Introducing Vault
-
Upload
ramit-surana -
Category
Software
-
view
64 -
download
1
Transcript of Introducing Vault
Confidential Customized for Lorem Ipsum LLC Version 1.0
Introducing VaultRamit Surana
Confidential Customized for Lorem Ipsum LLC Version 1.0
TOC
Overview
What is Vault ?
Vault Architecture
Features
Shamir’s Algorithm
Read/Write Token
Read/Write Multiple Values
Audit
Database
Read Format
Vault UI
Commands
Installation
SSH
Policies
Telemetry
Transit
Vault Plugins
GitHub AuthenticationAWS AuthenticationPolicies
Storage Backend
Community
Use Cases
Overview
● Vault is a simple tool to secure your
credentials and authentication of your
organization.
● It encrypts & provides access to any
secrets.
● Every secret is associated with a lease.
Clients have to renew there secret
within the lease period.
● A secret is anything that you want to
tightly control access to, such as API
keys, passwords, certificates, and more.
Features
1Secure Secret Storage: Arbitrary key/value secrets can be stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access your secrets. Vault can write to disk, Consul, and more.
2Dynamic Secrets: Vault can generate secrets on-demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up.
3Leasing and Renewal: All secrets in Vault have a lease associated with it. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in renew APIs.
4Revocation: Vault has built-in support for secret revocation. Vault can revoke not only single secrets, but a tree of secrets, for example all secrets read by a specific user, or all secrets of a particular type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.
Commands
● Init - Initialize a new Vault server
● List - List data or secrets in Vault
● Token-create - Create a new auth token
● Mounts - Lists mounted backends in
Vault
● Policies - List the policies on the server
● Audit - Lists enabled audit backends in
Vault
● Ssh - Initiate an SSH session
● Rotate - Rotates the backend encryption
key used to persist data
● Unseal/Seal - Unseal/Seal Vault
Vault Use Case Overview
Vault
3 rd Party Tools
SSH
Transit (Encrypt/Decrypt)
Database
Audit
Vault
How does Vault Work ?
High level Architecture Overview
Installation01
Download the binary from https://www.vaultproject.io/downloads.html
$ chmod +x vault
$ mv vault /usr/local/bin/
$ export VAULT_ADDR='http://127.0.0.1:8200'
Shamir's Algorithm02
● Basically a form of secret sharing, where a secret is divided into parts, giving each participant its own unique part, where some of the parts or all of them are needed in order to reconstruct the secret.
● Threshold is the number of shares you need at least in order to recover your secret. You can restore your secret only when you have more than or equal to the number of threshold.
● For Vault, we split the master key into 5 shares, any 3 of which are required to reconstruct the master key.
● For more Info: http://kimh.github.io/blog/en/security/protect-your-secret-key-with-shamirs-secret-sharing/
Read/Write Token03
● Store Ramit’s (User) password under the secret/ path prefix:$ vault write secret/ramit value=SuperSecretPassword
● Store Ramit (User) password and token:$ vault write secret/ramit value=SuperSecretPassword token=ABCDE12345
● Read Secret for a particular user:$ vault read secret/ramit
● Read in a particular Format:$ vault read --format=json secret/ramit (Other format include table, yaml )
Read/Write Multiple Token & Password04
● Store multiple values for any user :$ vault write secret/password @data.json
● Read Secret of a user:$ vault read secret/ramit
{ "key": "ramit5", "value":
"itsasecret1"}
Vault Audit Mechanism05
● Enable vault audit backend :$ vault audit-enable file file_path=/var/log/vault_audit.log
● Check the log file using:$ sudo cat /var/log/vault_audit.log
● Any number of file audit logs can be created by enabling it with different paths.$ vault audit-enable -path="vault_audit_1" file file_path=/home/user/vault_audit.log
● Can also enable syslog, socket:$ vault audit-enable syslog $ vault audit-enable socket$ vault audit-enable socket address="127.0.0.1:9090" socket_type="tcp"
Vault SSH OTP Usage06
● Mount ssh at vault$ vault mount ssh
● Writing SSH Role with User and CIDR$ vault write ssh/roles/otp_key_role \
key_type=otp \
default_user=ramit \
cidr_list=192.168.x.x/y
● Configure sshd daemon in pam:$ vim /etc/pam.d/sshd
Vault SSH OTP Usage● Edit/Add the following lines in the sshd file:
@include common-authauth requisite pam_exec.so quiet expose_authtok log=/tmp/vault-ssh.log /opt/vault-ssh-helper -config=/opt/config.hcl -devauth optional pam_unix.so not_set_pass use_first_pass nodelay
● Edit the /etc/ssh/sshd_configPasswordAuthentication noChallengeResponseAuthentication yesUsePAM yes
● Restart ssh:$ sudo service sshd restart
● List all users in secret:$ vault write ssh/creds/otp_key_role ip=192.168.x.x
● Try using ssh with otp from the above output:$ ssh [email protected]
Vault Database07
● Mount MySQL Database$ vault mount database
● Vault Configure MySQL Connection:$ vault write database/config/mysql plugin_name=mysql-database-plugin connection_url="root:<YOUR-DB_PASSWORD>@tcp(127.0.0.1:3306)/" allowed_roles="readonly"
● Add a role:$ vault write database/roles/readonly db_name=mysql creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" default_ttl="1h" max_ttl="24h"
● Read the credentials:$ vault read mysql1/creds/readonly
● mysql-database-plugin
● mysql-aurora-database-plugin
● mysql-rds-database-plugin
● Mysql-legacy-database-plugin
● postgresql-database-plugin
● Mssql-database-plugin
● cassandra-database-plugin
● vault-plugin-database-oracle
● hana-database-plugin
● mongodb-database-plugin
Vault Database
● From the output of above command use $ sudo mysql -u v-root-readonly-wp7sx5737ry347x1 -pA1a-7q7yxq902pwtyu89
Vault General Token Operations● Generate Token :
$ vault read --format=json secret/ramit
● Vault authentication :$ vault auth 8c40f7b4-1380-8a33-8d3b-5efd2dddfe51
● Vault Revoke Token:$ vault token-revoke fe118e23-6957-fb4e-ab36-8655244851e5
Vault UI
● Built using external projects by community.
● Can be run via Docker
● $ sudo docker run -d -p 8000:8000 --name
vault-ui djenriquez/vault-ui
Vault Policies● List all Policies on Vault:
$ vault policies
● Implementing (acl.hcl) on vault with name (secret):$ vault policy-write secret acl.hcl
● Validate if the policy is implemented:$ vault policies
● Delete Policy in Vault:$ vault policy-delete secret
● Create a new token using a particular policy:$ vault token-create -policy="secret"
path "sys" {
policy = "deny"
}
path "secret" {
policy = "write"
}
path "secret/foo" {
policy = "read"
}
Vault Telemetry● Vault agent collects various runtime metrics about the performance of different libraries and subsystems.● These metrics are aggregated on a 10 second interval and are retained for 1 minute.
● You'll note that log entries are prefixed with the metric type as follows:
[C] is a counter[G] is a gauge[S] is a summary
● For more info:https://www.vaultproject.io/docs/internals/telemetry.html
Vault Transit Encryption● It handles cryptographic functions on data in-transit.
● It encrypts data from applications while still storing that encrypted data in some primary data store.
● It can also sign and verify data; generate hashes and HMACs of data; and act as a source of random bytes.● It allows the same key to be used for multiple purposes by deriving a new key based on a user-supplied context value.
● Mount transit on vault$ vault mount transit
● create a named encryption key:$ vault write -f transit/keys/foo
● Validate the key foo$ vault read transit/keys/foo
Vault Transit Decryption● Encrypt the Plain text (the quick brown fox)
echo -n "the quick brown fox" | base64 | vault write transit/encrypt/foo plaintext=-
● Decrypt $ vault write transit/decrypt/foo ciphertext=vault:v1:czEwyKqGZY/limnuzDCUUe5AK0tbBObWqeZgFqxCuIqq7A84SeiOq3sKD0Y/KUvv
$ echo "dGhlIHF1aWNrIGJyb3duIGZveAo=" | base64 -d
Vault Token
● Generate Token :$ vault token-create
● Vault authentication :$ vault auth 8c40f7b4-1380-8a33-8d3b-5efd2dddfe51
● Vault Revoke Token:$ vault token-revoke fe118e23-6957-fb4e-ab36-8655244851e5
Vault PluginsVault supports a number of different plugins such as:
● AppRole● AWS● Google Cloud● Kubernetes● GitHub● LDAP● MFA● Okta● RADIUS● TLS Certificates● Tokens● Username & Password
Github Authentication● Vault Auth Github:
$ vault auth-enable github
● Vault Write GitHub Creds:$ vault write auth/github/config
● With Root $ vault write auth/github/map/teams/default value=root
● Revoke all Github tokens$ vault token-revoke -mode=path auth/github
● Disable Github from Vault$ vault auth-disable github
AWS Dynamic Authentication● Mount AWS on Vault:
$ vault mount aws
● Vault Write AWS Creds:$ vault write aws/config/root access_key=ABCDE1234 secret_key=1234ABCDE
● Using IAM Policy in JSON Format with policy.json :$ vault write aws/roles/deploy [email protected]
● Read & Verify the AWS tokens in Vault:$ vault read aws/creds/deploy
● Using lease_id parameter from above in the above command:$ vault revoke <aws/creds/deploy/185e6910-6d36-e9a6-33b3-fc8dcfd4e97c> → lease_id
{
"Version": "2012-10-17",
"Statement": [
{
"Sid":
"Stmt1426528957000",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": [
"*"
]
}
]
}
Vault Storage Backend
● Store multiple values for any user :$ vim vault-config.hcl
listener "tcp" { address = "0.0.0.0:8200" tls_cert_file="/home/ec2-user/.ssl/server.crt" tls_key_file="/home/ec2-user/.ssl/server.key"}
backend "s3" {
bucket = "foldername"
access_key = "xxxxxxxxxxxx"
secret_key= "xxxxxxxxxxxxxxxxxxxxxxx"
}
disable_mlock=true
● Read in a particular Format:$ vault read --format=json secret/ramit (Other format include table, yaml )
● S3
● Dynamodb
● Azure
● CouchDB
● CockroachDB
● Etcd
● Google Cloud
● Swift
● Zookeeper
● MySQL
● FileSystem
● PostgreSQL
Supervisor
● Store multiple values for any user :$ sudo apt-get install supervisor -y
● Config File:$ vim /etc/supervisor/supervisord.conf
● List all users in secret:$ [unix_http_server]` - change `;chmod=0700` to `chmod=0766`
- add the following: `[program:vault]`
- add `command=vault server -config=/home/ec2-user/vault-config.hcl`
- add `user=ec2-user`
- add `environment=AWS_ACCESS_KEY_ID="<your_access_key_id",AWS_SECRET_ACCESS_KEY="<your_secret_access_key>"`
● Read in a particular Format:$ sudo touch /etc/init.d/supervisord
Supervisor
● Add Supervisord with chkconfig :$ sudo chkconfig --add supervisord
● Start Service with supervisord
sudo service supervisord start
supervisorctl
● For more info on supervisor:
https://serversforhackers.com/c/monitoring-processes-with-supervisord
Generating a Self Signed Certificate
● SSL uses asymmetric cryptography, commonly referred to as public key cryptography (PKI).● With public key cryptography, two keys are created, one public, one private. Anything encrypted with
either key can only be decrypted with its corresponding key. ● Thus if a message or data stream were encrypted with the server's private key, it can be decrypted only
using its corresponding public key, ensuring that the data only could have come from the server.● Openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request). It
can also be used to generate self-signed certificates which can be used for testing purposes or internal usage.
● Make a Directory
$ mkdir .ssl && cd .ssl
● Generate a private key with a password, 1024 bit encrypted
$ openssl genrsa -des3 -out server.key 1024
● Generate a CSR (Certificate Signing Request)
$ openssl req -new -key server.key -out server.csr
Generating a Self Signed Certificate (Part 2)
● Remove passphrase from the key
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
● Generate a Self-Signed Certificate
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
● Remove Old directory
$ rm server.key.org && cd
Community Facts
Find more at https://github.com/hashicorp/vault/
Contributors
384+Commits
6K+Releases
46
Thank you :)