Vault - GOTO Conference

VAULT
MODERN SECRETS MANAGEMENT
SETH VARGO (@sethvargo)
SECRET MANAGEMENT
WHAT IS "SECRET"?

SECRET VS. SENSITIVE

| SECRET | SENSITIVE |
|---|---|
| DB CREDENTIALS | EMAIL ADDRESSES |
| CLOUD ACCESS KEYS | PHONE NUMBERS |
| SSL CA/CERTIFICATES | MOTHER'S MAIDEN NAME |
| ENCRYPTION KEYS | DATACENTER LOCATIONS |
| WIFI PASSWORDS | CUSTOMER PII |
| SOURCE CODE | EMAIL/CHAT |

SECRET AND SENSITIVE: ANYTHING THAT MAKES THE NEWS
SECRET MANAGEMENT 1.0
HOW DO I DISTRIBUTE SECRETS?
How do applications get secrets?
How do humans acquire secrets?
How are secrets updated?
How is a secret revoked?
```
secure master cat config.json
{
  "mysql_user": "root",
  "mysql_pass": "s3(Ret"
}
```
WHY NOT CONFIG MANAGEMENT?
Centrally stored
Eventually consistent
No access control
No auditing
No revocation
WHY NOT (ONLINE) DATABASES?
RDBMS, Consul, ZooKeeper, etc
Not designed for secrets
Limited access controls
Typically plaintext storage
No auditing or revocation abilities
HOW TO HANDLE SECRET SPRAWL?
Secret material is distributed
Who has access?
When were secrets used?
What is the attack surface?
What do we do in the event of a compromise?
STATE OF THE WORLD 1.0
Secret sprawl
Decentralized keys
Limited visibility
Poorly defined “break glass” procedures
SECRET MANAGEMENT 2.0

VAULT
MODERN SECRETS MANAGEMENT
VAULT GOALS
Single source for secrets
Programmatic application access (Automated)
Operator access (Manual)
Practical security
Modern data center friendly
VAULT FEATURES
Secure secret storage (in-memory, Consul, file, postgres, and more)
Dynamic secrets
Leasing, renewal, and revocation
Auditing
Rich ACLs
Multiple client authentication methods
SECURE SECRET STORAGE
Data is encrypted in transit and at rest
256-bit AES in GCM mode
TLS 1.2 for clients
No HSM required
```
secure master vault write secret/foo bar=bacon
Success! Data written to: secret/foo

secure master vault read secret/foo
Key             Value
lease_id        secret/foo/2a798f6f-00da-8d48-659a-ef1c969f23ed
lease_duration  2592000
lease_renewable false
bar             bacon
```
DYNAMIC SECRETS
Never provide “root” credentials to clients
Provide limited access credentials based on role
Generated on demand when requested
Leases are enforceable via revocation
Audit trail can identify point of compromise
```
secure master vault mount postgresql
Successfully mounted 'postgresql' at 'postgresql'!

secure master vault help postgresql
## DESCRIPTION

The PostgreSQL backend dynamically generates database users.

After mounting this backend, configure it using the endpoints within
the "config/" path.

## PATHS

The following paths are supported by this backend. To view help for
any of the paths below, use the help command with any route matching
the path pattern. Note that depending on the policy of your auth token,
you may or may not be able to access certain paths.

    ^config/connection$
        Configure the connection string to talk to PostgreSQL.

secure master vault write postgresql/config/connection \
    value="user=hashicorp password=hashicorp database=hashicorp"
Success! Data written to: postgresql/config/connection

secure master vault write postgresql/roles/production name=production
Success! Data written to: postgresql/roles/production

secure master vault read postgresql/creds/production
Key             Value
lease_id        postgresql/creds/production/2d483e34-2d82-476...
lease_duration  3600
lease_renewable true
password        80e6ffa5-d6e9-beb1-e630-9af0c41299bb
username        vault-root-1432058168-8081

secure master vault read postgresql/creds/production
Key             Value
lease_id        postgresql/creds/production/a99b952e-222c-6eb...
lease_duration  3600
lease_renewable true
username        vault-root-1432058254-7887
password        17a21ba7-8726-97e4-2088-80b7a756702b
```
DYNAMIC SECRETS
Pluggable Backends
AWS, Consul, PostgreSQL, MySQL, Transit, Generic
Grow support over time
LEASING, RENEWAL, AND REVOCATION
Every Secret has a Lease*
Secrets are revoked at the end of the lease unless renewed
Secrets may be revoked early by operators
“Break Glass” procedure
Dynamic Secrets make leases enforceable
Not possible for arbitrary secrets
Not possible for transit backend
AUDITING
Pluggable Audit Backends
Request and Response Logging
Prioritizes Safety over Availability
Secrets Hashed in Audits
Searchable, but not reversible
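The three slides above (dynamic secrets, leasing/renewal/revocation, and auditing) describe one lifecycle: a credential is minted per request, lives only as long as its lease, can be pulled back early, and leaves a hashed trail. The following is an added example of my own, not code from the deck or from Vault: a toy in-memory model of that lifecycle. The `FakePostgres` stand-in, the TTL values, the `hmac-sha256:` audit encoding and all names are assumptions made for the demo.

```python
# Added example (my own, not Vault's code): toy model of dynamic secrets,
# leases and hashed audit logging. Names, TTLs and the salted-HMAC audit
# encoding are assumptions for this demo.
import hashlib
import hmac
import secrets
import uuid


class FakePostgres:
    # Stand-in for the database backend; only tracks which users exist.
    def __init__(self):
        self.users = {}  # username -> password

    def create_user(self, username, password):
        self.users[username] = password

    def drop_user(self, username):
        self.users.pop(username, None)

    def can_login(self, username, password):
        return self.users.get(username) == password


class LeaseStore:
    """Issues per-request credentials, tracks leases and writes an audit
    log in which every secret value is replaced by a salted HMAC."""

    def __init__(self, db, audit_salt):
        self.db = db
        self.salt = audit_salt
        self.leases = {}  # lease_id -> lease record
        self.audit = []   # one entry per request

    def _hash(self, value):
        # Keyed hash: a leaked value can be searched for by its HMAC, but
        # the log itself never reveals the secret.
        digest = hmac.new(self.salt, value.encode(), hashlib.sha256).hexdigest()
        return "hmac-sha256:" + digest

    def _log(self, path, secret_fields):
        entry = {"path": path}
        entry.update({k: self._hash(v) for k, v in secret_fields.items()})
        self.audit.append(entry)

    def issue_db_creds(self, role, now, ttl=3600, max_ttl=86400):
        # Dynamic secret: a fresh, role-scoped DB user for every request.
        username = f"vault-{role}-{now}-{secrets.randbelow(10000):04d}"
        password = str(uuid.uuid4())
        self.db.create_user(username, password)
        lease_id = f"postgresql/creds/{role}/{uuid.uuid4()}"
        self.leases[lease_id] = {"dynamic": True, "renewable": True, "username": username,
                                 "expires": now + ttl, "max_expires": now + max_ttl}
        self._log(lease_id, {"password": password})
        return lease_id, username, password

    def write_static(self, path, value, now, ttl=2592000):
        # Arbitrary secret (generic backend): Vault can only forget it.
        lease_id = f"{path}/{uuid.uuid4()}"
        self.leases[lease_id] = {"dynamic": False, "renewable": False,
                                 "expires": now + ttl, "max_expires": now + ttl}
        self._log(lease_id, {"value": value})
        return lease_id

    def renew(self, lease_id, now, increment):
        lease = self.leases[lease_id]
        if not lease["renewable"]:
            raise ValueError("lease is not renewable")
        lease["expires"] = min(now + increment, lease["max_expires"])
        return lease["expires"]

    def revoke(self, lease_id):
        # Returns True when revocation was enforceable (the DB user is gone).
        # For a static secret, copies clients already hold keep working.
        lease = self.leases.pop(lease_id)
        if lease["dynamic"]:
            self.db.drop_user(lease["username"])
        return lease["dynamic"]

    def expire(self, now):
        # Periodic sweep: revoke everything whose lease has run out.
        for lease_id in [lid for lid, v in self.leases.items() if v["expires"] <= now]:
            self.revoke(lease_id)

    def find_in_audit(self, leaked_value):
        # Point-of-compromise search: which requests handed out this value?
        h = self._hash(leaked_value)
        return [e["path"] for e in self.audit if h in e.values()]


if __name__ == "__main__":
    db = FakePostgres()
    store = LeaseStore(db, audit_salt=secrets.token_bytes(32))
    lease_id, user, pw = store.issue_db_creds("production", now=1000)
    store.renew(lease_id, now=2000, increment=3600)
    store.expire(now=5600)
    print("login after expiry:", db.can_login(user, pw))
    print("audit hits for leaked password:", store.find_in_audit(pw))
```

The `revoke` return value is the point of the "dynamic secrets make leases enforceable" line: dropping the generated user really ends access, whereas revoking a static value only removes Vault's copy. The audit search works because the log stores a keyed hash, so an operator who finds a credential in the wild can locate the request that issued it without the log ever containing the credential in clear.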
RICH ACLS
Role Based Policies
Restrict access to “need to know”
Default Deny, must be explicitly allowed
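As an added illustration of the default-deny, role-based rule above (my own code, not Vault's policy engine): a minimal evaluator over path policies. The dict shape, the two sample policies and the tie-break rules (an exact path beats a glob, a longer glob beats a shorter one, an explicit `deny` beats everything) are assumptions for this demo; real Vault policies are HCL documents with more capabilities than are modelled here.

```python
# Added example (my own, not Vault's code): a minimal evaluator for
# role-based, default-deny path policies. Policy shape, sample policies
# and tie-break rules are assumptions for this demo.

SAMPLE_POLICIES = {
    # An application role: exactly one path, nothing else.
    "app-production": {
        "postgresql/creds/production": {"read"},
    },
    # An operator role: everything under secret/, except root CA material.
    "ops": {
        "secret/*": {"read", "write", "list"},
        "secret/pki/root*": {"deny"},
    },
}


def matches(pattern, path):
    # A trailing '*' is a prefix glob; anything else must match exactly.
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return pattern == path


def merge_policies(policies, attached):
    # Union the rules of every policy attached to a token, keyed by pattern.
    merged = {}
    for name in attached:
        for pattern, caps in policies.get(name, {}).items():
            merged.setdefault(pattern, set()).update(caps)
    return merged


def decide(policies, attached, path, capability):
    """Return (allowed, reason). No matching rule means denied: access must
    be explicitly granted, never assumed."""
    merged = merge_policies(policies, attached)
    candidates = [(p, c) for p, c in merged.items() if matches(p, path)]
    if not candidates:
        return False, "no rule matches (default deny)"
    # Most specific rule wins: exact path over any glob, longer glob over shorter.
    pattern, caps = max(candidates, key=lambda pc: (not pc[0].endswith("*"), len(pc[0])))
    if "deny" in caps:
        return False, f"explicit deny via {pattern!r}"
    if capability in caps:
        return True, f"{capability} granted via {pattern!r}"
    return False, f"{pattern!r} matched but does not grant {capability}"


def allowed(policies, attached, path, capability):
    return decide(policies, attached, path, capability)[0]


if __name__ == "__main__":
    for attached, path, cap in [
        (["app-production"], "postgresql/creds/production", "read"),
        (["app-production"], "postgresql/creds/staging", "read"),
        (["ops"], "secret/foo", "write"),
        (["ops"], "secret/pki/root-key", "read"),
    ]:
        print(attached, path, cap, "->", decide(SAMPLE_POLICIES, attached, path, cap))
```

The `app-production` policy is the "need to know" shape the slide asks for: a token carrying only that policy can read its own database credentials and nothing else, including the `config/connection` path of the same backend, without anyone having to write a denial for the other paths.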
FLEXIBLE AUTH
Pluggable Backends
Tokens, GitHub, AppID, User/Pass, TLS Certs
Machine-Oriented vs Operator-Oriented
HIGH AVAILABILITY
Consul used for leader election
Active/Standby
Automatic failover
UNSEALING THE VAULT
Data in Vault encrypted
Vault requires encryption key
Must be provided online
```
secure master vault status
Sealed: true
Key Shares: 10
Key Threshold: 7
Unseal Progress: 6

High-Availability Enabled: false

secure master vault unseal
Key (will be hidden):

secure master vault unseal
Key (will be hidden):
Sealed: false
Key Shares: 10
Key Threshold: 7
Unseal Progress: 0
```
WATCHING THE WATCHMEN
Master Key is the “key to the kingdom”
All data could be decrypted
Protect against insider attack
Two-Man Rule
SHAMIR SECRET SHARING
Protect Encryption Key with Master Key
Split Master Key into N shares
T shares to recompute Master
Quorum of key holders required to unseal
Default N:5, T:3
SUMMARY
Solves the “Secret Sprawl Problem”
Protects against external threats (Cryptosystem)
Protects against internal threats (ACLs and Secret Sharing)
BUILDING ON VAULT
SECURITY FOUNDATION
Base of Trust
Core Infrastructure
Flexible Architecture
Foundation for Security Infrastructure
PERSONALLY IDENTIFIABLE INFORMATION
PII information is everywhere
SSN, CC#, OAuth Tokens, etc.
Email? Physical address?
Security of storage?
Scalability of storage?
Auditability of access?
PII WITH VAULT
“transit” backend in Vault
Encrypt/Decrypt data in transit
Avoid secret management in client applications
Builds on Vault foundation
TRANSIT BACKEND
Web server has no encryption keys
Requires two-factor compromise (Vault + Datastore)
Decouples storage from encryption and access control
CERTIFICATE AUTHORITY
Vault acts as Internal CA
Vault stores root CA keys
Dynamic secrets - generates signed TLS keys
No more tears
MUTUAL TLS FOR SERVICES
Dynamic CA allows all services to generate keys
All internal service communication can use mutual TLS
End-to-End encryption inside the datacenter
VAULT IN PRACTICE
USING VAULT
API Driven
JSON/HTTPS
Rich CLI for humans and scripts
Rich client libraries
APPLICATION INTEGRATION
Vault-aware
Native client libraries (go, ruby, rails, python, node, and more)
Secrets only in-memory
Safest but high-touch
CONSUL TEMPLATE INTEGRATION
Secrets templatized into application configuration
Vault is transparent
Lease management is automatic
Non-secret configuration still via Consul
```
secure master cat secrets.yml.ctmpl
{{ with $secret := vault "postgresql/creds/production" }}
---
production:
  adapter: postgresql
  database: postgres.service.consul
  username: {{$secret.Data.username}}
  password: {{$secret.Data.password}}
  pool: {{key "production/postgres/pool"}}
{{ end }}
```
REMEMBER TO RATE THIS SESSION
TWEET @SETHVARGO FOR QUESTIONS TOO