Working With Secrets
Evaluating HashiCorp Vault
Problem
• Storing secrets that are otherwise left exposed in code or config (AWS S3 keys, encryption keys)
• Generating leased, short-lived credentials for AWS and databases
• Easy revocation of keys and leases
• Secure audit log of key generation and every access
Vault Architecture
(Un-)Sealing
Vault starts sealed. The master key is split into n shares with Shamir's Secret Sharing and any k of them (the threshold) must be supplied to unseal.
n/n (threshold = all shares): safest, but losing a single share loses the key
1/n (threshold = one share): easiest, but every share holder has the whole key
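To make the threshold trade-off concrete, here is a byte-wise Shamir split and combine over GF(2^8), the same field Vault's shamir package uses. This is an added example for this page, not HashiCorp's code: the share encoding differs from real unseal keys, and the master key value is constructed. It runs the three configurations the slides mention, 1/3, the later `-key-shares=3 -key-threshold=2` and 3/3, and shows that a below-threshold combine returns garbage rather than an error.

```python
"""Shamir secret sharing over GF(2^8), as Vault uses to split its master key.

Added illustration, not HashiCorp's code. Same field (x^8 + x^4 + x^3 + x + 1)
as vault/shamir, but the share encoding is not interchangeable with real
unseal keys. The master key below is constructed.
"""
import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) with the AES reduction polynomial 0x11B."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B  # low byte of 0x11B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a^255 == 1 for every non-zero a)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def poly_eval(coeffs, x: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term (the secret byte)."""
    y = 0
    for c in reversed(coeffs):
        y = gf_mul(y, x) ^ c
    return y


def split(secret: bytes, shares: int, threshold: int, rng=secrets.token_bytes):
    """Split `secret` into `shares` shares, any `threshold` of which rebuild it.
    Returns [(x, share_bytes)], x in 1..shares being the evaluation point."""
    if not 1 <= threshold <= shares <= 255:
        raise ValueError("need 1 <= threshold <= shares <= 255")
    outputs = [bytearray() for _ in range(shares)]
    for sb in secret:
        # Fresh random polynomial of degree threshold-1 for every byte.
        coeffs = [sb] + list(rng(threshold - 1))
        for x in range(1, shares + 1):
            outputs[x - 1].append(poly_eval(coeffs, x))
    return [(x, bytes(outputs[x - 1])) for x in range(1, shares + 1)]


def combine(shares) -> bytes:
    """Lagrange-interpolate every byte at x=0. With fewer than threshold
    shares this returns garbage, not an error: the scheme cannot tell."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    if len({len(y) for _, y in shares}) != 1:
        raise ValueError("shares differ in length")
    secret = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num = den = 1
            for m, (xm, _) in enumerate(shares):
                if m != j:
                    num = gf_mul(num, xm)       # (0 - x_m) == x_m in characteristic 2
                    den = gf_mul(den, xj ^ xm)  # (x_j - x_m)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        secret.append(acc)
    return bytes(secret)


def demo() -> dict:
    """The three configurations from the slides, on a constructed master key."""
    master = b"constructed-32-byte-master-key!!"
    results = {}
    # 1/n: degree-0 polynomial, so every single share IS the key. Easiest.
    one_of_three = split(master, 3, 1)
    results["1/3 any single share"] = combine(one_of_three[:1]) == master
    # 2/3: the later slide's `-key-shares=3 -key-threshold=2`.
    two_of_three = split(master, 3, 2)
    results["2/3 two shares"] = combine(two_of_three[1:]) == master
    results["2/3 one share"] = combine(two_of_three[:1]) == master
    # n/n: all three shares needed. Safest, and one lost share loses the key.
    three_of_three = split(master, 3, 3)
    results["3/3 all shares"] = combine(three_of_three) == master
    results["3/3 two shares"] = combine(three_of_three[:2]) == master
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'recovered' if ok else 'NOT recovered'}")
```

Because a below-threshold combine silently yields the wrong bytes, Vault only learns that an unseal attempt was bad when the reconstructed key fails to decrypt the barrier, which is why it reports progress k-of-t rather than validating individual shares.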
Vault Initial Working [CLI]
(pre-0.9 CLI syntax: init/unseal/seal are now vault operator init/unseal/seal, vault auth is vault login, vault audit-enable is vault audit enable)
$ vault server -dev                                  # dev server: in-memory storage, evaluation only
$ vault init -key-shares=1 -key-threshold=1          # single share: fine for a demo, no split of trust
$ vault unseal 69b6b254c098496eee6c6eb5d6f3aa414f66327fabf123bd4f1018a3f133b8d6
$ vault auth 10f7b1c0-f7cf-b466-c7ca-d2be9c6a442b    # authenticate with the initial root token printed by init
$ vault audit-enable file file_path=/var/log/vault/audit.log   # enable the file audit backend before touching secrets
$ vault write secret/hello value=world
$ vault read secret/hello
$ vault seal                                         # seal again: the master key is dropped from memory
$ vault write secret/hello value=world               # every request now fails with 503 until unsealed
Error writing data to secret/hello: Error making API request.
URL: PUT http://127.0.0.1:47876/v1/secret/hello
Code: 503. Errors:
* Vault is sealed
$ vault read secret/hello
Error reading secret/hello: Error making API request.
URL: GET http://127.0.0.1:47876/v1/secret/hello
Code: 503. Errors:
* Vault is sealed
App and Vault
• Always Unsealed Approach (the one Vault's documentation suggests)
  • Keep Vault unsealed in normal operation; seal it only when a threat is realised
• Always Sealed Approach
  • App deployment / reload waits for the unsealed state
  • A release engineer (or release automation) unseals Vault for the deployment
  • Automated re-sealing via the app / release script once the deployment is done
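The always-sealed approach above is an exchange between release automation and the app over Vault's HTTP API. The script below is an added example for this page, not Vault's own tooling: it uses the real GET sys/seal-status, PUT sys/unseal and PUT sys/seal endpoints, while the address, the share strings and the FakeVault stand-in are constructed so that it runs offline. Release automation submits two of three shares, the app's reload waits for the unsealed state, and a reseal makes the next app wait time out instead of hanging.

```python
"""Unseal, wait and reseal through Vault's HTTP API.

Added example, not Vault's own tooling. Endpoints are the real sys/seal-status,
sys/unseal and sys/seal; address, shares and FakeVault are constructed.
"""
import json
import time
import urllib.error
import urllib.request


class VaultSealClient:
    """Seal/unseal client. `transport(method, path, body) -> dict` is injectable
    so the same flow runs against FakeVault; the default speaks HTTP."""

    def __init__(self, addr="http://127.0.0.1:8200", token=None, transport=None):
        self.addr, self.token = addr.rstrip("/"), token
        self.transport = transport or self._http

    def _http(self, method, path, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.addr + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        if self.token:  # seal-status and unseal are unauthenticated; sys/seal needs a token
            req.add_header("X-Vault-Token", self.token)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                raw = resp.read()
        except urllib.error.HTTPError as err:  # Vault answers errors with {"errors": [...]}
            raise RuntimeError(f"{method} {path}: HTTP {err.code} {err.read().decode()}") from err
        return json.loads(raw) if raw else {}

    def seal_status(self):
        return self.transport("GET", "/v1/sys/seal-status", None)

    def unseal(self, shares):
        """Submit shares one at a time and stop as soon as Vault reports unsealed,
        so shares beyond the threshold never leave the caller."""
        status = self.seal_status()
        if not status["sealed"]:
            return status
        for share in shares:
            status = self.transport("PUT", "/v1/sys/unseal", {"key": share})
            if not status["sealed"]:
                return status
        raise RuntimeError(f"still sealed: progress {status['progress']}/{status['t']}")

    def seal(self):
        """Emergency seal: Vault drops the master key from memory."""
        self.transport("PUT", "/v1/sys/seal", None)
        return self.seal_status()


def wait_until_unsealed(client, timeout=60.0, interval=1.0, clock=time.monotonic, sleep=time.sleep):
    """App side of the always-sealed approach: block a deploy/reload until Vault is usable."""
    deadline = clock() + timeout
    while True:
        if not client.seal_status()["sealed"]:
            return True
        if clock() >= deadline:
            return False
        sleep(interval)


class FakeVault:
    """Constructed stand-in for a k-of-n Vault (offline only). Mirrors the real
    seal-status fields sealed/t/n/progress; progress counts distinct shares and
    resets after an attempt completes, as the real server does on a bad attempt."""

    def __init__(self, valid_shares, threshold):
        self.valid, self.t, self.n = set(valid_shares), threshold, len(valid_shares)
        self.sealed, self.submitted = True, set()

    def status(self):
        return {"sealed": self.sealed, "t": self.t, "n": self.n, "progress": len(self.submitted)}

    def __call__(self, method, path, body):
        if (method, path) == ("GET", "/v1/sys/seal-status"):
            return self.status()
        if (method, path) == ("PUT", "/v1/sys/unseal"):
            self.submitted.add(body["key"])
            if len(self.submitted) >= self.t:
                good = self.submitted <= self.valid
                self.submitted.clear()
                if not good:
                    raise RuntimeError("unseal failed: reconstructed key did not verify")
                self.sealed = False
            return self.status()
        if (method, path) == ("PUT", "/v1/sys/seal"):
            self.sealed, self.submitted = True, set()
            return {}
        raise RuntimeError(f"unexpected call {method} {path}")


def demo() -> dict:
    """Release automation unseals with 2 of 3 shares, the app reload proceeds,
    a threat is realised and Vault is resealed, after which the app blocks again."""
    vault = FakeVault(["share-a", "share-b", "share-c"], threshold=2)
    ops = VaultSealClient(transport=vault)
    no_sleep = lambda seconds: None
    unsealed = not ops.unseal(["share-a", "share-b"])["sealed"]
    app_ready = wait_until_unsealed(ops, timeout=5, interval=0, sleep=no_sleep)
    resealed = ops.seal()["sealed"]
    app_after_seal = wait_until_unsealed(ops, timeout=0, interval=0, sleep=no_sleep)
    return {"unsealed": unsealed, "app_ready": app_ready,
            "resealed": resealed, "app_after_seal": app_after_seal}


if __name__ == "__main__":
    print(demo())
```

Against a real server, drop the `transport` argument and pass `addr` and, for `seal()`, a token whose policy allows sys/seal; the key holders' shares should arrive from separate people or secret stores rather than one list in a script, which is exactly what the PGP-encrypted distribution on the next slide is for.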
Secure Distribution of Keys
• The key shares are most exposed at generation time: init prints all of them to whoever runs it
• Encrypt each share to its holder's OpenPGP key so only that holder can decrypt it (keybase:user fetches the public key from Keybase)
• $ vault init -key-shares=3 -key-threshold=2 -pgp-keys="keybase:a,keybase:b,keybase:c"
Best Practices
• Use tokens for authentication; they are the built-in credential to which Vault's ACL policies are attached
• Use the cubbyhole secret backend (per-token storage, wiped when the token expires); custom backends are not pluggable yet
• Safeguard the storage backend
  • e.g. encrypted AWS EBS volumes with AWS KMS keys
High Availability
• Vault supports a clustered (HA) setup: one active node, the others on standby
• Requires a storage backend with HA support, such as Consul or MySQL HA
Outside Vault's Threat Model
• Algorithm and protocol vulnerabilities: Shamir's Secret Sharing, HTTP(S)/TLS
• Third-party storage backends add no security: Vault encrypts before writing to them, but a compromised backend can still destroy data or leak ciphertext
• Instance and OS vulnerabilities (host compromise, memory access)
Thank you
@agarwalshrey
shrey.agarwal@paytm.com
