Secret Management With Hashicorps Vault


Secret Management with Hashicorp's Vault
Daniel Bornkessel


Focus of this talk
- what is secret management
- why do you need it
- what is Vault and how can it help you with secret management
- some Vault internals
Source / Max Mustermann

Goal of this talk
- think about best practices with secrets that your company could improve on
- go and play with Vault

Why focus on Vault
- unmatched (afaik) feature set
- not vendor or framework specific
- open source (mostly: some enterprise features are closed source)

Other solutions*
- Keywhiz from Square: not as many features, no dynamic secrets, HSM in open source version
- Cloud Foundry CredHub: tailored and specific to Cloud Foundry
- AWS Secrets Manager: AWS specific, promising, dynamic'esque secrets for certain AWS services, automatic rotation (for supported services; extendable via Lambda functions)
- self made: a lot of complexity and work

* I have not personally used those solutions

Secret Management

Secrets
- sensitive data ≠ secrets
- but: all secrets are sensitive data
- tokens, passwords, certificates, API keys, etc.

Secret Management
- part of your security concept
- one focus: internal threats like rogue employees
- unauthorized access to secrets
- long living secrets
- audit log: who requested credentials for which system at what point of time
- high automation for changing / revoking / rolling secrets
- high entropy passwords

todo: extreme example


Secret Management: current situation
- best practices are widely known
- is usually seen as (very) important
- implementation is hard
- solutions are rare
- apps and frameworks not ready for modern secret management
- high automation still an exception (as opposed to external threat mitigation measures)
- often neglected in favour of business critical features

Question
Who here has production credentials on their laptop at this very moment (e.g. AWS credentials file, DB credentials, passwordless ssh private keys to access machines or git repos, API keys, etc.)?
Who thinks this is a good idea?

Why am I talking about secret management

About me
Daniel Bornkessel / @kesselborn
- Senior Consultant at INNOQ (part time)
- Focus on DevOps & Continuous Delivery
INNOQ: consulting, reviews and development

Typical project
- Monolith → Micro Services / Self Contained Systems
- Language: set (mostly Java)
- Framework: set (often Spring Boot)
- Data center: set (mostly AWS or on premise)
- Container Management: set (mostly Kubernetes)
- CI: set (whatever they used before; for god's sake: use Gitlab)
- Logging / Monitoring: set (ELK & Prometheus)
- Secret Management: sure ... eh ... wat?

Typical project: Secret Management
- we pass secrets in via env vars
- we read the values from Kubernetes secrets
- we have role based access control all figured out
- changing and updating passwords is a manual process for now
- yeah: audit log is something we are looking into
- no, we can not confidently say who has the password for DB xy
- no, we do not change all passwords if an employee leaves the company
- revoking credentials is not something we currently support

Introducing Vault

Vault — executive summary
"A Tool for Managing Secrets"
- not comparable to password managers like 1Password, LastPass, etc. Vault is designed for the system side of things — password managers "just" encrypt your static secrets and provide a nice way to use them
- secures, stores and tightly controls tokens, passwords, certificates, API keys and other secrets
- handles leasing, key revocation, key rolling, auditing
- provides an API for all operations
- is not meant as a service or token provider which gets embedded in your request / response cycle

Vault
Auth backends (auth-n / auth-z): Tokens, LDAP, AWS, Kubernetes, Google Cloud, Username & Password, AppRole, GitHub, MFA, Okta, RADIUS, TLS Certificates
Secret backends: AWS, Consul, Cubbyhole, Databases, Identity, Static secrets (Key / Value), Nomad, PKI (Certificates), RabbitMQ, SSH, TOTP, Transit

[Diagram: example Vault path tree: aws/creds/{admin,developer}, database/creds/{clients,contracts}, pki/issue/example-com, secret/team/app1/api-keys/{google-analytics,paypal}, secret/team/app2/foo, ssh/creds/{erika,erna}, transit/{encrypt,decrypt}/team-1-key]

Vault — secret backends

Vault secret backends — static secrets
1. vault write secret/app1/api-key value=1234foobar
2. vault read secret/app1/api-key
3. app1 receives 1234foobar

Vault secret backends — dynamic secrets

What they are
- on-the-fly created credentials (hence dynamic) for each instance of an app / user who wants a secret
- usually short to medium long ttl
- fully audited

How they work (in a nutshell)
1. provide Vault credentials for a user that has rights to create users or tokens in a remote system (e.g. db)
2. configure Vault with settings on how to create credentials
3. configure Vault with settings on how to invalidate credentials in the remote system

Vault secret backends — Databases

Idea: get access to databases
- Vault gets configured with credentials for a database user that has the necessary permissions on the database
- Vault gets a policy that maps users and roles to users with configured permissions in the database
- when a user requests credentials, Vault creates a new database user on the fly
- when configured (usually the case), all created users have a ttl assigned; when the ttl is reached, Vault deletes the user from the database

Step 0: the db admin configures the connection and the role

  vault secrets enable -path db database

  vault write db/config/clients \
    plugin_name=mysql-database-plugin \
    connection_url="admin:pw@tcp(db.example.com)/" \
    allowed_roles="clients-ro,clients-rw"

  vault write db/roles/clients-ro \
    db_name=clients \
    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; \
      GRANT SELECT ON clients.* TO '{{name}}'@'%';" \
    default_ttl="1h" \
    max_ttl="240h"

Flow
1. App reads db/creds/clients-ro (a configured role)
2. Vault creates a database user with a ttl
3. the database answers OK
4. Vault returns db login / db password to the App
5. when the ttl is reached, Vault deletes the user from the database

Available plugins: Cassandra, HanaDB, MongoDB, MSSQL, MySQL/MariaDB, PostgreSQL, Oracle
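The mechanics described above for dynamic secrets in general and for the database backend in particular (a privileged connection, a role with templated creation statements and TTLs, a user created per request and dropped when the lease runs out) can be followed end to end in the following simulation. It is an added example written for this page, not Vault's code and not the speaker's: FakeDatabase stands in for the MySQL server, DynamicDbBackend for the database secrets engine, and all class and method names are assumptions. The role mirrors the clients-ro role configured in the slide, including the {{name}} and {{password}} placeholders and the 1h / 240h TTLs.

```python
# Simulation of Vault's dynamic database secrets, written for this page.
# FakeDatabase and DynamicDbBackend are constructed for the example and are not
# Vault's own code; every class and method name here is an assumption.
import secrets
import string


class FakeDatabase:
    """Stand-in for the remote database that Vault reaches with its admin user."""

    def __init__(self):
        self.users = {}  # username -> {"password": str, "grants": [str]}

    def execute(self, statement):
        stmt = statement.strip().rstrip(";")        # only the shapes the role below uses
        if stmt.startswith("CREATE USER"):          # CREATE USER 'n'@'%' IDENTIFIED BY 'p'
            parts = stmt.split("'")
            self.users[parts[1]] = {"password": parts[5], "grants": []}
        elif stmt.startswith("GRANT"):              # GRANT SELECT ON clients.* TO 'n'@'%'
            grant, _, target = stmt.partition(" TO ")
            self.users[target.split("'")[1]]["grants"].append(grant[len("GRANT "):])
        elif stmt.startswith("DROP USER"):          # DROP USER 'n'@'%'
            self.users.pop(stmt.split("'")[1], None)
        else:
            raise ValueError("unsupported statement: " + statement)

    def login(self, username, password):
        return username in self.users and self.users[username]["password"] == password


class DynamicDbBackend:
    """Models the database secrets engine mounted at db/, with an injectable clock."""

    def __init__(self, now):
        self.now = now
        self.connections = {}  # db_name -> FakeDatabase  (db/config/<name>)
        self.roles = {}        # role name -> {"db_name", "creation_statements", "default_ttl", "max_ttl"}
        self.leases = {}       # lease_id -> {"role", "username", "expires_at", "max_expires_at"}
        self.audit = []        # (time, requester, path, username created)

    def read_creds(self, role_name, requester):
        """db/creds/<role>: create a fresh user on the fly and return it with a lease."""
        role = self.roles[role_name]
        username = "v-%s-%s" % (role_name, secrets.token_hex(4))
        password = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(32))
        for stmt in role["creation_statements"].split(";"):
            if stmt.strip():   # {{name}} / {{password}} are rendered per request
                self.connections[role["db_name"]].execute(
                    stmt.replace("{{name}}", username).replace("{{password}}", password))
        t, lease_id = self.now(), "db/creds/%s/%s" % (role_name, secrets.token_hex(6))
        self.leases[lease_id] = {"role": role_name, "username": username,
                                 "expires_at": t + role["default_ttl"],
                                 "max_expires_at": t + role["max_ttl"]}
        self.audit.append((t, requester, "db/creds/" + role_name, username))
        return {"username": username, "password": password,
                "lease_id": lease_id, "lease_duration": role["default_ttl"]}

    def renew(self, lease_id, increment):
        """Extend the lease, capped at max_ttl; returns the seconds actually granted."""
        lease = self.leases[lease_id]
        lease["expires_at"] = min(self.now() + increment, lease["max_expires_at"])
        return lease["expires_at"] - self.now()

    def revoke(self, lease_id):
        """The configured invalidation step in the remote system: drop the user."""
        lease = self.leases.pop(lease_id)
        self.connections[self.roles[lease["role"]]["db_name"]].execute(
            "DROP USER '%s'@'%%'" % lease["username"])

    def tidy(self):
        """Step 5 of the flow: revoke every lease whose ttl has run out."""
        for lease_id in [i for i, l in self.leases.items() if l["expires_at"] <= self.now()]:
            self.revoke(lease_id)


def run_demo():
    """Walk the flow from the slides against a fake clock and report what was observed."""
    clock = {"t": 0}
    backend = DynamicDbBackend(now=lambda: clock["t"])
    db = FakeDatabase()
    backend.connections["clients"] = db                  # vault write db/config/clients ...
    backend.roles["clients-ro"] = {                      # vault write db/roles/clients-ro ...
        "db_name": "clients",
        "creation_statements": "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; "
                               "GRANT SELECT ON clients.* TO '{{name}}'@'%';",
        "default_ttl": 3600, "max_ttl": 240 * 3600}
    creds = backend.read_creds("clients-ro", requester="app1")      # steps 1 to 4
    login_ok = db.login(creds["username"], creds["password"])
    grants = list(db.users[creds["username"]]["grants"])
    clock["t"] = 3000
    granted = backend.renew(creds["lease_id"], 1000 * 3600)        # asks for far more than max_ttl
    clock["t"] = 241 * 3600
    backend.tidy()                                                  # step 5: ttl reached
    return {"login_ok": login_ok, "grants": grants, "renew_granted": granted,
            "login_after_expiry": db.login(creds["username"], creds["password"]),
            "audit_entries": len(backend.audit)}
```

The renewal call shows why max_ttl matters: a client may keep renewing a lease, but the engine caps the expiry at the hard maximum, so a leaked credential dies at the latest after 240h even if its owner never revokes it. The audit list records who requested which role and which database user that produced, which is exactly the "who requested credentials for which system at what point of time" question from the earlier slide.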

Vault secret backends — Google Cloud

Step 0: configure Vault with credentials.json or a service account; define rolesets to generate oauth2 access tokens (preferred) or service accounts

Flow
1. App requests an oauth2 token / service account key from a roleset
2. Vault creates the token / service account via the GCP API
3. Vault returns the oauth2 token / service account key with a ttl to the App

Vault secret backends — AWS

Idea: get access to AWS resources
- Vault gets configured with an AWS user that has the necessary permissions
- Vault gets a policy that maps users or roles to AWS roles
- when a user requests credentials, Vault creates STS tokens, assume-role tokens or dynamic IAM users
- when configured (usually the case), all created secrets have a ttl assigned

Step 0: configure Vault with an aws access key / aws secret key

Flow
1. App reads aws/creds/dev (a configured role)
2. Vault creates an STS token / IAM user via the AWS API
3. AWS returns the TTL'ed token / credentials to Vault
4. Vault returns the TTL'ed token / credentials to the App

Vault secret backends — PKI

Idea: issue client certificates on the fly
- Vault gets configured with a CA certificate and a private key
- Vault gets a configuration about how certificates for this CA should be issued (ttl, subject, etc.)
- when a user requests credentials, Vault issues a certificate on the fly
- when configured (usually the case), all created certificates have a ttl assigned

Step 0: add ca.cert & ca.key

Flow
1. App writes pki/issue/dev (a configured role)
2. Vault creates a client certificate
3. Vault returns the TTL'ed client certificate to the App

Vault secret backends — SSH

One-Time SSH Passwords
Idea: get ssh access to machines
- every host in the system has a small Vault-helper process running
- user fetches a one time password from Vault
- when authenticating via ssh, the Vault-helper checks whether the one time password is valid and deletes it

Flow
1. vault write ssh/creds/dev ip=1.1.2.2
2. Vault returns username / otp
3. ssh username@1.1.2.2
4. Host 1.1.2.2 validates the otp with Vault
5. Vault grants access

Signed SSH Certificates
Idea: get ssh access to machines
- user configures Vault-ssh with a CA, a private and a public key
- the public key gets distributed to all system hosts
- the user asks Vault to sign one of his public ssh keys with the provided CA and gets a new, signed public key as a response
- the user can use this new, signed key to login to machines
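The one-time-password flow above (issue an OTP bound to a host IP, present it over ssh, let the host's helper verify it with Vault, after which it is gone) as an added simulation written for this page, not Vault's own code: SshOtpBackend stands in for the ssh secrets engine, HostHelper for the helper process on each host, and the role dev, the user deploy, the CIDR and the 1.1.2.x hosts are constructed values (the slide's own host is 1.1.2.2). The simulation shows the properties that make the OTP safe to hand out: it works exactly once, only on the host it was requested for, and cannot be requested for a host outside the role's allowed range.

```python
# Simulation of Vault's SSH one-time-password flow, written for this page.
# SshOtpBackend plays Vault (ssh/creds/<role> issues an OTP bound to a host IP,
# ssh/verify consumes it) and HostHelper plays the helper process on every host.
# Both are constructed for the example, not Vault's own code; names are assumptions.
import ipaddress
import secrets


class SshOtpBackend:
    def __init__(self):
        self.roles = {}   # role -> {"default_user": str, "cidr_list": str}
        self.otps = {}    # otp -> {"ip": str, "username": str}; an entry is deleted once used
        self.audit = []   # every issue and every verify attempt, successful or not

    def write_role(self, name, default_user, cidr_list):
        self.roles[name] = {"default_user": default_user, "cidr_list": cidr_list}

    def read_creds(self, role, ip, requester):
        """ssh/creds/<role> ip=<ip>: mint a single-use password for exactly that host."""
        r = self.roles[role]
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(r["cidr_list"]):
            raise PermissionError("%s is outside the cidr_list of role %s" % (ip, role))
        otp = secrets.token_urlsafe(24)
        self.otps[otp] = {"ip": ip, "username": r["default_user"]}
        self.audit.append(("issue", requester, role, ip))
        return {"username": r["default_user"], "ip": ip, "key": otp}

    def verify(self, otp, host_ip):
        """ssh/verify: accept the OTP once, and only from the host it was issued for."""
        entry = self.otps.get(otp)
        ok = entry is not None and entry["ip"] == host_ip
        self.audit.append(("verify", host_ip, ok))
        if not ok:
            return None   # in this stand-in only a successful verify consumes the OTP
        del self.otps[otp]   # consumed: a replay of the same password fails from now on
        return entry["username"]


class HostHelper:
    """Runs on the target host; sshd hands it the password the client typed."""

    def __init__(self, vault, host_ip):
        self.vault, self.host_ip = vault, host_ip

    def authenticate(self, username, password):
        return self.vault.verify(password, self.host_ip) == username


def run_demo():
    vault = SshOtpBackend()
    vault.write_role("dev", default_user="deploy", cidr_list="1.1.2.0/24")
    host = HostHelper(vault, "1.1.2.2")
    other_host = HostHelper(vault, "1.1.2.3")
    creds = vault.read_creds("dev", ip="1.1.2.2", requester="erika")          # steps 1 and 2
    result = {
        "first_login": host.authenticate(creds["username"], creds["key"]),    # steps 3 to 5
        "replay": host.authenticate(creds["username"], creds["key"]),         # same OTP again
    }
    creds2 = vault.read_creds("dev", ip="1.1.2.2", requester="erika")
    result["wrong_host"] = other_host.authenticate(creds2["username"], creds2["key"])
    result["still_valid_on_right_host"] = host.authenticate(creds2["username"], creds2["key"])
    try:
        vault.read_creds("dev", ip="10.0.0.5", requester="erika")             # outside cidr_list
        result["outside_cidr_refused"] = False
    except PermissionError:
        result["outside_cidr_refused"] = True
    result["otps_left"] = len(vault.otps)
    return result
```

Every verify attempt, including the failed replay and the attempt from the wrong host, lands in the audit list, which is what lets an operator notice a password being reused or misdirected.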

Vault secret backends — Transit

Idea: de- and encrypt data without handling private keys
- User creates a new transit path in Vault
- Users can encrypt data by writing the data to this transit path (e.g. transit/encrypt/my-keys/foo)
- Users with sufficient permissions can decrypt data by writing to the respective transit path (e.g. transit/decrypt/my-keys/foo)
- the private key never leaves Vault
- the data is not stored on Vault (hence the name transit)

Flow
1. App: vault write transit/encrypt/app/app1 plaintext=<base64 of "foo">
2. Vault returns the ciphertext
3. App: vault write transit/decrypt/app/app1 ciphertext=<ciphertext>
4. Vault returns "foo"
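What an application actually sends to the transit engine, as an added example written for this page rather than code from the talk: TransitClient performs the two requests from the flow above (POST transit/encrypt/<key> with base64 plaintext, POST transit/decrypt/<key> with the returned vault:v<N>:... ciphertext). VaultHttpBackend sends them to a real server through the HTTP API using VAULT_ADDR and VAULT_TOKEN; TransitStandIn is an offline stand-in so the example runs without a Vault and models the points from the slide: the key never leaves the engine, no data is stored, decrypt is only possible for a token whose policy allows that path, and rotating the key produces versioned ciphertexts while old ciphertexts still decrypt. The stand-in's internal cipher is an HMAC-SHA256 keystream with an HMAC tag, chosen only to avoid third-party libraries; it is not Vault's AES-256-GCM. The class names, the token-to-paths policy dictionary and the key name app1 are assumptions of the example.

```python
# Application-side use of Vault's transit engine, written for this page.
# TransitClient issues the two calls an app makes; VaultHttpBackend sends them to a
# real Vault over the HTTP API; TransitStandIn is an offline stand-in constructed for
# this example. Its cipher (HMAC-SHA256 keystream + HMAC tag) exists only so the code
# runs without third-party libraries and is not Vault's AES-256-GCM. Names are assumptions.
import base64, hashlib, hmac, json, os, secrets
import urllib.request


class VaultHttpBackend:
    def __init__(self, addr=None, token=None):
        self.addr = (addr or os.environ["VAULT_ADDR"]).rstrip("/")
        self.token = token or os.environ["VAULT_TOKEN"]

    def write(self, path, data):
        req = urllib.request.Request(
            self.addr + "/v1/" + path, method="POST", data=json.dumps(data).encode(),
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)["data"]


class TransitStandIn:
    """Keys never leave this object, nothing is stored, ciphertexts carry a key version."""

    def __init__(self, policies):
        self.policies = policies  # token -> set of paths it may write (Vault: ACL policies)
        self.keys = {}            # key name -> list of key versions, index 0 is v1

    def create_key(self, name):
        self.keys[name] = [secrets.token_bytes(32)]

    def rotate(self, name):
        self.keys[name].append(secrets.token_bytes(32))

    def session(self, token):
        """Bind a token so the result offers the same write(path, data) interface as HTTP."""
        engine = self

        class Session:
            def write(self, path, data):
                return engine.handle(token, path, data)
        return Session()

    def _keystream(self, key, nonce, n):
        blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(n // 32 + 1)]
        return b"".join(blocks)[:n]

    def handle(self, token, path, data):
        if path not in self.policies.get(token, set()):
            raise PermissionError("permission denied on " + path)
        _, op, name = path.split("/", 2)
        if op == "encrypt":
            version, key = len(self.keys[name]), self.keys[name][-1]   # newest version
            pt, nonce = base64.b64decode(data["plaintext"]), secrets.token_bytes(12)
            ct = bytes(a ^ b for a, b in zip(pt, self._keystream(key, nonce, len(pt))))
            tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
            return {"ciphertext": "vault:v%d:%s" % (version, base64.b64encode(nonce + ct + tag).decode())}
        if op == "decrypt":
            prefix, ver, body = data["ciphertext"].split(":")
            key = self.keys[name][int(ver[1:]) - 1]                    # old versions still decrypt
            raw = base64.b64decode(body)
            nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
            expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
            if prefix != "vault" or not hmac.compare_digest(tag, expected):
                raise ValueError("invalid ciphertext")
            pt = bytes(a ^ b for a, b in zip(ct, self._keystream(key, nonce, len(ct))))
            return {"plaintext": base64.b64encode(pt).decode()}
        raise ValueError("unsupported operation " + op)


class TransitClient:
    def __init__(self, backend, mount="transit"):
        self.backend, self.mount = backend, mount

    def encrypt(self, key_name, plaintext):
        resp = self.backend.write("%s/encrypt/%s" % (self.mount, key_name),
                                  {"plaintext": base64.b64encode(plaintext).decode()})
        return resp["ciphertext"]

    def decrypt(self, key_name, ciphertext):
        resp = self.backend.write("%s/decrypt/%s" % (self.mount, key_name), {"ciphertext": ciphertext})
        return base64.b64decode(resp["plaintext"])


def run_demo():
    engine = TransitStandIn(policies={
        "app1-token": {"transit/encrypt/app1"},                          # encrypt-only policy
        "team-token": {"transit/encrypt/app1", "transit/decrypt/app1"},  # may also decrypt
    })
    engine.create_key("app1")
    app, team = TransitClient(engine.session("app1-token")), TransitClient(engine.session("team-token"))
    ct1 = app.encrypt("app1", b"foo")
    try:
        app.decrypt("app1", ct1)
        app_denied = False
    except PermissionError:
        app_denied = True
    engine.rotate("app1")                 # equivalent of: vault write -f transit/keys/app1/rotate
    ct2 = app.encrypt("app1", b"foo")
    return {"ct1_version": ct1.split(":")[1], "ct2_version": ct2.split(":")[1],
            "app_denied": app_denied, "old_still_decrypts": team.decrypt("app1", ct1),
            "new_decrypts": team.decrypt("app1", ct2), "ciphertexts_differ": ct1 != ct2}
```

Two design points carry over to a real deployment: the application only ever holds ciphertext and a token whose policy covers the encrypt path, so a compromised application node cannot read the data it wrote, and the version prefix on every ciphertext is what allows keys to be rotated without re-encrypting the data first.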

Vault — auth backends
Tokens, LDAP, AWS, Kubernetes, Google Cloud, Username & Password, AppRole, GitHub, MFA, Okta, RADIUS, TLS Certificates

