base64 is not encryption
play

Base64 is not encryption A better story for Kubernetes secrets - PowerPoint PPT Presentation

Jan 14, 2023 •145 likes •594 views

Base64 is not encryption A better story for Kubernetes secrets @sethvargo Developer Relations Engineer What's a secret? Secret (noun) Credentials, configurations, API keys, or other pieces of information needed by an application at build

  1. Base64 is not encryption A better story for Kubernetes secrets

  2. @sethvargo Developer Relations Engineer

  3. What's a secret?

  4. Secret (noun) Credentials, configurations, API keys, or other pieces of information needed by an application at build time or run time

  5. Why protect secrets? • Attractive target for hackers • Often leaked in repos or storage buckets • Frequently includes overly broad permissions

  6. Protecting secrets Audit Encrypt Rotate Isolate Verify and log the use Always encrypt secrets Change a secret Separate where secrets of individual secrets to in transit with TLS and regularly or in case of are used from where a central system at rest suspected compromise secrets are managed

  7. Protecting secrets Audit Encrypt Rotate Isolate Verify and log the use Always encrypt secrets Change a secret Separate where secrets of individual secrets to in transit with TLS and regularly or in case of are used from where a central system at rest suspected compromise secrets are managed

  8. Layers of encryption Application-layer encryption Service-level encryption Filesystem encryption Machine-level encryption

  9. App-layer encryption • Applied at earliest possible step • Provides protection a very granular level • Protects data as it moves through the system

  10. Kubernetes defaults

  11. Insecure by default Secrets are stored in plaintext in etcd. They are base64-encoded, but not encrypted.

  12. Insecure by default * Secrets are stored in plaintext in etcd. They are base64-encoded, but not encrypted. * Many providers alter this default behavior.

  13. == kube-apiserver etcd Master

  14. == kube-apiserver etcd Master

  15. Encraption shodan.io/search?query=etcd

  16. Demo

  17. Envelope encryption

  18. Envelope encryption Data DEK KEK Data encryption key Key encryption key

  19. 01100101 01101110 01100101 01101110 01100101 01101110 01100101 01101110 01100011 01110010 01100011 01110010 01100011 01110010 01100011 01110010 01111001 01110000 01111001 01110000 01111001 01110000 01111001 01110000 01110100 01100101 01110100 01100101 01110100 01100101 01110100 01100101 01100100 00100000 01100100 00100000 01100100 00100000 01100100 00100000 01100100 01100001 01100100 01100101 01100100 01100001 01100100 01100101 01110100 01100001 01101011 00100000 01110100 01100001 01101011 00100000 Encrypted data Encrypted DEK Storage

  20. 01100101 01101110 01100101 01101110 01100011 01110010 01100011 01110010 01111001 01110000 01111001 01110000 01110100 01100101 01110100 01100101 01100100 00100000 01100100 00100000 01100100 01100001 01100100 01100101 01110100 01100001 01101011 00100000 Encrypted data Encrypted DEK

  22. Envelope encryption • Generate unique DEKs for each data entry • Crypto-shred - revoke KEK and data is gone • Easy versioning and rotation

  23. Kubernetes 1.7 Envelope encryption

  24. kind: EncryptionConfiguration apiVersion: apiserver.config.k8s.io/v1 resources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: 9RlIhvmh1e6+Ixv0CjyUkA== - name: key2 secret: u+aswHTypAyoRKH5/P0r5A== - secretbox: keys: - name: key1 secret: 9aHuiH/wrlmWEXZp9br4og==

  25. ./kube-apiserver \ --encryption-provider-config=/etc/encryption-config.yaml \ --other-options...

  26. 01100101 01101110 01100011 01110010 01111001 01110000 01110100 01100101 01100100 00100000 01100100 01100101 01101011 00100000 kube-apiserver etcd Master EncryptionConfiguration

  27. 01100101 01101110 01100011 01110010 01111001 01110000 01110100 01100101 01100100 00100000 01100100 01100101 01101011 00100000 kube-apiserver etcd Master EncryptionConfiguration

  28. 01100101 01101110 01100011 01110010 01111001 01110000 01110100 01100101 01100100 00100000 01100100 01100101 01101011 00100000 kube-apiserver etcd Master EncryptionConfiguration

  29. Drawbacks • Need to generate keys yourself • Key management is your responsibility • Rotation is a manual process (and tedious) • No HSM integration

  30. Drawbacks The underlying encryption keys are still stored in plaintext on the filesystem!

  31. Kubernetes 1.10 KMS encryption providers

  32. kind: EncryptionConfiguration apiVersion: apiserver.config.k8s.io/v1 resources: - resources: - secrets providers: - kms: name: myKmsPlugin endpoint: unix:///tmp/kms-socketfile.sock cachesize: 100

  33. 01100101 01101110 01100011 01110010 01111001 01110000 01110100 01100101 01100100 00100000 01100100 01100101 01101011 00100000 kube-apiserver etcd KMS Master EncryptionConfiguration

  34. 01100101 01101110 01100011 01110010 01111001 01110000 01110100 01100101 01100100 00100000 01100100 01100101 01101011 00100000 kube-apiserver etcd KMS Master EncryptionConfiguration

  35. 01100101 01101110 01100011 01110010 01111001 01110000 01110100 01100101 01100100 00100000 01100100 01100101 01101011 00100000 kube-apiserver etcd KMS Master EncryptionConfiguration

  36. Existing plugins (GitHub) • GoogleCloudPlatform/k8s-cloudkms-plugin • Azure/kubernetes-kms • kubernetes-sigs/aws-encryption-provider • oracle/kubernetes-vault-kms-plugin

  37. GKE Integration (beta) gcloud beta container clusters create my-cluster --database-encryption-key-location us-east1 --database-encryption-key-keyring my-keyring --database-encryption-key my-crypto-key

  38. Initial secret problem? • IAM can solve the "first secret" problem • Delegate PAM to the cloud provider via IAM • Separate concerns: etcd nodes don't need IAM permissions to talk to KMS

  39. Vault

  40. 01100101 01101110 01100011 01110010 01111001 01110000 01110100 01100101 01100100 00100000 01100100 01100101 01101011 00100000 kube-apiserver etcd KMS Master EncryptionConfiguration

  41. Demo

  42. Summary

  43. Summary • Use at least two layers of encryption • Rotate keys regularly • Leverage envelope encryption • Protect K8S secrets using an external KMS

  44. Thanks! @sethvargo Developer Relations Engineer

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware Encryption S Web Encryption S Email Encryption OpenPGP S S/MIME S S Online Social Network Public Key Encryption S Encryption/Decryption

842 views • 26 slides
RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of encryption Wednesday, but none of these is good enough to be used in actual situations. Today well talk about one method, RSA Encryption, which is

1.01k views • 59 slides
Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a way that only authorized parties can read the content of the original message History of encryption dates back to 1900 BC Two types of

533 views • 38 slides
Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure communication. Does not allow modifying encrypted data. Homomorphic Encryption: allows computation on encrypted data, but result remains encrypted Functional

987 views • 61 slides
Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2

Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2

Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2 What is Encryption? Want to prevent someone (an attacker) from accessing private data Permissions arent good enough Root user can

788 views • 20 slides
Functional Encryption for Regular Languages Brent Waters Public Key Encryption

Functional Encryption for Regular Languages Brent Waters Public Key Encryption

Functional Encryption for Regular Languages Brent Waters Public Key Encryption [DH76,M78,RSA78,GM84] Avoid Prior Secret Exchange PubK SK 2 Functional Encryption [SW05] Functionality: f( , ) MSK Authority Key: y 2 {0,1}* y SK CT: x

945 views • 16 slides
Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Defining Encryption (ctd.) Lecture 3 CPA/CCA security Computational Indistinguishability Pseudo-randomness, One-Way Functions Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too strong (though too

1.36k views • 113 slides
Lecture 3 Encryption Suggested readings: Chs 1 & 2 in KPS Ch 1 in Stinson

Lecture 3 Encryption Suggested readings: Chs 1 & 2 in KPS Ch 1 in Stinson

Lecture 3 Encryption Suggested readings: Chs 1 & 2 in KPS Ch 1 in Stinson (recommended) 1 Encryption Principles A cryptosystem has (at least) five ingredients: 1. Plaintext 2. Secret Key 3. Ciphertext 4. Encryption algorithm 5.

657 views • 12 slides
Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption

Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption

Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption Standardization Consortium HomomorphicEncryption.org 0.1 Presenters Roger A. Hallman (SPAWAR Systems Center Pacific; Thayer School of

1.36k views • 91 slides
Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein

Goals of Encryption authenticated encryption sender Daniel J. Bernstein University of Illinois at Chicago & m Technische Universiteit Eindhoven c k More details, credits: competitions.cr.yp.to network

1.33k views • 118 slides
Advanced Encryption Standard Lars R. Knudsen June 2014 L.R. Knudsen Advanced Encryption

Advanced Encryption Standard Lars R. Knudsen June 2014 L.R. Knudsen Advanced Encryption

Advanced Encryption Standard Lars R. Knudsen June 2014 L.R. Knudsen Advanced Encryption Standard AES - Advanced Encryption Standard US governmental encryption standard Open (world) competition announced January 97 Blocks: 128 bits Keys:

403 views • 39 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
Encryption at Scale on AWS Matt Campagna campagna@amazon.com Agenda Describe the AWS Key

Encryption at Scale on AWS Matt Campagna campagna@amazon.com Agenda Describe the AWS Key

Encryption at Scale on AWS Matt Campagna campagna@amazon.com Agenda Describe the AWS Key Management Service Client Side Encryption AWS Encryption SDK Server Side Encryption S3 Object Encryption Amazon Simple Storage Service

387 views • 22 slides
Novel Encryption Method of GPS Information in Image File Using Format-preserving Encryption

Novel Encryption Method of GPS Information in Image File Using Format-preserving Encryption

Novel Encryption Method of GPS Information in Image File Using Format-preserving Encryption Changhyun Lee, Yeonju Choi, Hyeongmin Park, Kangbin Yim, and Sun-Young Lee Soonchunhyang University IMIS 2019 Presenter: Brandon Falk (

645 views • 21 slides
OPES and E2E Encryption Should OPES be compatible with end-to- end encryption? Define

OPES and E2E Encryption Should OPES be compatible with end-to- end encryption? Define

OPES and E2E Encryption Should OPES be compatible with end-to- end encryption? Define compatible Define the trust model Discuss pro and con Decide, spec, implement Goal: combine confidentiality with services, if

470 views • 11 slides
Agenda Process & Schedule Planning Context Concept Plan Campus Circulation

Agenda Process & Schedule Planning Context Concept Plan Campus Circulation

Agenda Process & Schedule Planning Context Concept Plan Campus Circulation Draft Plan & Phasing Discussion Project Schedule 1. Observations 2. Concept Plan Data Gathering August October Focus Groups

319 views • 21 slides
Reviving PLA: A Tennessee Initiative to Increase Adult Student Success and Completion N ORTH C

Reviving PLA: A Tennessee Initiative to Increase Adult Student Success and Completion N ORTH C

Reviving PLA: A Tennessee Initiative to Increase Adult Student Success and Completion N ORTH C ENTRAL P-16 C OUNCIL JULY 20, 2012 Wilson Finch, Tennessee Higher Education Commission What is PLA? Prior Learning Assessment evaluating

149 views • 10 slides
2019 Community Action Project Zoie Chang Sarah Kamakawiwoole David Kim Community Partner:

2019 Community Action Project Zoie Chang Sarah Kamakawiwoole David Kim Community Partner:

2019 Community Action Project Zoie Chang Sarah Kamakawiwoole David Kim Community Partner: The 1882 Foundation 501(c)(3) non-profit organization Promotes the history, awareness, and continuing significance of the Chinese Exclusion

281 views • 13 slides
PLA Annual Conference Maria Navarro Her Majestys Inspector Offender Learning National Lead

PLA Annual Conference Maria Navarro Her Majestys Inspector Offender Learning National Lead

PLA Annual Conference Maria Navarro Her Majestys Inspector Offender Learning National Lead Milton Keynes 3 September 2019 Education inspection framework 2019: inspecting the substance of education Slide 2 Judgement areas: Behaviour and

408 views • 19 slides
LAGOS 2017 Delta-Wye Transformations and the Efficient Reduction of Almost-Planar Graphs Isidoro

LAGOS 2017 Delta-Wye Transformations and the Efficient Reduction of Almost-Planar Graphs Isidoro

Almost-planar graphs Deltawye reduction of almost-planar graph Almost-planar graphs on the projective plane Deltawye reduction with terminals of almost-planar graphs Future Research LAGOS 2017 Delta-Wye Transformations and the Efficient

1.3k views • 45 slides
Open Problems Workshop on Graph Drawing and Graph Algorithms 2013 Department of Computer Science

Open Problems Workshop on Graph Drawing and Graph Algorithms 2013 Department of Computer Science

Open Problems Workshop on Graph Drawing and Graph Algorithms 2013 Department of Computer Science and Engineering Bangladesh University of Engineering and Technology Coin-graph Recognition Q. What are the graphs that come up by touching coins?

103 views • 7 slides
2020/1 I 24 knot Friday Seminar Theory on Folklore ) Ic ( CL ) UCL L ) link E i

2020/1 I 24 knot Friday Seminar Theory on Folklore ) Ic ( CL ) UCL L ) link E i

Unknotting and numbers of spatial embeddings numbers Crossing planar of graph a Akimoto joint Yuta with work University ) Waseda ( Ta ( Waseda University ) Kou ki hiyama 2020/1 I 24 knot Friday Seminar Theory on

504 views • 27 slides
From skein theory to presentation for Thompson group Article in Journal of Algebra September

From skein theory to presentation for Thompson group Article in Journal of Algebra September

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/308109828 From skein theory to presentation for Thompson group Article in Journal of Algebra September 2016 DOI:

409 views • 17 slides

More recommend