Secret Management with Hashicorp's Vault
Daniel Bornkessel (slide deck)

Focus of this talk: what is


  1. Vault secret backends — static secrets
     Path tree shown in the sidebar of every slide (what is mounted in the demo Vault):

       ├── aws
       │   └── creds
       │       ├── admin
       │       └── developer
       ├── database
       │   └── creds
       │       ├── clients
       │       └── contracts
       ├── pki
       │   └── issue
       │       └── example-com
       ├── secret
       │   └── team
       │       ├── app1
       │       │   └── api-keys
       │       │       ├── google-analytics
       │       │       └── paypal
       │       └── app2
       │           └── foo
       ├── ssh
       │   └── creds
       │       ├── erika
       │       └── erna
       └── transit
           ├── decrypt
           │   └── team-1-key
           └── encrypt
               └── team-1-key

     Flow between the app and Vault:
       1. vault write secret/app1/api-key  (value: 1234-foo-bar)
       2. vault read secret/app1/api-key
       3. Vault returns 1234-foo-bar
     Source / Max Mustermann

  2. Vault secret backends — dynamic secrets

  3. Vault secret backends — dynamic secrets: what they are
     • credentials created on the fly (hence "dynamic") for each instance of an app or user that wants a secret
     • usually a short to medium-long TTL
     • fully audited

  4. Vault secret backends — dynamic secrets: how they work (in a nutshell)
     1. provide Vault with credentials for a user that has the right to create users or tokens in the remote system (e.g. a database)
     2. configure Vault with settings on how to create credentials
     3. configure Vault with settings on how to invalidate credentials in the remote system

  5. Vault secret backends — Databases

  6. Vault secret backends — Databases
     • idea: get access to databases
     • Vault is configured with credentials for a database user that has the necessary permissions on the database
     • Vault gets a policy that maps users and roles to users with configured permissions in the database
     • when a user requests credentials, Vault creates a new database user on the fly
     • when configured (usually the case), all created users have a TTL assigned; when the TTL is reached, Vault deletes the user from the database

  7. Vault secret backends — Databases
     Diagram: step 0, the db admin writes the database configuration into Vault.

  8. Vault secret backends — Databases
     Commands the db admin runs (step 0):

       vault secrets enable -path=db database

       vault write db/config/clients \
         plugin_name=mysql-database-plugin \
         connection_url="admin:pw@tcp(db.example.com)/" \
         allowed_roles="clients-ro,clients-rw"

       vault write db/roles/clients-ro \
         db_name=clients \
         creation_statements="\
           CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \
           GRANT SELECT ON clients.* TO '{{name}}'@'%';" \
         default_ttl="1h" \
         max_ttl="240h"

     Note: the engine is mounted at db/, so the role lives at db/roles/clients-ro (the original slide writes database/roles/clients-ro, which would address a different mount; the later read of db/creds/clients-ro only works with the db/ path).


  10. Vault secret backends — Databases
     Flow between the app, Vault and the database:
       1. the app reads db/creds/clients-ro
       2. Vault creates a user in the database (create user …) according to the role
       3. the database answers OK
       4. Vault returns db login / db password to the app
       5. when the TTL configured on the role is reached, Vault deletes the user again (delete user …)
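The database flow of slides 6 to 10, modelled end to end as an added Python example (not code from the talk or from Vault): a fake MySQL stands in for the database, and the VaultDatabaseEngine class with its method names is this example's own, not Vault's API. It renders the clients-ro role from slide 8, keeps the lease within default_ttl and max_ttl, and drops the user once the lease runs out.

```python
import re
import secrets
import time

# Role from slide 8; {{name}} / {{password}} are the placeholders Vault fills in.
# revocation_statements is not on the slide: it stands in for the plugin's
# default "drop the user" behaviour when the lease ends.
CLIENTS_RO_ROLE = {
    "db_name": "clients",
    "creation_statements": (
        "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; "
        "GRANT SELECT ON clients.* TO '{{name}}'@'%';"
    ),
    "revocation_statements": "DROP USER '{{name}}'@'%';",
    "default_ttl": 3600,      # "1h"
    "max_ttl": 240 * 3600,    # "240h"
}


class FakeMySQL:
    """Stand-in for the database Vault was given admin credentials for."""
    def __init__(self):
        self.users = {}  # username -> password

    def execute(self, statement):
        # Only the statement shapes used by the role above are understood.
        m = re.match(r"CREATE USER '([^']+)'@'%' IDENTIFIED BY '([^']+)'", statement)
        if m:
            self.users[m.group(1)] = m.group(2)
            return
        m = re.match(r"DROP USER '([^']+)'@'%'", statement)
        if m:
            self.users.pop(m.group(1), None)
            return
        if statement.startswith("GRANT "):
            return  # privileges are not modelled
        raise ValueError("unsupported statement: " + statement)


class VaultDatabaseEngine:
    """Steps 0, 2 and 5 of slide 10: configured role, user created on read,
    user deleted when the lease expires. Constructed model, not Vault's code."""
    def __init__(self, db, roles, clock=time.time):
        self.db = db
        self.roles = roles
        self.clock = clock   # injectable so expiry can be simulated
        self.leases = {}     # lease_id -> lease record

    def _run(self, template, **values):
        for key, value in values.items():
            template = template.replace("{{" + key + "}}", value)
        for stmt in (s.strip() for s in template.split(";")):
            if stmt:
                self.db.execute(stmt)

    def read_creds(self, role_name):
        """Steps 1-4: reading db/creds/<role> returns fresh, leased credentials."""
        role = self.roles[role_name]
        username = f"v-{role_name}-{secrets.token_hex(4)}"  # unique per request
        password = secrets.token_urlsafe(16)
        self._run(role["creation_statements"], name=username, password=password)
        now = self.clock()
        lease_id = f"db/creds/{role_name}/{secrets.token_hex(8)}"
        self.leases[lease_id] = {
            "user": username, "role": role_name,
            "expires": now + role["default_ttl"],
            "max_expires": now + role["max_ttl"],  # renewals never pass this
        }
        return {"lease_id": lease_id, "username": username,
                "password": password, "lease_duration": role["default_ttl"]}

    def renew(self, lease_id, increment):
        """Extend a lease; the role's max_ttl caps how far it can go."""
        lease = self.leases[lease_id]
        lease["expires"] = min(self.clock() + increment, lease["max_expires"])
        return int(lease["expires"] - self.clock())

    def revoke(self, lease_id):
        """Step 5: drop the database user and forget the lease."""
        lease = self.leases.pop(lease_id)
        self._run(self.roles[lease["role"]]["revocation_statements"], name=lease["user"])

    def expire_leases(self):
        """What Vault's expiration manager does in the background."""
        now = self.clock()
        expired = [lid for lid, lease in self.leases.items() if lease["expires"] <= now]
        for lid in expired:
            self.revoke(lid)
        return expired


def demo():
    """Read creds, let the 1h lease pass, confirm the user is gone from the db."""
    clock = [1_000_000.0]
    db = FakeMySQL()
    vault = VaultDatabaseEngine(db, {"clients-ro": CLIENTS_RO_ROLE}, clock=lambda: clock[0])
    creds = vault.read_creds("clients-ro")
    present_after_read = creds["username"] in db.users
    clock[0] += CLIENTS_RO_ROLE["default_ttl"] + 1
    expired = vault.expire_leases()
    return present_after_read, creds["username"] in db.users, len(expired)
```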

  11. Vault secret backends — Databases
     Available plugins:
     • Cassandra
     • HanaDB
     • MongoDB
     • MSSQL
     • MySQL/MariaDB
     • PostgreSQL
     • Oracle

  12. Vault secret backends — Google Cloud

  13. Vault secret backends — Google Cloud
     • step 0: Vault is configured with a credentials.json
     • define rolesets to generate OAuth2 access tokens (preferred) or service account keys

  14. Vault secret backends — Google Cloud
     Flow:
       0. Vault holds credentials.json
       1. the app reads gcp/token/dev
       2. Vault creates a token / service account via the GCP API according to the configured roleset
       3. GCP returns an OAuth2 token / service account key
       4. Vault hands the OAuth2 token / service account key to the app, with a TTL

  15. Vault secret backends — AWS

  16. Vault secret backends — AWS
     • idea: get access to AWS resources
     • Vault is configured with an AWS user that has the necessary permissions
     • Vault gets a policy that maps users or roles to AWS roles
     • when a user requests credentials, Vault creates STS tokens, assume-role tokens or dynamic IAM users
     • when configured (usually the case), all created secrets have a TTL assigned

  17. Vault secret backends — AWS
     Diagram: step 0, Vault is configured with an aws_access_key and an aws_secret_key.

  18. Vault secret backends — AWS
     Flow:
       0. Vault holds aws_access_key / aws_secret_key
       1. the app reads aws/creds/dev
       2. Vault creates an STS token / IAM user via the AWS API according to the configured role
       3. AWS returns a TTL'ed token / credentials
       4. Vault hands the TTL'ed token / credentials to the app, with a TTL

  19. Vault secret backends — PKI

  20. Vault secret backends — PKI
     • idea: issue client certificates on the fly
     • Vault is configured with a CA certificate and its private key
     • Vault gets a configuration for how certificates of this CA should be issued (TTL, subject, etc.)
     • when a user requests credentials, Vault issues a certificate on the fly
     • when configured (usually the case), all created certificates have a TTL assigned

  21. Vault secret backends — PKI
     Diagram: step 0, ca.cert and ca.key are added to Vault.

  22. Vault secret backends — PKI
     Flow:
       0. ca.cert and ca.key are added to Vault
       1. the app writes to pki/issue/dev
       2. Vault creates a client certificate according to the configured role
       3. Vault returns a TTL'ed client certificate to the app

  23. Vault secret backends — SSH

  24. Vault dynamic secret backends — SSH: one-time SSH passwords
     • idea: get SSH access to machines
     • every host in the system runs a small Vault helper process
     • the user fetches a one-time password from Vault
     • when the user authenticates via SSH, the Vault helper checks whether the one-time password is valid and deletes it

  25. Vault secret backends — SSH
     Flow (host 1.1.2.2):
       1. vault write ssh/creds/dev ip=1.1.2.2
       2. Vault returns username / OTP
       3. ssh username@1.1.2.2
       4. the host validates the OTP against Vault
       5. access is granted
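The OTP flow of slides 24 and 25 as an added Python model (not code from the talk, from Vault or from its SSH helper): VaultSshOtp stands for the ssh/ backend and helper_check for the helper on the host; both names, the role table and the cidr_list binding are this example's assumptions. It shows why the OTP is bound to a host and a user and why it is deleted on first use.

```python
import hashlib
import ipaddress
import secrets
import time


class VaultSshOtp:
    """Issues one-time passwords bound to (username, ip) and lets each be
    verified exactly once. Constructed model of the ssh/ backend, not Vault's code."""

    def __init__(self, roles, otp_ttl=300, clock=time.time):
        self.roles = roles      # role -> {"default_user": ..., "cidr_list": [...]}
        self.otp_ttl = otp_ttl  # seconds an unused OTP stays valid (assumption)
        self.clock = clock
        self.otps = {}          # sha256(otp) -> {"username", "ip", "expires"}

    def write_creds(self, role, ip, username=None):
        """Steps 1-2: writing ssh/creds/<role> ip=<ip> returns username + OTP."""
        cfg = self.roles[role]
        addr = ipaddress.ip_address(ip)
        if not any(addr in ipaddress.ip_network(c) for c in cfg["cidr_list"]):
            raise PermissionError(f"{ip} is outside the CIDRs allowed for role {role}")
        username = username or cfg["default_user"]
        otp = secrets.token_hex(16)
        # only a hash is kept server-side: a copy of this table yields no usable OTP
        self.otps[hashlib.sha256(otp.encode()).hexdigest()] = {
            "username": username, "ip": ip, "expires": self.clock() + self.otp_ttl,
        }
        return {"username": username, "ip": ip, "key": otp}

    def verify(self, otp):
        """Step 4: the helper presents the OTP; Vault answers with the binding and
        deletes the entry, so the same OTP can never be accepted a second time."""
        entry = self.otps.pop(hashlib.sha256(otp.encode()).hexdigest(), None)
        if entry is None or entry["expires"] < self.clock():
            return None
        return {"username": entry["username"], "ip": entry["ip"]}


def helper_check(vault, otp, login_user, host_ip):
    """Steps 4-5 on the host: the OTP must be known to Vault AND bound to this
    host and this login user. One failure path, so nothing leaks about which
    check failed."""
    binding = vault.verify(otp)
    if binding is None:
        return False
    return binding["username"] == login_user and binding["ip"] == host_ip


def demo():
    """Slide 25 on host 1.1.2.2, plus the replay and wrong-host cases the
    binding and the single use are there to stop."""
    roles = {"dev": {"default_user": "erika", "cidr_list": ["1.1.0.0/16"]}}
    vault = VaultSshOtp(roles)
    creds = vault.write_creds("dev", ip="1.1.2.2")                   # steps 1-2
    first = helper_check(vault, creds["key"], "erika", "1.1.2.2")    # steps 3-5
    replay = helper_check(vault, creds["key"], "erika", "1.1.2.2")   # same OTP again
    creds2 = vault.write_creds("dev", ip="1.1.2.2")
    other_host = helper_check(vault, creds2["key"], "erika", "1.1.9.9")
    return first, replay, other_host
```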

  26. Vault dynamic secret backends — SSH: signed SSH certificates
     • idea: get SSH access to machines
     • the user configures Vault's SSH backend with a CA (a private and a public key)
     • the public key is distributed to all hosts in the system
     • the user asks Vault to sign one of their public SSH keys with the configured CA and gets a new, signed public key as the response
     • the user can use this new, signed key to log in to the machines

  27. Vault dynamic secret backends — Transit

  28. Vault dynamic secret backends — Transit
     • idea: encrypt and decrypt data without handling private keys
     • a user creates a new transit path in Vault
     • users can encrypt data by writing the data to this transit path (e.g. transit/encrypt/my-keys/foo)
     • users with sufficient permissions can decrypt data by writing to the respective transit path (e.g. transit/decrypt/my-keys/foo)
     • the private key never leaves Vault
     • the data is not stored in Vault (hence the name "transit")

  29. Vault secret backends — Transit
     Flow:
       1. vault write transit/encrypt/app/app1 with the plaintext foo
       2. Vault returns the ciphertext
       3. vault write transit/decrypt/app/app1 with the ciphertext
       4. Vault returns foo

  30. Vault secret backends
     • AWS
     • Consul
     • Cubbyhole
     • Databases
     • Identity
     • Static secrets (Key/Value)
     • Nomad
     • PKI (Certificates)
     • RabbitMQ
     • SSH
     • TOTP
     • Transit
     (the second column of the slide lists the auth backends: Tokens, LDAP, AWS, Kubernetes, Google Cloud, Username & Password, AppRole, GitHub, MFA, Okta, RADIUS, TLS Certificates)

  31. Vault — auth backends

  32. Vault auth backends
     • Tokens
     • LDAP
     • AWS
     • Kubernetes
     • Google Cloud
     • Username & Password
     • AppRole
     • GitHub
     • MFA
     • Okta
     • RADIUS
     • TLS Certificates

  33. Vault auth backends — tokens

  34. token auth
     • created by Vault
     • the only way to authorize (auth-z) against Vault
     • returned when authenticated (auth-n) successfully
     • comparable to a session id on a website
     • has permissions / policies assigned to it

  35. token auth

       $ vault token create -ttl=5m -policy=admin
       Key                Value
       ---                -----
       token              d9640590-63c8-b3a6-50ac-1403c8180948
       token_accessor     5a362982-f34c-3706-143a-26ada278b6cf
       token_duration     5m
       token_renewable    true
       token_policies     [admin default]

  36. Vault auth backends — userpass

  37. userpass auth
     • statically created by users and stored in Vault

       $ vault auth enable userpass
       $ vault write auth/userpass/users/kesselborn \
           password=foo policies=admin
       $ vault login -method=userpass username=kesselborn
       Key                Value
       ---                -----
       token              d9640590-63c8-b3a6-50ac-1403c8180948
       . . .
       token_duration     5m
       token_policies     [admin default]

  38. Vault auth backends — userpass
     • setup of username / password
       1. vault write auth/userpass/users/foo password=123

  39. Vault auth backends — userpass
     • authenticate with a username & password
       1. the user sends foo / password123 to Vault
       2. Vault returns a token and policies

  40. Vault auth backends — TLS certificates

  41. Vault auth backends — TLS certificates
     • setup of TLS certificate authentication
       1. vault write auth/cert/certs/web \
            certificate=@web-cert.pem \
            …

  42. Vault auth backends — TLS certificates
     • authenticate with a TLS client certificate
       1. the client presents its client certificate to Vault
       2. Vault returns a token and policies

  43. Vault auth backends — external identity providers

  44. Vault auth backends — LDAP / RADIUS / Okta auth
     • $SERVICE is used as an identity provider (LDAP in this example)
     Flow:
       1. the user sends username / password to Vault
       2. Vault sends username / password to LDAP
       3. LDAP answers with user: kesselborn, groups: admin, employee
       4. Vault maps the user and groups to policies
       5. Vault returns a token and policies to the user

  45. LDAP auth

       $ vault write auth/ldap/config \
           url="ldaps://ldap.example.com" \
           userattr="uid" \
           userdn="ou=People,dc=innoq,dc=com" \
           binddn="cn=vaultuser,dc=example,dc=com" \
           bindpass="3cK{hrh7hi/Hj" \
           groupdn="ou=Group,dc=example,dc=com" \
           starttls=true
       $ vault write auth/ldap/groups/employee policies=employee
       $ vault write auth/ldap/users/kesselborn policies=admin

  46. Github auth
     • Github is used as an identity provider
     Flow:
       1. the user sends a Github token to Vault
       2. Vault sends the token to Github
       3. Github answers with user: kesselborn, teams: kesselfaktur, innoq
       4. Vault returns a token and policies to the user

  47. Vault auth backends — Kubernetes auth

  48. Vault auth backends — Kubernetes auth
     Flow:
       1. the K8s container reads its service account token from /var/run/secrets/kubernetes.io/serviceaccount/token
       2. the container authenticates against Vault with the K8s token
       3. Vault checks the token against the K8s API
       4. the K8s API answers with service_account_name: app1, service_account_namespace: default
       5. Vault returns a token and policies to the container

  49. Vault auth backends — Kubernetes auth
     Same flow with an init container in the Pod:
       1. the init container reads the K8s token
       2. the init container authenticates against Vault with it
       3. Vault checks the token against the K8s API (success / failure)
       4. Vault returns a token and policies to the init container
       5. the init container passes the token and policies on to the app container

  50. Vault auth backends — Kubernetes auth

       $ vault auth enable kubernetes
       $ vault write auth/kubernetes/config \
           kubernetes_host="https://api.k8s.example.com" \
           kubernetes_ca_cert=@ca.crt
       $ vault write auth/kubernetes/role/demo \
           bound_service_account_names=vault-auth \
           bound_service_account_namespaces=default \
           policies=default \
           ttl=1h

  51. Vault auth backends — GCE auth

  52. Vault auth backends — GCE auth
     Flow:
       1. the GCE instance requests a signed JWT from the metadata server:
            curl -H "Metadata-Flavor: Google" \
              'http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]&format=[FORMAT]'
          the JWT carries the instance's metadata:
            {
              "project_id": "…",
              "project_number": …,
              "zone": "…",
              "instance_id": …,
              "instance_name": "…",
              "instance_creation_timestamp": …
            }
       2. the instance sends the signed JWT to Vault
       3. Vault fetches Google's public certificates from the OAuth2 API
       4. Vault verifies the JWT signature against them, selecting the certificate by the kid value
       5. Vault returns a token
       6. with the policies mapped to the instance

  53. Vault auth backends — AWS auth

  54. Vault auth backends — AWS auth
     • Vault checks that the passed-in data was encrypted (PKCS#7-signed) with an AWS private key
     • can be limited to instances that have a specific instance role applied
     • can be limited (and usually is) to allow one authentication per EC2 instance only
     • after authentication, roles and policies are mapped as usual

  55. Vault auth backends — AWS auth
     Flow:
       1. the EC2 instance fetches its signed instance identity document from the metadata service:
            curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7
       2. the instance sends the PKCS#7 document to Vault
       3. Vault verifies the PKCS#7 signature against the AWS public keys
       4./5. Vault verifies the instance against the EC2 API
       6. the identity document contains instance_id: i-a832f734, ami_id: ami-f083709d, …
       7. (optionally) Vault puts the instance on a blacklist to avoid double authentication
       8./9. Vault returns a token and policies

  56. Vault auth backends — AWS auth

       $ vault write auth/aws/role/dev-role \
           auth_type=ec2 \
           bound_ami_id=ami-fce3c696 \
           policies=prod,dev max_ttl=500h
       $ vault write auth/aws/role/dev-role-iam \
           auth_type=iam \
           bound_iam_instance_profile_arn=… \
           policies=prod,dev max_ttl=500h

  57. Vault auth backends — AWS auth
     • alternatively: the IAM auth method
     • the client signs a GetCallerIdentity query using the AWS Signature v4 algorithm and submits 4 pieces of information to the Vault server, which recreates the signed request and validates it
     • https://www.vaultproject.io/docs/auth/aws.html#iam-auth-method

  58. Vault auth backends — AppRole

  59. Vault auth backends — AppRole
     • a generic approach to authenticate machines or applications
     • an AppRole can be created for a particular machine, a particular user on that machine, or a service spread across machines
     • for authenticating, two values are needed:
       • RoleID: static, can live with an app or on a machine
       • SecretID: created on the fly before authenticating

  60. Vault auth backends — AppRole
     • mainly used for machines or apps to authenticate against Vault
     Flow:
       1. some process (puppet, chef, etc.) requests a SecretID from Vault
       2. Vault returns the SecretID
       3. the process hands the SecretID to the app (which already holds the RoleID)
       4. the app authenticates against Vault with RoleID + SecretID
       5. Vault returns a token and policies

  61. Vault auth backends — AppRole
     • mainly used for machines or apps to authenticate against Vault
     Flow with a wrapped SecretID:
       1. some process (K8s sidecar, chef, etc.) requests a SecretID from Vault
       2. Vault returns a wrapped SecretID
       3. the process hands the wrapped SecretID to the app (which already holds the RoleID)
       4. the app asks Vault to unwrap it
       5. Vault returns the SecretID
       6. the app authenticates against Vault with RoleID + SecretID
       7. Vault returns a token and policies
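The AppRole handshake of slides 59 to 61, including the wrapped SecretID, as an added Python model (not code from the talk or from Vault): VaultAppRole and its methods are this example's names, response wrapping is simulated with a single-use wrapping-token table, and the TTL and num_uses defaults are assumptions. The point it makes visible is that a wrapped SecretID can be opened only once, so a failed unwrap on the app's side is a signal that someone else opened it on the way.

```python
import secrets
import time


class VaultAppRole:
    """Constructed model of AppRole login plus response wrapping, not Vault's code."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.roles = {}        # role_id -> {"policies", "secret_id_ttl", "secret_id_num_uses"}
        self.secret_ids = {}   # (role_id, secret_id) -> {"uses_left", "expires"}
        self.wrapped = {}      # wrapping token -> {"payload", "expires"}

    def create_role(self, policies, secret_id_ttl=600, secret_id_num_uses=1):
        """The static RoleID that lives with the app or on the machine (slide 59)."""
        role_id = secrets.token_hex(16)
        self.roles[role_id] = {"policies": list(policies),
                               "secret_id_ttl": secret_id_ttl,
                               "secret_id_num_uses": secret_id_num_uses}
        return role_id

    def generate_secret_id(self, role_id, wrap_ttl=None):
        """Steps 1-2: the provisioning process asks for a SecretID. With wrap_ttl
        the SecretID is not returned directly but sealed behind a single-use
        wrapping token, which is what the process hands to the app (step 3)."""
        role = self.roles[role_id]
        secret_id = secrets.token_hex(16)
        self.secret_ids[(role_id, secret_id)] = {
            "uses_left": role["secret_id_num_uses"],
            "expires": self.clock() + role["secret_id_ttl"],
        }
        if wrap_ttl is None:
            return {"secret_id": secret_id}
        token = secrets.token_hex(16)
        self.wrapped[token] = {"payload": {"secret_id": secret_id},
                               "expires": self.clock() + wrap_ttl}
        return {"wrapping_token": token}

    def unwrap(self, wrapping_token):
        """Steps 4-5: one unwrap only. If the app's unwrap fails, the token was
        opened before it arrived, and the app should alert instead of logging in."""
        entry = self.wrapped.pop(wrapping_token, None)
        if entry is None or entry["expires"] < self.clock():
            raise PermissionError("wrapping token unknown, expired or already unwrapped")
        return entry["payload"]

    def login(self, role_id, secret_id):
        """Steps 6-7: RoleID + SecretID -> Vault token carrying the role's policies."""
        entry = self.secret_ids.get((role_id, secret_id))
        if entry is None or entry["expires"] < self.clock():
            self.secret_ids.pop((role_id, secret_id), None)
            raise PermissionError("invalid role_id or secret_id")
        entry["uses_left"] -= 1
        if entry["uses_left"] <= 0:
            del self.secret_ids[(role_id, secret_id)]   # consumed
        policies = ["default"] + self.roles[role_id]["policies"]
        return {"client_token": secrets.token_hex(16), "policies": policies}


def demo():
    """A sidecar hands the app a wrapped SecretID; the app unwraps and logs in;
    afterwards both the wrapping token and the SecretID are dead."""
    vault = VaultAppRole()
    role_id = vault.create_role(policies=["app1"])
    wrapped = vault.generate_secret_id(role_id, wrap_ttl=60)            # steps 1-2
    secret_id = vault.unwrap(wrapped["wrapping_token"])["secret_id"]   # steps 4-5
    token = vault.login(role_id, secret_id)                             # steps 6-7
    try:
        vault.unwrap(wrapped["wrapping_token"])
        second_unwrap = True
    except PermissionError:
        second_unwrap = False
    try:
        vault.login(role_id, secret_id)
        reuse = True
    except PermissionError:
        reuse = False
    return token["policies"], second_unwrap, reuse
```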


  63. Use whatever auth you want

  64. Vault
     Any auth backend can be combined with any secret backend; the slide highlights the pairing PKI -> Kubernetes access.

  65. Vault (overview of secret backends and auth backends, same lists as on slide 62)

  66. Vault — policies

  67. Vault — secret representation
      ├── aws
      │   └── creds
      │       ├── admin
      │       └── developer
      ├── database
      │   └── creds
      │       ├── clients
      │       └── contracts
      ├── pki
      │   └── issue
      │       └── example-com
      ├── secret
      │   └── team
      │       ├── app1
      │       │   └── api-keys
      │       │       ├── google-analytics
      │       │       └── paypal
      │       └── app2
      │           └── foo
      ├── ssh
      │   └── creds
      │       ├── erika
      │       └── erna
      └── transit
          ├── decrypt
          │   └── team-1-key
          └── encrypt
              └── team-1-key

  68. Vault — secret representation (second example tree)
      ├── aws
      │   └── creds
      │       ├── admin
      │       └── developer
      ├── database
      │   └── creds
      │       ├── clients-ro
      │       └── clients-rw
      ├── pki
      │   └── issue
      │       └── broker
      ├── secret
      │   └── team
      │       ├── app1
      │       │   └── api-keys
      │       │       ├── google-analytics
      │       │       └── paypal
      │       └── app2
      │           └── foo
      ├── ssh
      │   └── creds
      │       ├── developers
      │       └── admins
      └── transit
          ├── decrypt
          │   └── team-1-key
          └── encrypt
              └── team-1-key

  69. Vault — policies
      • applied to "files" or "directories"
      • support filesystem wildcards
      • control what a user can access
      • get assigned after authentication
      • policies of a token can't be changed

  70. Vault — policies
      Capabilities:
      • create  c
      • read    r
      • update  u
      • delete  d
      • list    l
      • deny    d
      • sudo    s
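How the rules on the last two slides combine against the paths from the secret-representation tree, as an added example that is not part of the talk: the two policy texts are constructed in Vault's HCL policy syntax, and the evaluator below is a small model of Vault's ACL behaviour (written for this page, not Vault's code): a trailing `*` is the filesystem-style wildcard, an exact path beats a glob, the longest matching glob wins over shorter ones, `deny` wins over everything once policies are merged, and a root-protected path such as `sys/audit` additionally needs `sudo`. The `ROOT_PROTECTED` set is an assumption kept to that one path for illustration; the parser handles only the `path "..." { capabilities = [...] }` subset of HCL.

```python
import re

# Assumption for this example: paths that need "sudo" on top of the normal
# capability (Vault's root-protected paths; sys/audit is one of them).
ROOT_PROTECTED = {"sys/audit"}

_RULE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)

# Constructed policies using the paths of the secret-representation tree.
APP1_POLICY = """
# app1 may read its own static secrets and fetch read-only DB credentials
path "secret/team/app1/*" {
  capabilities = ["read", "list"]
}
path "database/creds/clients-ro" {
  capabilities = ["read"]
}
# the paypal key is off-limits even though the glob above matches it
path "secret/team/app1/api-keys/paypal" {
  capabilities = ["deny"]
}
"""

ADMIN_POLICY = """
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
# reading the audit configuration is root-protected: read alone is not enough
path "sys/audit" {
  capabilities = ["read", "sudo"]
}
"""


def parse_policy(text):
    """Parse the path/capabilities subset of Vault's HCL policy format.

    Returns {path: set(capabilities)}; '#' comment lines are dropped first.
    """
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    rules = {}
    for path, caps in _RULE.findall(body):
        capset = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
        rules.setdefault(path, set()).update(capset)
    return rules


def merge_policies(*policies):
    """Union the rules of every policy on a token; deny on a path beats the rest."""
    merged = {}
    for rules in policies:
        for path, caps in rules.items():
            merged.setdefault(path, set()).update(caps)
    for path, caps in merged.items():
        if "deny" in caps:
            merged[path] = {"deny"}
    return merged


def _matching_rule(merged, path):
    """Exact match first; otherwise the longest matching trailing-'*' glob."""
    if path in merged:
        return merged[path]
    best = None
    for rule_path, caps in merged.items():
        if rule_path.endswith("*") and path.startswith(rule_path[:-1]):
            if best is None or len(rule_path) > len(best[0]):
                best = (rule_path, caps)
    return best[1] if best else None


def allowed(merged, path, capability):
    """Would a token with these merged rules get `capability` on `path`?"""
    caps = _matching_rule(merged, path)
    if caps is None or "deny" in caps:
        return False
    if path in ROOT_PROTECTED and "sudo" not in caps:
        return False
    return capability in caps


def check(policy_texts, path, capability):
    """Convenience wrapper: policy texts -> decision for one request."""
    return allowed(merge_policies(*(parse_policy(t) for t in policy_texts)),
                   path, capability)


if __name__ == "__main__":
    for path, cap in [("secret/team/app1/api-keys/google-analytics", "read"),
                      ("secret/team/app1/api-keys/paypal", "read"),
                      ("database/creds/clients-rw", "read")]:
        print(f"app1 {cap:6} {path}: {check([APP1_POLICY], path, cap)}")
```

Two consequences worth checking in your own policies: merging a permissive and a restrictive policy on one token does not widen the more specific rule (the `secret/team/app1/*` rule still decides for app1's keys even when `secret/*` grants update), and the exact-path `deny` on the paypal key keeps winning after the admin policy is added.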
