HashiCorp Vault - Managing secrets
0. On Secrets
Protecting secrets
a) Audit - Verify and log the use of individual secrets to a central system
b) Encrypt - Always encrypt secrets in transit with TLS and at rest
c) Rotate - change a secret regularly or in case of suspected compromise
d) Isolate - Separate where secrets are used from where secrets are managed
1. Vault Overview:
-manages (generates, stores, revokes) static and dynamic secrets
-provides data encryption service
-auditing
-pluggable storage and secret backend architecture
-declarative authorization framework
-full HTTP API
-bunch of useful tools bound together with a unified access mechanism
-single service/API to secure, manage, design requirements/policy, and audit
2. Installation
wget https://releases.hashicorp.com/vault/1.2.3/<package_name>
unzip -d /bin <package_name>
vault
vault -autocomplete-install
exec $SHELL
a) Starting Vault Server
"Dev" Mode
-the "dev" server is a built-in, pre-configured server
-useful for local development, testing and exploration
-not very secure
-everything is stored in-memory
-vault is automatically unsealed
-can optionally set the initial root token
3. Secrets:
-password
-token (OAuth)
-API Keys
-Symmetric Keys
-PKI Certificates
-Time-based tokens
4. Vault commands:
vault server -dev # Starting vault in development mode
vault status
vault write secret/cookie recipe=sugar
vault kv put secret/cookie recipe=sugar
vault kv get secret/cookie
vault kv get -format json secret/cookie
-time-to-live (TTL) value
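As an added example (not from the notes, and not HashiCorp's code), the `vault kv put` / `vault kv get` commands above expressed against Vault's HTTP API with only the Python standard library. It assumes VAULT_ADDR and VAULT_TOKEN come from the environment as the CLI does, and that the `secret/` mount is KV version 2 (what `vault server -dev` mounts), so `vault kv put secret/cookie` becomes a POST to `/v1/secret/data/cookie`. The request builders and the response parser are pure functions, so the mapping can be checked without a running server; the sample read response is constructed.

```python
# Added example, not from the notes: `vault kv put` / `vault kv get`
# expressed against Vault's HTTP API (KV v2) with the standard library.
import json
import os
import urllib.request


def vault_request(method, addr, api_path, token, payload=None):
    """Build one authenticated request. Vault expects the token in the
    X-Vault-Token header and JSON bodies for writes."""
    url = f"{addr.rstrip('/')}/v1/{api_path.lstrip('/')}"
    headers = {"X-Vault-Token": token}
    body = None
    if payload is not None:
        headers["Content-Type"] = "application/json"
        body = json.dumps(payload).encode()
    return urllib.request.Request(url, data=body, headers=headers, method=method)


def kv_put_request(addr, token, mount, path, data):
    """`vault kv put <mount>/<path> k=v`: KV v2 nests the values under "data"
    and the CLI inserts the `data/` path segment for you."""
    return vault_request("POST", addr, f"{mount}/data/{path}", token, {"data": data})


def kv_get_request(addr, token, mount, path):
    """`vault kv get <mount>/<path>`."""
    return vault_request("GET", addr, f"{mount}/data/{path}", token)


def parse_kv_get(response_text):
    """Pull the key/value pairs and the version out of a KV v2 read.
    `vault kv get -format json` prints the same shape, so this parses both."""
    doc = json.loads(response_text)
    payload = doc["data"]
    return payload["data"], payload["metadata"]["version"]


def kv_put(mount, path, data):
    """Live write, using the same environment variables as the CLI."""
    req = kv_put_request(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"],
                         mount, path, data)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def kv_get(mount, path):
    """Live read; returns (values, version)."""
    req = kv_get_request(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"],
                         mount, path)
    with urllib.request.urlopen(req) as resp:
        return parse_kv_get(resp.read())


# Constructed sample of a KV v2 read response, in the shape Vault returns.
SAMPLE_READ = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "data": {
        "data": {"recipe": "sugar"},
        "metadata": {"created_time": "2019-10-01T00:00:00Z", "version": 1},
    },
})


def demo():
    """Offline walk-through of the request/response mapping."""
    req = kv_put_request("http://127.0.0.1:8200", "s.example", "secret",
                         "cookie", {"recipe": "sugar"})
    values, version = parse_kv_get(SAMPLE_READ)
    return req.full_url, req.get_method(), values, version


if __name__ == "__main__":
    print(demo())
```

The live helpers `kv_put` and `kv_get` only touch the network when called; everything else, including `demo()`, runs offline.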
5. Secure Introduction
-the process of getting that first token to a client
6. SI Suggestions - Bare Metal
a) trusted ssh
-have a service connect to machines after deployment and provide a token/creds
b) Existing TLS setup
-use cert auth backend
c) CM tool
-part of the CM tool run can be to generate a token/creds and provide it
d) Use ramdisk or TPM
-have a process periodically refresh it (perhaps Consul-Template)
-bake an AppRole role-ID as part of the install image, store a Secret-ID
e) Auth backend
-AppRole
-Certificates
-Userpass
-Straight-up Tokens
f) think about reboot survivability; make token/creds deployment part of the post-reboot flow
SI Suggestions - VM -> similar to bare metal
SI Suggestions - Containers
a) Leverage your orchestrator
-Nomad: built-in support, verified against job submission user's access
-Mesos: vault-gatekeeper-mesos
-Kubernetes: various third party options - working on more
-Cloud Foundry: Vault Service Broker
SI Suggestions - AWS (any others)
a) Use AWS as a trusted third party
-AWS auth backend
*Can use EC2 instance metadata or IAM credentials (EC2, ECS, Lambda, users)
*very granular scoping for EC2 machines
b) Non-AWS
-Nothing yet, but we want to support other cloud providers, and they want to support us
SI Suggestions
a) For long running services, often best combination of options:
-periodic tokens (no EOL if constantly refreshed)
*token lifetime scoped in step with application lifetime
-full failure
*do not restart your app or reboot your VM; destroy infra and let it be recreated
** often easier to inject creds/token into the creation / post-creation step than handle the reboot scenario
b) talk to us
-the mailing list is a good place to get input from other customers - talk to SEs, we can help provide ideas and guidance
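The secure-introduction flow sketched above (AppRole role-ID baked into the install image, secret-ID delivered separately, then a periodic token kept alive by renewal) as an added example in Python; this is not the notes' or HashiCorp's code. It assumes the AppRole auth method is enabled at its default path `auth/approle`, the role-ID and secret-ID file paths are hypothetical placeholders, and renewing at two thirds of the returned TTL is this example's own choice rather than a Vault rule. The login response used for the offline check is constructed.

```python
# Added example, not from the notes: AppRole login plus the renewal
# schedule for a periodic token, using only the standard library.
import json
import urllib.request

APPROLE_LOGIN = "auth/approle/login"      # default AppRole mount path (assumption)
TOKEN_RENEW_SELF = "auth/token/renew-self"


def approle_login_request(addr, role_id, secret_id):
    """POST role_id + secret_id to the AppRole login endpoint; login is
    unauthenticated, the two halves of the credential are the proof."""
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    return urllib.request.Request(
        f"{addr.rstrip('/')}/v1/{APPROLE_LOGIN}", data=body,
        headers={"Content-Type": "application/json"}, method="POST")


def renew_self_request(addr, token):
    """Renew the token we already hold; needs only the token itself."""
    return urllib.request.Request(
        f"{addr.rstrip('/')}/v1/{TOKEN_RENEW_SELF}", data=b"{}",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST")


def parse_auth(response_text):
    """Login and renew-self both return an "auth" block carrying the token,
    its TTL in seconds and whether it may be renewed."""
    auth = json.loads(response_text)["auth"]
    return {
        "token": auth["client_token"],
        "ttl": int(auth["lease_duration"]),
        "renewable": bool(auth.get("renewable", False)),
        "policies": list(auth.get("token_policies", [])),
    }


def renewal_delay(auth, fraction=2 / 3):
    """Seconds to wait before the next renew-self call. A periodic token has
    no end of life as long as it keeps being renewed inside its TTL, so renew
    well before expiry. None means the token cannot be renewed and the client
    must log in again (the "full failure" path from the notes)."""
    if not auth["renewable"] or auth["ttl"] <= 0:
        return None
    return max(1, int(auth["ttl"] * fraction))


def read_credential(path):
    """Read one credential from a file (role-ID from the install image,
    secret-ID from a ramdisk); strip the newline editors leave behind."""
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read().strip()


def login_and_schedule(addr, role_id_path, secret_id_path):
    """Live flow: authenticate and return the token info plus renewal delay.
    The file paths are hypothetical placeholders chosen by the caller."""
    req = approle_login_request(addr, read_credential(role_id_path),
                                read_credential(secret_id_path))
    with urllib.request.urlopen(req) as resp:
        auth = parse_auth(resp.read())
    return auth, renewal_delay(auth)


# Constructed sample login response in Vault's response shape.
SAMPLE_LOGIN = json.dumps({
    "auth": {
        "client_token": "s.constructedExampleToken",
        "accessor": "constructed",
        "token_policies": ["default", "app"],
        "lease_duration": 3600,
        "renewable": True,
    }
})

if __name__ == "__main__":
    auth = parse_auth(SAMPLE_LOGIN)
    print(auth["policies"], "renew in", renewal_delay(auth), "seconds")
```

A long-running service would loop on `renew_self_request` at the returned delay and fall back to a fresh login (or, per the notes, let the infrastructure be recreated) when `renewal_delay` returns None.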
PKI/X.509
-vault is a very flexible certificate authority
-API driven, making it easy to get certs to your hosts
-roles are extremely granular
-multiple mounts can be used:
*root
*intermediate 1
*intermediate 2
-switch between intermediates to handle key rolling requirements
a) PKI Role Options
-Allowed domains
*bare (foo.com), subdomain (X.foo.com), glob (ftp*.foo.com)
-SANs
*DNS, IP, Email address
-key Usage Control
-Extended Key Usages
*Client Auth, Server Auth, Code Signing, Email
-CSR Signing or Key Generation
*RSA, ECDSA
-Static OU/Organization Values
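As an added example (not from the notes and not Vault's own code), a simplified model of how the allowed-domain role options above (bare, subdomain, glob) decide whether a requested name may be issued, so the effect of each flag can be checked before a role goes live. The option names follow Vault's PKI role parameters (`allowed_domains`, `allow_bare_domains`, `allow_subdomains`, `allow_glob_domains`); the matching rules are this example's reading of them, globbing uses Python's fnmatch, and the two roles are constructed.

```python
# Added example, not from the notes: a simplified model of PKI role
# allowed-domain matching (bare / subdomain / glob).
import fnmatch


def _normalize(name):
    """DNS names are case-insensitive; drop a trailing dot too."""
    return name.strip().lower().rstrip(".")


def name_allowed(name, role):
    """Return True if `name` is permitted by the role's domain settings.
    `role` is a dict using Vault's parameter names (assumption: the rules
    below are this example's reading of them, not Vault's implementation)."""
    name = _normalize(name)
    if not name:
        return False
    for domain in role.get("allowed_domains", []):
        domain = _normalize(domain)
        if "*" in domain:
            # Glob entries only ever match as globs, and only when enabled.
            if role.get("allow_glob_domains") and fnmatch.fnmatchcase(name, domain):
                return True
            continue
        if role.get("allow_bare_domains") and name == domain:
            return True
        # Subdomain check requires the dot, so "evil-foo.com" is not a
        # subdomain of "foo.com" and "foo.com.evil.org" is not either.
        if role.get("allow_subdomains") and name.endswith("." + domain):
            return True
    return False


def rejected_names(names, role):
    """Which of a CSR's requested names (CN plus DNS SANs) the role refuses."""
    return [n for n in names if not name_allowed(n, role)]


# Constructed roles mirroring the three allowed-domain styles in the notes.
WEB_ROLE = {
    "allowed_domains": ["foo.com"],
    "allow_bare_domains": True,
    "allow_subdomains": True,
    "allow_glob_domains": False,
}
FTP_ROLE = {
    "allowed_domains": ["ftp*.foo.com"],
    "allow_bare_domains": False,
    "allow_subdomains": False,
    "allow_glob_domains": True,
}

if __name__ == "__main__":
    for n in ["foo.com", "x.foo.com", "evil-foo.com", "foo.com.evil.org", "ftp1.foo.com"]:
        print(f"{n:18} web={name_allowed(n, WEB_ROLE)!s:5} ftp={name_allowed(n, FTP_ROLE)}")
```

The two look-alike names (`evil-foo.com`, `foo.com.evil.org`) are the cases worth keeping in any such check: a suffix match without the dot, or a prefix match, would let a role scoped to `foo.com` sign names outside it.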
7. What is "Secrets Sprawl"?
8. How does Vault address secrets sprawl?
9. how does Vault work?
10. How do you implement Vault organizationally?
11. Vault 1.3 Updates
a) Active Directory
-Allow Vault to manage check in/check out rotation for Active Directory credentials.
b) Entropy Augmentation
-Allow Vault Enterprise to sample entropy from external cryptographic modules.
c) KMIP with 1.3
d) Kubernetes Sidecar
-Inject application pods with Vault tokens via a mutating webhook service
e) Vault Debug
-a new CLI command to gather health metrics of Vault nodes