Confidential Customized for Lorem Ipsum LLC Version 1.0

Introducing VaultRamit Surana

Confidential Customized for Lorem Ipsum LLC Version 1.0

TOC

Overview

What is Vault ?

Vault Architecture

Features

Shamir’s Algorithm

Read/Write Token

Read/Write Multiple Values

Audit

Database

Read Format

Vault UI

Commands

Installation

SSH

Policies

Telemetry

Transit

Vault Plugins

GitHub AuthenticationAWS AuthenticationPolicies

Storage Backend

Community

Use Cases

Overview

● Vault is a simple tool to secure your

credentials and authentication of your

organization.

● It encrypts & provides access to any

secrets.

● Every secret is associated with a lease.

Clients have to renew there secret

within the lease period.

● A secret is anything that you want to

tightly control access to, such as API

keys, passwords, certificates, and more.

Features

1Secure Secret Storage: Arbitrary key/value secrets can be stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access your secrets. Vault can write to disk, Consul, and more.

2Dynamic Secrets: Vault can generate secrets on-demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up.

3Leasing and Renewal: All secrets in Vault have a lease associated with it. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in renew APIs.

4Revocation: Vault has built-in support for secret revocation. Vault can revoke not only single secrets, but a tree of secrets, for example all secrets read by a specific user, or all secrets of a particular type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.

Commands

● Init - Initialize a new Vault server

● List - List data or secrets in Vault

● Token-create - Create a new auth token

● Mounts - Lists mounted backends in

Vault

● Policies - List the policies on the server

● Audit - Lists enabled audit backends in

Vault

● Ssh - Initiate an SSH session

● Rotate - Rotates the backend encryption

key used to persist data

● Unseal/Seal - Unseal/Seal Vault

Vault Use Case Overview

Vault

3 rd Party Tools

SSH

Transit (Encrypt/Decrypt)

Database

Audit

Vault

How does Vault Work ?

High level Architecture Overview

Installation01

Download the binary from https://www.vaultproject.io/downloads.html

$ chmod +x vault

$ mv vault /usr/local/bin/

$ export VAULT_ADDR='http://127.0.0.1:8200'

Shamir's Algorithm02

● Basically a form of secret sharing, where a secret is divided into parts, giving each participant its own unique part, where some of the parts or all of them are needed in order to reconstruct the secret.

● Threshold is the number of shares you need at least in order to recover your secret. You can restore your secret only when you have more than or equal to the number of threshold.

● For Vault, we split the master key into 5 shares, any 3 of which are required to reconstruct the master key.

● For more Info: http://kimh.github.io/blog/en/security/protect-your-secret-key-with-shamirs-secret-sharing/

Read/Write Token03

● Store Ramit’s (User) password under the secret/ path prefix:$ vault write secret/ramit value=SuperSecretPassword

● Store Ramit (User) password and token:$ vault write secret/ramit value=SuperSecretPassword token=ABCDE12345

● Read Secret for a particular user:$ vault read secret/ramit

● Read in a particular Format:$ vault read --format=json secret/ramit (Other format include table, yaml )

Read/Write Multiple Token & Password04

● Store multiple values for any user :$ vault write secret/password @data.json

● Read Secret of a user:$ vault read secret/ramit

{ "key": "ramit5", "value":

"itsasecret1"}

Vault Audit Mechanism05

● Enable vault audit backend :$ vault audit-enable file file_path=/var/log/vault_audit.log

● Check the log file using:$ sudo cat /var/log/vault_audit.log

● Any number of file audit logs can be created by enabling it with different paths.$ vault audit-enable -path="vault_audit_1" file file_path=/home/user/vault_audit.log

● Can also enable syslog, socket:$ vault audit-enable syslog $ vault audit-enable socket$ vault audit-enable socket address="127.0.0.1:9090" socket_type="tcp"

Vault SSH OTP Usage06

● Mount ssh at vault$ vault mount ssh

● Writing SSH Role with User and CIDR$ vault write ssh/roles/otp_key_role \

key_type=otp \

default_user=ramit \

cidr_list=192.168.x.x/y

● Configure sshd daemon in pam:$ vim /etc/pam.d/sshd

Vault SSH OTP Usage● Edit/Add the following lines in the sshd file:

@include common-authauth requisite pam_exec.so quiet expose_authtok log=/tmp/vault-ssh.log /opt/vault-ssh-helper -config=/opt/config.hcl -devauth optional pam_unix.so not_set_pass use_first_pass nodelay

● Edit the /etc/ssh/sshd_configPasswordAuthentication noChallengeResponseAuthentication yesUsePAM yes

● Restart ssh:$ sudo service sshd restart

● List all users in secret:$ vault write ssh/creds/otp_key_role ip=192.168.x.x

● Try using ssh with otp from the above output:$ ssh root@192.168.x.x

Vault Database07

● Mount MySQL Database$ vault mount database

● Vault Configure MySQL Connection:$ vault write database/config/mysql plugin_name=mysql-database-plugin connection_url="root:<YOUR-DB_PASSWORD>@tcp(127.0.0.1:3306)/" allowed_roles="readonly"

● Add a role:$ vault write database/roles/readonly db_name=mysql creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" default_ttl="1h" max_ttl="24h"

● Read the credentials:$ vault read mysql1/creds/readonly

● mysql-database-plugin

● mysql-aurora-database-plugin

● mysql-rds-database-plugin

● Mysql-legacy-database-plugin

● postgresql-database-plugin

● Mssql-database-plugin

● cassandra-database-plugin

● vault-plugin-database-oracle

● hana-database-plugin

● mongodb-database-plugin

Vault Database

● From the output of above command use $ sudo mysql -u v-root-readonly-wp7sx5737ry347x1 -pA1a-7q7yxq902pwtyu89

Vault General Token Operations● Generate Token :

$ vault read --format=json secret/ramit

● Vault authentication :$ vault auth 8c40f7b4-1380-8a33-8d3b-5efd2dddfe51

● Vault Revoke Token:$ vault token-revoke fe118e23-6957-fb4e-ab36-8655244851e5

Vault UI

● Built using external projects by community.

● Can be run via Docker

● $ sudo docker run -d -p 8000:8000 --name

vault-ui djenriquez/vault-ui

Vault Policies● List all Policies on Vault:

$ vault policies

● Implementing (acl.hcl) on vault with name (secret):$ vault policy-write secret acl.hcl

● Validate if the policy is implemented:$ vault policies

● Delete Policy in Vault:$ vault policy-delete secret

● Create a new token using a particular policy:$ vault token-create -policy="secret"

path "sys" {

policy = "deny"

}

path "secret" {

policy = "write"

}

path "secret/foo" {

policy = "read"

}

Vault Telemetry● Vault agent collects various runtime metrics about the performance of different libraries and subsystems.● These metrics are aggregated on a 10 second interval and are retained for 1 minute.

● You'll note that log entries are prefixed with the metric type as follows:

[C] is a counter[G] is a gauge[S] is a summary

● For more info:https://www.vaultproject.io/docs/internals/telemetry.html

Vault Transit Encryption● It handles cryptographic functions on data in-transit.

● It encrypts data from applications while still storing that encrypted data in some primary data store.

● It can also sign and verify data; generate hashes and HMACs of data; and act as a source of random bytes.● It allows the same key to be used for multiple purposes by deriving a new key based on a user-supplied context value.

● Mount transit on vault$ vault mount transit

● create a named encryption key:$ vault write -f transit/keys/foo

● Validate the key foo$ vault read transit/keys/foo

Vault Transit Decryption● Encrypt the Plain text (the quick brown fox)

echo -n "the quick brown fox" | base64 | vault write transit/encrypt/foo plaintext=-

● Decrypt $ vault write transit/decrypt/foo ciphertext=vault:v1:czEwyKqGZY/limnuzDCUUe5AK0tbBObWqeZgFqxCuIqq7A84SeiOq3sKD0Y/KUvv

$ echo "dGhlIHF1aWNrIGJyb3duIGZveAo=" | base64 -d

Vault Token

● Generate Token :$ vault token-create

● Vault authentication :$ vault auth 8c40f7b4-1380-8a33-8d3b-5efd2dddfe51

● Vault Revoke Token:$ vault token-revoke fe118e23-6957-fb4e-ab36-8655244851e5

Vault PluginsVault supports a number of different plugins such as:

● AppRole● AWS● Google Cloud● Kubernetes● GitHub● LDAP● MFA● Okta● RADIUS● TLS Certificates● Tokens● Username & Password

Github Authentication● Vault Auth Github:

$ vault auth-enable github

● Vault Write GitHub Creds:$ vault write auth/github/config

● With Root $ vault write auth/github/map/teams/default value=root

● Revoke all Github tokens$ vault token-revoke -mode=path auth/github

● Disable Github from Vault$ vault auth-disable github

AWS Dynamic Authentication● Mount AWS on Vault:

$ vault mount aws

● Vault Write AWS Creds:$ vault write aws/config/root access_key=ABCDE1234 secret_key=1234ABCDE

● Using IAM Policy in JSON Format with policy.json :$ vault write aws/roles/deploy policy=@policy.json

● Read & Verify the AWS tokens in Vault:$ vault read aws/creds/deploy

● Using lease_id parameter from above in the above command:$ vault revoke <aws/creds/deploy/185e6910-6d36-e9a6-33b3-fc8dcfd4e97c> → lease_id

{

"Version": "2012-10-17",

"Statement": [

{

"Sid":

"Stmt1426528957000",

"Effect": "Allow",

"Action": [

"ec2:*"

],

"Resource": [

"*"

]

}

]

}

Vault Storage Backend

● Store multiple values for any user :$ vim vault-config.hcl

listener "tcp" { address = "0.0.0.0:8200" tls_cert_file="/home/ec2-user/.ssl/server.crt" tls_key_file="/home/ec2-user/.ssl/server.key"}

backend "s3" {

bucket = "foldername"

access_key = "xxxxxxxxxxxx"

secret_key= "xxxxxxxxxxxxxxxxxxxxxxx"

}

disable_mlock=true

● Read in a particular Format:$ vault read --format=json secret/ramit (Other format include table, yaml )

● S3

● Dynamodb

● Azure

● CouchDB

● CockroachDB

● Etcd

● Google Cloud

● Swift

● Zookeeper

● MySQL

● FileSystem

● PostgreSQL

Supervisor

● Store multiple values for any user :$ sudo apt-get install supervisor -y

● Config File:$ vim /etc/supervisor/supervisord.conf

● List all users in secret:$ [unix_http_server]` - change `;chmod=0700` to `chmod=0766`

- add the following: `[program:vault]`

- add `command=vault server -config=/home/ec2-user/vault-config.hcl`

- add `user=ec2-user`

- add `environment=AWS_ACCESS_KEY_ID="<your_access_key_id",AWS_SECRET_ACCESS_KEY="<your_secret_access_key>"`

● Read in a particular Format:$ sudo touch /etc/init.d/supervisord

Supervisor

● Add Supervisord with chkconfig :$ sudo chkconfig --add supervisord

● Start Service with supervisord

sudo service supervisord start

supervisorctl

● For more info on supervisor:

https://serversforhackers.com/c/monitoring-processes-with-supervisord

Generating a Self Signed Certificate

● SSL uses asymmetric cryptography, commonly referred to as public key cryptography (PKI).● With public key cryptography, two keys are created, one public, one private. Anything encrypted with

either key can only be decrypted with its corresponding key. ● Thus if a message or data stream were encrypted with the server's private key, it can be decrypted only

using its corresponding public key, ensuring that the data only could have come from the server.● Openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request). It

can also be used to generate self-signed certificates which can be used for testing purposes or internal usage.

● Make a Directory

$ mkdir .ssl && cd .ssl

● Generate a private key with a password, 1024 bit encrypted

$ openssl genrsa -des3 -out server.key 1024

● Generate a CSR (Certificate Signing Request)

$ openssl req -new -key server.key -out server.csr

Generating a Self Signed Certificate (Part 2)

● Remove passphrase from the key

$ cp server.key server.key.org

$ openssl rsa -in server.key.org -out server.key

● Generate a Self-Signed Certificate

$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

● Remove Old directory

$ rm server.key.org && cd

Community Facts

Find more at https://github.com/hashicorp/vault/

Contributors

384+Commits

6K+Releases

46

Thank you :)