys
   │       │       ├── google-analytics
   │       │       └── paypal
   │       └── app2
   │           └── foo
   ├── ssh
   │   └── creds
   │       ├── erika
   │       └── erna
   └── transit
       ├── decrypt
       │   └── team-1-key
       └── encrypt
           └── team-1-key
   Steps: (1) app1 stores the value 1234-foo-bar with vault write secret/app1/api-key; (2) it reads it back with vault read secret/app1/api-key; (3) Vault returns 1234-foo-bar.

2. Vault secret backends — dynamic secrets

3. Vault secret backends — dynamic secrets: what they are
   • on-the-fly created credentials (hence "dynamic") for each instance of an app / user that wants a secret
   • usually a short to medium TTL
   • fully audited

4. Vault secret backends — dynamic secrets: how they work (in a nutshell)
   1. provide Vault with credentials for a user that has the rights to create users or tokens in a remote system (e.g. a database)
   2. configure Vault with settings on how to create credentials
   3. configure Vault with settings on how to invalidate credentials in the remote system

5. Vault secret backends — Databases

6. Vault secret backends — Databases
   • idea: get access to databases
   • Vault gets configured with credentials for a database user that has the necessary permissions on the database
   • Vault gets a policy that maps users and roles to users with configured permissions in the database
   • when a user requests credentials, Vault creates a new database user on the fly
   • when configured (usually the case), all created users have a TTL assigned; when the TTL is reached, Vault deletes the user from the database

7. Vault secret backends — Databases: configuration
   Figure (db admin, Vault): (0) the db admin writes the database configuration into Vault.

8. Vault secret backends — Databases: configuration
   Figure: step (0), the db admin runs:
     vault secrets enable -path=db database

     vault write db/config/clients \
         plugin_name=mysql-database-plugin \
         connection_url="admin:pw@tcp(db.example.com)/" \
         allowed_roles="clients-ro,clients-rw"

     # the backend is mounted at "db" above, so the role lives under db/, not database/
     vault write db/roles/clients-ro \
         db_name=clients \
         creation_statements="\
           CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \
           GRANT SELECT ON clients.* TO '{{name}}'@'%';" \
         default_ttl="1h" \
         max_ttl="240h"

9. Vault secret backends — Databases: configuration
   Same commands as slide 8, with the role definition (vault write db/roles/clients-ro ...) highlighted.

10. Vault secret backends — Databases: request flow
    Figure (App, Vault, database): (1) the app reads db/creds/clients-ro; (2) Vault runs the role's "create user ..." statements against the database; (3) the database answers OK; (4) Vault returns a db login / db password to the app; (5) once the configured TTL is reached, Vault runs "delete user ..." against the database.
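The create / hand out / delete lifecycle of slides 8 to 10, as an added Python model that is not code from the talk or from Vault: it renders the role's templated creation_statements the way Vault does, hands out a lease with default_ttl, caps renewals at max_ttl, and runs revocation statements once a lease expires. The class and function names (DbRole, FakeVaultDbBackend, render, tidy) and the revocation statement are assumptions for this illustration.

```python
"""Model of Vault's database secret backend lifecycle (slides 8-10).

Added example, not code from the talk or from Vault itself. It shows what
the talk's "create user on the fly ... delete user when the TTL is reached"
steps mean in terms of lease times and SQL, so the flow can be traced offline.
DbRole, Lease, FakeVaultDbBackend and the revocation statement are hypothetical.
"""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass, field


@dataclass
class DbRole:
    name: str
    db_name: str
    creation_statements: str
    revocation_statements: str
    default_ttl: int   # seconds, as in default_ttl="1h"
    max_ttl: int       # seconds, as in max_ttl="240h"


# The role from slide 8: read-only access to the "clients" database.
CLIENTS_RO = DbRole(
    name="clients-ro",
    db_name="clients",
    creation_statements=(
        "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; "
        "GRANT SELECT ON clients.* TO '{{name}}'@'%';"
    ),
    revocation_statements="DROP USER '{{name}}'@'%';",   # assumed, not on the slide
    default_ttl=3600,
    max_ttl=240 * 3600,
)


@dataclass
class Lease:
    lease_id: str
    username: str
    issued_at: int
    expires_at: int
    role: DbRole


def render(statements: str, **values: str) -> list[str]:
    """Substitute {{name}} / {{password}} placeholders and split into single statements."""
    text = re.sub(r"\{\{\s*(\w+)\s*\}\}", lambda m: values[m.group(1)], statements)
    return [s.strip() for s in text.split(";") if s.strip()]


@dataclass
class FakeVaultDbBackend:
    """Stands in for Vault plus the MySQL plugin; SQL it would run is appended to `executed`."""
    executed: list[str] = field(default_factory=list)
    leases: dict[str, Lease] = field(default_factory=dict)

    def read_creds(self, role: DbRole, now: int) -> Lease:
        """Steps 1-4: the app reads db/creds/<role>; Vault creates a user with a TTL."""
        username = f"v-{role.name}-{secrets.token_hex(4)}"   # Vault-style generated name
        password = secrets.token_urlsafe(24)
        for stmt in render(role.creation_statements, name=username, password=password):
            self.executed.append(stmt)
        lease = Lease(f"db/creds/{role.name}/{secrets.token_hex(8)}",
                      username, now, now + role.default_ttl, role)
        self.leases[lease.lease_id] = lease
        return lease

    def renew(self, lease_id: str, increment: int, now: int) -> int:
        """Extend a lease by `increment` seconds, but never past issued_at + max_ttl."""
        lease = self.leases[lease_id]
        hard_limit = lease.issued_at + lease.role.max_ttl
        lease.expires_at = min(now + increment, hard_limit)
        return lease.expires_at

    def tidy(self, now: int) -> list[str]:
        """Step 5: revoke every expired lease by running its revocation statements."""
        revoked = []
        for lease_id, lease in list(self.leases.items()):
            if lease.expires_at <= now:
                for stmt in render(lease.role.revocation_statements, name=lease.username):
                    self.executed.append(stmt)
                revoked.append(lease.username)
                del self.leases[lease_id]
        return revoked
```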

11. Vault secret backends — Databases: available plugins
    • Cassandra
    • HanaDB
    • MongoDB
    • MSSQL
    • MySQL/MariaDB
    • PostgreSQL
    • Oracle

12. Vault secret backends — Google Cloud

13. Vault secret backends — Google Cloud: configuration
    Figure: (0) credentials.json is stored in Vault; rolesets are defined to generate OAuth2 access tokens (preferred) or service accounts.

14. Vault secret backends — Google Cloud: request flow
    Figure (App, Vault, GCP API): (1) the app reads gcp/token/dev; (2) Vault calls the GCP API to create a token / service account according to the configured roleset; (3) the GCP API returns an OAuth2 token / service account key; (4) Vault hands the OAuth2 token / service account key, with a TTL, to the app.

15. Vault secret backends — AWS

16. Vault secret backends — AWS
    • idea: get access to AWS resources
    • Vault gets configured with an AWS user that has the necessary permissions
    • Vault gets a policy that maps users or roles to AWS roles
    • when a user requests credentials, Vault creates STS tokens, assume-role tokens or dynamic IAM users
    • when configured (usually the case), all created secrets have a TTL assigned

17. Vault secret backends — AWS: configuration
    Figure: (0) aws_access_key and aws_secret_key are stored in Vault.

18. Vault secret backends — AWS: request flow
    Figure (App, Vault, AWS API): (1) the app reads aws/creds/dev; (2) Vault calls the AWS API to create an STS token / IAM user according to the configured role; (3) AWS returns a TTL'ed token / credentials; (4) Vault hands the TTL'ed token / credentials, with a TTL, to the app.

19. Vault secret backends — PKI

20. Vault secret backends — PKI
    • idea: issue client certificates on the fly
    • Vault gets configured with a CA certificate and a private key
    • Vault gets a configuration about how certificates for this CA should be issued (TTL, subject, etc.)
    • when a user requests credentials, Vault issues a certificate on the fly
    • when configured (usually the case), all created certificates have a TTL assigned

21. Vault secret backends — PKI: configuration
    Figure: (0) ca.cert and ca.key are added to Vault.

22. Vault secret backends — PKI: request flow
    Figure (App, Vault): (1) the app writes to pki/issue/dev; (2) Vault creates a client certificate according to the configured role; (3) the app receives a TTL'ed client certificate.

23. Vault secret backends — SSH

24. Vault dynamic secret backends — ssh: one-time SSH passwords
    • idea: get ssh access to machines
    • every host in the system has a small Vault helper process running
    • the user fetches a one-time password from Vault
    • when the user authenticates via ssh, the Vault helper checks whether the one-time password is valid and then deletes it

25. Vault secret backends — SSH: request flow
    Figure (user, Vault, host 1.1.2.2): (1) vault write ssh/creds/dev ip=1.1.2.2; (2) Vault returns username / otp; (3) ssh username@1.1.2.2; (4) the host validates the otp against Vault; (5) access is granted.

26. Vault dynamic secret backends — ssh: signed SSH certificates
    • idea: get ssh access to machines
    • the user configures Vault's ssh backend with a CA, a private and a public key
    • the public key gets distributed to all hosts in the system
    • the user asks Vault to sign one of their public ssh keys with the provided CA and gets a new, signed public key as the response
    • the user can use this new, signed key to log in to machines

27. Vault dynamic secret backends — Transit

28. Vault dynamic secret backends — Transit
    • idea: encrypt and decrypt data without handling private keys
    • the user creates a new transit path in Vault
    • users can encrypt data by writing the data to this transit path (e.g. transit/encrypt/my-keys/foo)
    • users with sufficient permissions can decrypt data by writing to the respective transit path (e.g. transit/decrypt/my-keys/foo)
    • the private key never leaves Vault
    • the data is not stored on Vault (hence the name "transit")

29. Vault secret backends — Transit: request flow
    Figure (App, Vault): (1) the app writes the plaintext foo with vault write transit/encrypt/app/app1; (2) Vault returns the ciphertext; (3) the app writes the ciphertext back with vault write transit/decrypt/app/app1; (4) Vault returns foo.

30. Vault secret backends (overview; the auth backends are listed alongside)
    Secret backends: • AWS • Consul • Cubbyhole • Databases • Identity • Static secrets (Key/Value) • Nomad • PKI (Certificates) • RabbitMQ • SSH • TOTP • Transit
    Auth backends: • Tokens • LDAP • AWS • Kubernetes • Google Cloud • Username & Password • AppRole • GitHub • MFA • Okta • RADIUS • TLS Certificates

31. Vault — auth backends

32. Vault auth backends
    Same two-column overview as slide 30, now highlighting the auth backends column.

33. Vault auth backends — tokens

34. token auth
    • created by Vault
    • the only way to authorize (auth-z) against Vault
    • returned when authenticated (auth-n) successfully
    • comparable to a session id on a website
    • has permissions / policies assigned to it

35. token auth
    $ vault token create -ttl=5m -policy=admin
    Key                Value
    ---                -----
    token              d9640590-63c8-b3a6-50ac-1403c8180948
    token_accessor     5a362982-f34c-3706-143a-26ada278b6cf
    token_duration     5m
    token_renewable    true
    token_policies     [admin default]

36. Vault auth backends — userpass

37. userpass auth
    • statically created by users and stored in Vault
    $ vault auth enable userpass
    $ vault write auth/userpass/users/kesselborn \
        password=foo policies=admin
    $ vault login -method=userpass username=kesselborn
    Key                Value
    ---                -----
    token              d9640590-63c8-b3a6-50ac-1403c8180948
    ...
    token_duration     5m
    token_policies     [admin default]

38. Vault auth backends — userpass
    • setup of username / password
    Figure: (1) vault write /auth/userpass/users/foo stores the password 123 for user foo in Vault.

39. Vault auth backends — userpass
    • authenticate with a username & password
    Figure: (1) the user authenticates with foo / password123; (2) Vault returns a token with its policies.

40. Vault auth backends — TLS certificates

41. Vault auth backends — TLS certificates
    • setup of TLS certificate authentication
    Figure: (1) vault write auth/cert/certs/web certificate=@web-cert.pem … registers the certificate in Vault.

42. Vault auth backends — TLS certificates
    • authenticate with a TLS client certificate
    Figure: (1) the client presents its client certificate; (2) Vault returns a token with its policies.

43. Vault auth backends — external identity providers

44. Vault auth backends — LDAP / Radius / Okta auth
    • $SERVICE is used as an identity provider (LDAP in this example)
    Figure (user, Vault, LDAP): (1) the user sends username / password to Vault; (2) Vault checks username / password against LDAP; (3) LDAP answers with user: kesselborn, groups: admin, employee; (4) Vault maps user and groups to policies and creates a token; (5) the token with its policies is returned to the user.

45. LDAP auth
    $ vault write auth/ldap/config \
        url="ldaps://ldap.example.com" \
        userattr="uid" \
        userdn="ou=People,dc=innoq,dc=com" \
        binddn="cn=vaultuser,dc=example,dc=com" \
        bindpass="3cK{hrh7hi/Hj" \
        groupdn="ou=Group,dc=example,dc=com" \
        starttls=true
    $ vault write auth/ldap/groups/employee policies=employee
    $ vault write auth/ldap/users/kesselborn policies=admin

46. Github auth
    • Github is used as an identity provider
    Figure (user, Vault, Github): (1) the user sends a Github token to Vault; (2) Vault validates the token against Github; (3) Github answers with user: kesselborn, teams: kesselfaktur, innnoq; (4) Vault returns a token with its policies.

47. Vault auth backends — Kubernetes auth

48. Vault auth backends — Kubernetes auth
    Figure (K8s container, Vault, K8s API): (1) the container sends its service account token (read from /var/run/secrets/kubernetes.io/serviceaccount/token) to Vault; (2) Vault authenticates the token against the K8s API; (3) the K8s API answers with service_account_name: app1, service_account_namespace: default; (4) Vault maps them to policies and creates a token; (5) the token with its policies is returned to the container.

49. Vault auth backends — Kubernetes auth
    Figure (Pod with an init container and the app container, Vault, K8s API): (1) the init container sends the K8s token to Vault; (2) Vault authenticates it against the K8s API; (3) success / failure; (4) Vault returns a token with its policies to the init container; (5) the init container hands the token with its policies to the app container.

50. Vault auth backends — Kubernetes auth
    $ vault auth enable kubernetes
    $ vault write auth/kubernetes/config \
        kubernetes_host="https://api.k8s.example.com" \
        kubernetes_ca_cert="@ca.crt"
    $ vault write auth/kubernetes/role/demo \
        bound_service_account_names=vault-auth \
        bound_service_account_namespaces=default \
        policies=default \
        ttl=1h

51. Vault auth backends — GCE auth

52. Vault auth backends — GCE auth
    Figure (GCE instance, metadata server, Vault, Google OAuth2 API): (1) the instance fetches a signed JWT from the metadata server:
      curl -H "Metadata-Flavor: Google" \
        'http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]&format=[FORMAT]'
    (2) the instance sends the signed JWT to Vault; (3) and (4) Vault verifies the JWT signature, using the kid value, against Google's public certificates; (5) Vault maps the instance to policies and creates a token; (6) the token with its policies is returned to the instance.
    JWT metadata:
      {
        "project_id": "…",
        "project_number": …,
        "zone": "…",
        "instance_id": …,
        "instance_name": "…",
        "instance_creation_timestamp": …
      }

53. Vault auth backends — AWS auth

54. Vault auth backends — AWS auth
    • Vault checks that the passed-in data was encrypted with an AWS private key
    • can be limited to instances that have a specific instance role applied
    • can be limited (and usually is) to allow only one authentication per EC2 instance
    • after authentication, roles and policies are mapped as usual

55. Vault auth backends — AWS auth
    Figure (EC2 instance, EC2 metadata service, Vault, EC2 API): (1) the instance fetches its PKCS#7-signed instance identity document:
      curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7
    (2) the instance sends the PKCS#7 document to Vault; (3) and (4) Vault verifies the PKCS#7 signature against the AWS public keys; (5) Vault verifies the instance against the EC2 API; (6) the EC2 API answers with instance_id: i-a832f734, ami_id: ami-f083709d, …; (7) Vault maps the instance to policies and creates a token; (8) optionally, Vault puts the instance on a blacklist to avoid double authentication; (9) the token with its policies is returned to the instance.

56. Vault auth backends — AWS auth
    $ vault write auth/aws/role/dev-role \
        auth_type=ec2 \
        bound_ami_id=ami-fce3c696 \
        policies=prod,dev max_ttl=500h
    $ vault write auth/aws/role/dev-role-iam \
        auth_type=iam \
        bound_iam_instance_profile_arn=… \
        policies=prod,dev max_ttl=500h

57. Vault auth backends — AWS auth
    • alternatively: the IAM auth method
    • the client signs a GetCallerIdentity query using the AWS Signature v4 algorithm and submits four pieces of information to the Vault server, which uses them to recreate the valid signed request
    • https://www.vaultproject.io/docs/auth/aws.html#iam-auth-method

58. Vault auth backends — AppRole

59. Vault auth backends — AppRole
    • a generic approach to authenticate machines or applications
    • an AppRole can be created for a particular machine, a particular user on that machine, or a service spread across machines
    • two values are needed to authenticate:
      • RoleID: static, can live with an app or on a machine
      • SecretID: gets created on the fly before authenticating

60. Vault auth backends — AppRole
    • mainly used for machines or apps to authenticate against Vault
    Figure (some process, App, Vault): (1) some process (puppet, chef, etc.) requests a SecretID from Vault; (2) Vault returns the SecretID; (3) the process hands the SecretID to the app, which already holds the RoleID; (4) the app sends RoleID + SecretID to Vault; (5) Vault returns a token with its policies.

61. Vault auth backends — AppRole
    • mainly used for machines or apps to authenticate against Vault
    Figure (some process, App, Vault): (1) some process (K8s sidecar, chef, etc.) requests a SecretID; (2) Vault returns a wrapped SecretID; (3) the process hands the wrapped SecretID to the app; (4) the app asks Vault to unwrap it; (5) Vault returns the SecretID; (6) the app sends RoleID + SecretID to Vault; (7) Vault returns a token with its policies.
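The two AppRole flows of slides 60 and 61, as an added Python model that is not code from the talk or from Vault: a fake in-memory Vault issues SecretIDs either directly or behind a single-use wrapping token, and the login checks RoleID, SecretID TTL and use count. The point of the wrapped variant is visible in the failure modes: a second unwrap of the same wrapping token is refused, which tells the app that someone else read the SecretID in transit. FakeVault, its methods and all sample values are assumptions for this illustration.

```python
"""Model of the AppRole login flow with a response-wrapped SecretID (slides 60-61).

Added example, not code from the talk or from Vault itself. The FakeVault
class, the denied() helper and the TTL values are hypothetical; the flow
(request SecretID -> wrapped SecretID -> unwrap once -> RoleID + SecretID
-> token with policies) follows the slides.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class AppRole:
    role_id: str
    policies: list[str]
    secret_id_ttl: int        # seconds a SecretID stays valid after creation
    secret_id_num_uses: int   # how many logins one SecretID may perform


@dataclass
class SecretIdState:
    role_name: str
    expires_at: int
    uses_left: int


@dataclass
class FakeVault:
    roles: dict[str, AppRole] = field(default_factory=dict)
    secret_ids: dict[str, SecretIdState] = field(default_factory=dict)
    # wrapping token -> (SecretID, expiry); removed on first unwrap
    wrappers: dict[str, tuple[str, int]] = field(default_factory=dict)
    tokens: dict[str, list[str]] = field(default_factory=dict)   # client token -> policies

    def create_role(self, name: str, policies: list[str],
                    secret_id_ttl: int = 600, secret_id_num_uses: int = 1) -> str:
        """Operator step: define the AppRole; returns the static RoleID the app gets."""
        self.roles[name] = AppRole(secrets.token_hex(16), list(policies),
                                   secret_id_ttl, secret_id_num_uses)
        return self.roles[name].role_id

    def generate_secret_id(self, role_name: str, now: int, wrap_ttl: int | None = None) -> str:
        """Steps 1-2: the provisioning process asks for a SecretID.
        With wrap_ttl set (slide 61), only a single-use wrapping token is returned."""
        role = self.roles[role_name]
        secret_id = secrets.token_hex(16)
        self.secret_ids[secret_id] = SecretIdState(
            role_name, now + role.secret_id_ttl, role.secret_id_num_uses)
        if wrap_ttl is None:
            return secret_id
        wrapping_token = secrets.token_hex(16)
        self.wrappers[wrapping_token] = (secret_id, now + wrap_ttl)
        return wrapping_token

    def unwrap(self, wrapping_token: str, now: int) -> str:
        """Steps 4-5: the app unwraps once; the wrapping token is destroyed on use,
        so a later unwrap failing means the SecretID was already read by someone."""
        entry = self.wrappers.pop(wrapping_token, None)
        if entry is None:
            raise PermissionError("wrapping token unknown or already used")
        secret_id, expires_at = entry
        if now >= expires_at:
            raise PermissionError("wrapping token expired")
        return secret_id

    def login(self, role_id: str, secret_id: str, now: int) -> str:
        """Steps 6-7: RoleID + SecretID are exchanged for a client token with policies."""
        role = next((r for r in self.roles.values() if r.role_id == role_id), None)
        state = self.secret_ids.get(secret_id)
        if role is None or state is None or self.roles[state.role_name] is not role:
            raise PermissionError("invalid RoleID/SecretID pair")
        if now >= state.expires_at or state.uses_left <= 0:
            raise PermissionError("SecretID expired or exhausted")
        state.uses_left -= 1
        token = secrets.token_hex(16)
        self.tokens[token] = list(role.policies)
        return token


def denied(fn, *args, **kwargs) -> bool:
    """True if the call was refused with PermissionError (used to exercise the failure modes)."""
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False
```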

62. Vault auth backends
    Same two-column overview as slide 30.

63. Use whatever auth you want

64. Vault
    Same two-column overview as slide 30, with the PKI entry annotated "PKI -> Kubernetes access".

65. Vault
    Same two-column overview as slide 30.

66. Vault — policies

67. Vault — secret representation
    Figure: the Vault path tree from slide 1 next to the backend overview from slide 30.

68. Vault — secret representation
    Figure: the tree of the slides' backdrop with the leaves this example uses:
    ├── aws
    │   └── creds
    │       ├── admin
    │       └── developer
    ├── database
    │   └── creds
    │       ├── clients-ro
    │       └── clients-rw
    ├── pki
    │   └── issue
    │       └── broker
    ├── secret
    │   └── team
    │       ├── app1
    │       │   └── api-keys
    │       │       ├── google-analytics
    │       │       └── paypal
    │       └── app2
    │           └── foo
    ├── ssh
    │   └── creds
    │       ├── developers
    │       └── admins
    └── transit
        ├── decrypt
        │   └── team-1-key
        └── encrypt
            └── team-1-key

69. Vault — policies
    • applied to "files" or "directories" of the secret tree
    • support filesystem wildcards
    • control what a user can access
    • get assigned after authentication
    • the policies of a token can't be changed

70. Vault — policies: capabilities
    • create (c)
    • read (r)
    • update (u)
    • delete (d)
    • list (l)
    • deny (d)
    • sudo (s)
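How the policy rules of slides 69 and 70 decide a request, as an added Python model that is not code from the talk or from Vault: two constructed policies are evaluated over the leaves of the slide-68 tree using Vault's documented matching rules (an exact path beats wildcard rules, "+" matches one path segment, a trailing "*" matches any suffix, the most specific rule wins, deny overrides everything, and rules for the same path from several policies on one token are merged). The policy contents, SECRET_TREE and the function names are assumptions; the real Vault ACL additionally distinguishes create from update and supports parameter constraints, which this model leaves out.

```python
"""Simplified model of Vault policy evaluation (slides 69 and 70).

Added example, not code from the talk or from Vault itself. POLICIES and
SECRET_TREE are constructed sample data; the matching and priority rules
follow Vault's documentation but omit create-vs-update distinction and
parameter constraints.
"""
from __future__ import annotations

# The leaves of the tree on slide 68, constructed as sample data.
SECRET_TREE = [
    "aws/creds/admin", "aws/creds/developer",
    "database/creds/clients-ro", "database/creds/clients-rw",
    "pki/issue/broker",
    "secret/team/app1/api-keys/google-analytics", "secret/team/app1/api-keys/paypal",
    "secret/team/app2/foo",
    "ssh/creds/developers", "ssh/creds/admins",
    "transit/decrypt/team-1-key", "transit/encrypt/team-1-key",
]

# Constructed policies in the shape of Vault's HCL path blocks, written as dicts.
POLICIES: dict[str, dict[str, set[str]]] = {
    "developer": {
        "secret/team/+/api-keys/*": {"read", "list"},   # '+' = any one app under team/
        "secret/team/app1/api-keys/paypal": {"deny"},  # exact path: deny wins
        "database/creds/clients-ro": {"read"},
        "ssh/creds/developers": {"read"},
    },
    "admin": {
        "secret/*": {"create", "read", "update", "delete", "list"},
        "database/creds/*": {"read"},
        "ssh/creds/admins": {"read"},
        "ssh/creds/developers": {"update"},            # merges with developer's read
    },
}


def merge(policy_names: list[str]) -> dict[str, set[str]]:
    """Merge the rules of every policy attached to one token.
    For the same path pattern, 'deny' in any policy wins; otherwise capabilities are unioned."""
    rules: dict[str, set[str]] = {}
    for name in policy_names:
        for path, caps in POLICIES[name].items():
            if "deny" in caps or "deny" in rules.get(path, set()):
                rules[path] = {"deny"}
            else:
                rules[path] = rules.get(path, set()) | caps
    return rules


def matches(pattern: str, path: str) -> bool:
    """True if `path` is covered by `pattern` ('+' = one segment, trailing '*' = any suffix)."""
    parts = path.split("/")
    if pattern.endswith("*"):
        pat_parts = pattern[:-1].split("/")
        if len(parts) < len(pat_parts):
            return False
        # every pattern segment but the last must match a whole path segment
        if any(pp not in ("+", p) for pp, p in zip(pat_parts[:-1], parts)):
            return False
        # the last pattern segment is a (possibly empty) prefix of its path segment
        last = pat_parts[-1]
        return last == "+" or parts[len(pat_parts) - 1].startswith(last)
    pat_parts = pattern.split("/")
    return len(pat_parts) == len(parts) and all(pp in ("+", p) for pp, p in zip(pat_parts, parts))


def priority(pattern: str) -> tuple:
    """Vault's documented priority order; a larger tuple is a more specific rule:
    later first wildcard, no trailing '*', fewer '+' segments, longer pattern."""
    first_wildcard = min((i for i, c in enumerate(pattern) if c in "+*"), default=len(pattern))
    return (first_wildcard, not pattern.endswith("*"), -pattern.count("+"), len(pattern), pattern)


def allowed(rules: dict[str, set[str]], path: str, capability: str) -> bool:
    """Default deny: only the single most specific matching rule decides."""
    candidates = [p for p in rules if matches(p, path)]
    if not candidates:
        return False
    caps = rules[max(candidates, key=priority)]
    return "deny" not in caps and capability in caps


def readable(policy_names: list[str]) -> list[str]:
    """Which leaves of the slide-68 tree a token with these policies may read."""
    rules = merge(policy_names)
    return [p for p in SECRET_TREE if allowed(rules, p, "read")]
```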
