Managing Secrets at Scale
Transcript of Managing Secrets at Scale
Unless otherwise indicated, these slides are © 2013-2016 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Managing Secrets at Scale
Mark Paluch
@mp911de
TomEE
<Resource id="MySQL Database" type="DataSource">
    UserName test
    Password xMH5uM1V9vQzVUv5LG7YLA==
    PasswordCipher Static3DES
</Resource>
https://www.flickr.com/photos/dahlstroms/4188244058
Vault Project
• Secure storage
• Sealing/Unsealing
• Multiple authentication mechanisms
• Multiple secret backends
• ACL/policies
• HA
• HTTP API
Vault Project: Editions
Community
• Secret storage
• Tokens and access control policies
• Dynamic secrets with leasing and revocation
• Key rolling
• Audit logs
Enterprise
• HSM
• 24x7x365 Phone and Email Support
Demo: Start and initialize Vault
$ vault server -config=vault.conf
$ vault init
$ vault unseal
Demo: Storing/Loading generic secrets
$ vault write secret/app key=value
$ vault read secret/app
Secret Backends
• AWS
• Cassandra
• Consul
• MySQL/MSSQL/PostgreSQL
• PKI
• RabbitMQ
Keeping secrets secret
• Limit distribution
• Access control
• Encrypted
• Key rotation
• Locking access
✅ ✅ ✅
https://www.flickr.com/photos/kristencavanaugh/10710047746
Authentication methods
• Token
• Username/password
• LDAP
• GitHub Token
• MFA
• TLS Certificates
• App ID
1. Operator configures AppId
2. Store AppId in App configuration
3. Deployment: Map AppId to UserId
4. App start: Vault login with AppId and UserId
Production-grade Security Features
• Auditing
• Policies
• Token-lease/expiry
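The four-step App ID workflow above and the policy and token-lease features on this slide, modelled as an added example (not Vault's or Spring Cloud Vault's code): a toy in-memory Vault that performs steps 1, 3 and 4, ties the issued token to policies and a lease, and rejects a half-matched login, an unauthorised path, or an expired token. The SHA-256 UserId derivation is an assumption mirroring Spring Cloud Vault's IP_ADDRESS mechanism; the demo path secret/app is taken from the earlier slide.

```python
import hashlib
import secrets
import time


class MiniVault:
    """Simplified model of Vault's App ID login, policies and token expiry (added
    example, not Vault's code; Vault's real paths are auth/app-id/map/... and login)."""

    def __init__(self):
        self.app_ids = {}    # AppId -> policies   (step 1: operator configures AppId)
        self.user_ids = {}   # UserId -> AppId     (step 3: deployment maps AppId to UserId)
        self.policies = {}   # policy name -> {secret path: capability}
        self.secrets = {}    # secret path -> data
        self.tokens = {}     # client token -> {"policies": [...], "expires_at": epoch}

    def map_app_id(self, app_id, policies):
        self.app_ids[app_id] = list(policies)

    def map_user_id(self, user_id, app_id):
        self.user_ids[user_id] = app_id

    def write_policy(self, name, rules):
        self.policies[name] = dict(rules)

    def login(self, app_id, user_id, ttl=3600):
        """Step 4: the app presents both halves; either half alone is useless."""
        if app_id not in self.app_ids or self.user_ids.get(user_id) != app_id:
            raise PermissionError("permission denied")
        token = secrets.token_hex(16)
        self.tokens[token] = {"policies": self.app_ids[app_id],
                              "expires_at": time.time() + ttl}
        return token

    def read(self, token, path, now=None):
        """Every read is checked against the token's lease and then its policies."""
        entry = self.tokens.get(token)
        now = time.time() if now is None else now
        if entry is None or now >= entry["expires_at"]:
            raise PermissionError("token unknown or lease expired")
        allowed = any(self.policies.get(p, {}).get(path) == "read"
                      for p in entry["policies"])
        if not allowed:
            raise PermissionError("no policy grants read on " + path)
        return self.secrets[path]


def user_id_from_ip(ip):
    # Assumed to mirror Spring Cloud Vault's IP_ADDRESS mechanism: SHA-256 hex of the host IP.
    return hashlib.sha256(ip.encode()).hexdigest()
```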
Keeping secrets secret
• Limit distribution
• Access control
• Encrypted
• Key rotation
• Locking access
✅ ✅ ✅ ✅ ✅
Operation hints
• Use SSL
• Keep unseal keys secret
• Operate in High-Availability setup
Demo: Spring Cloud Vault Config
Spring Cloud Vault
• Encrypted configuration data support
• Various authentication methods
  • AppId
  • AWS-EC2
  • TLS Certificates
• Dynamic secret generation
  • AWS
  • Consul
  • Cassandra/MySQL/PostgreSQL
  • RabbitMQ
Use it in your project
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-vault-starter-config</artifactId>
    <version>1.0.0.BUILD-SNAPSHOT</version>
</dependency>

<repositories>
    <repository>
        <id>spring-snapshots</id>
        <url>https://repo.spring.io/libs-snapshot</url>
    </repository>
</repositories>
Resources
• Project – github.com/spring-cloud-incubator/spring-cloud-vault-config
• Samples – github.com/mp911de/spring-cloud-vault-config-samples
• Vault – vaultproject.io
• Slides – mp911.de/s1msas
Follow us @SpringCloudOSS
Talk to us spring-projects/spring-cloud
Learn More. Stay Connected.
@springcentral spring.io/blog
@pivotal pivotal.io/blog
@pivotalcf http://engineering.pivotal.io
Safe Harbor Statement
• The following is intended to outline the general direction of Pivotal's offerings. It is intended for information purposes only and may not be incorporated into any contract. Any information regarding pre-release of Pivotal offerings, future updates or other planned modifications is subject to ongoing evaluation by Pivotal and is subject to change. This information is provided without warranty of any kind, express or implied, and is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions regarding Pivotal's offerings. These purchasing decisions should only be based on features currently available. The development, release, and timing of any features or functionality described for Pivotal's offerings in this presentation remain at the sole discretion of Pivotal. Pivotal has no obligation to update forward-looking information in this presentation.