
Bas Meijer
Software Engineer/DevOps Coach
HUG Amsterdam Co-Organizer
Ansible Ambassador
@bbaassssiiee
HashiTalks 2020, Friday, February 21, 08:00 - 08:30 GMT
Keybase Auto Unseal - Bas Meijer

Purpose
1. Automate provisioning Vault on Consul cluster
2. Securely store the keys to the Vault kingdom
3. Enable team to unseal automatically

Structure of this presentation
• Vault setup background info
• Start Vault, Initialize, Unseal
• Use the CLI, UI manually
• Automate and/or Secure?
• A Dilemma?
• Open Source Reference Project
Copyright © 2019 HashiCorp
Starting the Vault Server
1. Write a server configuration file
2. Start the server: vault server -config=<config_file_path>
3. Initialize the server (generate the unseal keys & an initial token)
4. Unseal the Vault server
5. Log in
Vault Server Initialization
▪ Initialization is the process of configuring the Vault:
  ‣ Encryption key gets generated
  ‣ Unseal keys are created
  ‣ Initial root token is set up
Seal / Unseal
▪ When a Vault server is started, it starts in sealed mode: it doesn't know how to decrypt the data
▪ Unsealing is the process of constructing the master key necessary to read the decryption key that decrypts the data
▪ Why?
  ‣ The data stored by Vault is encrypted with the encryption key
  ‣ The encryption key is encrypted with the master key
  ‣ The master key is NOT stored anywhere
Shamir's Secret Sharing
Figure: the encryption key is protected by a master key; the master key is split into key shares (unseal keys) handed to team members (Bob, James, Jennifer, Pam, Tom, Stephan, Kitty, Rudolf, Lars, Marjan).
A threshold of unseal keys is required to unseal Vault so that the key to the kingdom won't fall into one person's hands!
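The threshold property described above, as an added illustration that is not Vault's own code: a byte-wise Shamir scheme over GF(2^8), in the same spirit as Vault's shamir package, splitting a constructed 32-byte secret into 5 shares with a threshold of 3. Every 3 shares recover the secret; 2 shares yield garbage, and the scheme itself gives no error when the threshold is not met.

```python
"""Byte-wise Shamir secret sharing over GF(2^8) (added illustration, not Vault code)."""
from __future__ import annotations

import itertools
import secrets

_REDUCE = 0x1B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8): carry-less multiply, then reduce."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= _REDUCE
        b >>= 1
    return product


def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 == a^-1 for every non-zero a in GF(2^8)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result = 1
    for _ in range(254):
        result = gf_mul(result, a)
    return result


def _eval_poly(coeffs: list, x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... at x (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def split(secret: bytes, shares: int, threshold: int) -> list:
    """Split `secret` into `shares` parts; any `threshold` of them recover it.

    A share is len(secret) y-bytes followed by one x-coordinate byte.
    """
    if not 1 < threshold <= shares <= 255:
        raise ValueError("need 1 < threshold <= shares <= 255")
    rng = secrets.SystemRandom()
    xs = rng.sample(range(1, 256), shares)  # distinct, non-zero x values
    parts = [bytearray() for _ in range(shares)]
    for byte in secret:
        # Fresh random polynomial per byte; the constant term is the secret byte.
        coeffs = [byte] + [rng.randrange(256) for _ in range(threshold - 1)]
        for part, x in zip(parts, xs):
            part.append(_eval_poly(coeffs, x))
    for part, x in zip(parts, xs):
        part.append(x)
    return [bytes(p) for p in parts]


def combine(shares: list) -> bytes:
    """Lagrange-interpolate each byte's polynomial at x=0.

    Below the threshold this returns a wrong value, not an error.
    """
    if len(shares) < 2 or len({len(s) for s in shares}) != 1:
        raise ValueError("need at least two shares of equal length")
    xs = [s[-1] for s in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share supplied")
    secret = bytearray()
    for pos in range(len(shares[0]) - 1):
        acc = 0
        for i, xi in enumerate(xs):
            num, den = 1, 1  # Lagrange basis polynomial for point i, at x=0
            for j, xj in enumerate(xs):
                if i != j:
                    num = gf_mul(num, xj)
                    den = gf_mul(den, xi ^ xj)  # subtraction is XOR in GF(2^8)
            acc ^= gf_mul(shares[i][pos], gf_mul(num, gf_inv(den)))
        secret.append(acc)
    return bytes(secret)


def threshold_demo(secret: bytes, shares: int = 5, threshold: int = 3) -> dict:
    """Mirror the deck's 5 keys / threshold 3: every 3-subset recovers, 2 shares do not."""
    parts = split(secret, shares, threshold)
    quorum_ok = all(combine(list(sub)) == secret
                    for sub in itertools.combinations(parts, threshold))
    below_threshold_leaks = combine(parts[:threshold - 1]) == secret
    return {"share_len": len(parts[0]), "every_quorum_ok": quorum_ok,
            "below_threshold_leaks": below_threshold_leaks}


if __name__ == "__main__":
    # Constructed 32-byte sample standing in for a master key.
    print(threshold_demo(bytes(range(32))))
```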
Initialize a Vault Server via CLI
$ vault operator init
Unseal Key 1: oL8fJP4KreJPbZWIgui340j5bNclip9zGVcYIzElsoF1
Unseal Key 2: Ke9VZlGzuVaf4HJB8c9KQR2j8rFTBALV1fD3hjE5pHoY
Unseal Key 3: 4X6Ja/RpMwNabYzklZKxxXVznLQFGgSiVW7Wx8LWOkQn
Unseal Key 4: dhI04g8dIQSXI11BIC6Gtwy/QaJWhVYoFYwKF9UI6axO
Unseal Key 5: IQ2Ls630Sjd/oEQyTmwwpuFEUTiJP4FX2UI3uZMZoa+x
Initial Root Token: s.arHAbYvyeZQH8StLc5OHtbt4
Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys. When the Vault is re-sealed,
restarted, or stopped, you must provide at least 3 of these keys
to unseal it again.
...
Initializing Vault (1 of 2): UI screenshot
Initializing Vault (2 of 2): UI screenshot
Initializing Vault via UI (2 of 2): UI screenshot

Initializing Vault via Ansible (teamshare.yml)
---
- name: initialize Hashicorp Vault
  delegate_to: "{{ groups.vault_instances[0] }}"
  run_once: true
  when: vault_status == '501'
  no_log: true
  environment:
    VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
    VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
  command: |
    vault operator init
    -key-shares={{ key_shares }}
    -key-threshold={{ key_threshold }}
    -format=json
  register: inited
  tags:
    - init
...
Unsealing Vault: UI screenshot
Unsealing via CLI (1 of 3)
$ vault operator unseal
Unseal Key (will be hidden):
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3
Unseal Nonce       3c0b2c85-6d22-54e4-87ce-249061dd9d1c
Version            1.1.0
HA Enabled         false

Unsealing via CLI (2 of 3)
$ vault operator unseal
Unseal Key (will be hidden):
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    2/3
Unseal Nonce       3c0b2c85-6d22-54e4-87ce-249061dd9d1c
Version            1.1.0
HA Enabled         false

Unsealing via CLI (3 of 3)
$ vault operator unseal
Unseal Key (will be hidden):
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             false
Total Shares       5
Threshold          3
Version            1.1.0
Cluster Name       vault-cluster-ad3f168d
Cluster ID         9fcbb3bc-6d9b-98f5-3f2e-a0cf1040a260
HA Enabled         false
Automate Unsealing with Ansible
---
# teamshare
- name: 'unseal Hashicorp Vault with teamshare unseal'
  when: vault_status == '503' and not shamir
  environment:
    VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
    VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
  command: "vault operator unseal {{ item }}"
  with_items: "{{ unseal_keys_hex }}"
  no_log: true
  tags:
    - unseal
Ansible Tip: use this action attribute to avoid leaking sensitive information into syslog:
no_log: true
Vault Server Setup Workflow Recap
1. Write a server configuration file
2. Start the server: vault server -config=<config_file_path>
3. Initialize the server (generate the unseal keys & an initial token): initial setup only
4. Unseal the Vault server: only when the Vault server was restarted, or sealed intentionally
5. Log in
Challenge
The unsealing process requires a threshold of unseal keys.
No single person holds the key to the Vault kingdom!
Unsealing is a manual process and becomes painful when you have multiple Vault clusters.
Auto-Unseal Vault
Figure: shared keys -> master key -> encryption key (Shamir) versus cloud-based key -> master key -> encryption key (auto-unseal)
▪ Instead of using shared keys based on Shamir's Secret Sharing algorithm, use the trusted cloud-based encryption key to protect the master key
▪ Supported cloud services today:
  ‣ AliCloud KMS
  ‣ AWS KMS
  ‣ Azure Key Vault
  ‣ GCP Cloud KMS
▪ Use Transit secrets engine
HSM Support
▪ Vault Enterprise integrates with HSMs to provide three pieces of special functionality:
  ‣ Master Key Wrapping: Vault protects its master key by transiting it through the HSM for encryption rather than splitting it into key shares
  ‣ Auto Unsealing: Vault stores its HSM-wrapped master key in storage, allowing for automatic unsealing
  ‣ Seal Wrapping to provide FIPS KeyStorage-conforming functionality for Critical Security Parameters
Master Key Wrapping and Auto-unseal
▪ Protect the encryption key with the master key
▪ The HSM encryption key protects the master key in place of Shamir's Secret Sharing
▪ Communication with the HSM via the PKCS #11 API to decrypt the master key
Figure: HSM key -> master keys -> encrypted keys, over PKCS#11

Constraints
1. On-Premise Infrastructure
2. Independent from Cloud platform
3. Redundancy & Flexibility
4. Open Source/Free

Searching the internet...
Integration
Figure: the integrated tool chain with GitHub star counts. Packer builds the dockpack/centos7 image, Vagrant provides the dev environment, Consul the clustered storage and Vault the secrets management.
Keybase
Keybase is secure messaging and file-sharing.
• Every account has a public history
• Keybase Team Trust
• User-Friendly PGP Encryption
• Encrypted File System KBFS
• Keybase Command Line
Ansible
ansible-galaxy install -r requirements.yml
---
- src: brianshumate.consul
- src: brianshumate.vault
- src: leonallen22.ansible_role_keybase
- src: dockpack.keybase_unseal
• There is a lot of yaml in the galaxy
• Automation after vault operator init
• Automation before vault install
Ansible
• ansible-vault AES encrypted config files
• Transparent use in automation
Note: Keybase has a safe place for the ansible-vault password file:
ansible-vault encrypt /keybase/team/$KEYBASE_TEAM/vault.json
export ANSIBLE_VAULT_PASSWORD_FILE=/keybase/team/$KEYBASE_TEAM/vault.pass
# This is the path where the encrypted JSON is shared.
vault_credentials: "/keybase/team/{{ keybase_team }}/vault.json"

include_vars: "{{ vault_credentials }}"
Encrypt^2 (kbfs.yml)
---
- name: save Vault credentials as pretty JSON
  delegate_to: localhost
  run_once: true
  become: false
  no_log: true
  when: vault_status == '501'
  copy:
    dest: "{{ vault_credentials }}"
    content: "{{ inited.stdout|from_json|to_nice_json }}"
    mode: 0600
  register: save_json
  tags:
    - init
- name: encrypt pretty JSON with ansible-vault
  delegate_to: localhost
  run_once: true
  become: false
  no_log: true
  when: vault_status == '501'
  environment:
    # yamllint disable-line rule:line-length
    ANSIBLE_VAULT_PASSWORD_FILE: "{{ lookup('env','ANSIBLE_VAULT_PASSWORD_FILE') }}"
  command: "ansible-vault encrypt {{ vault_credentials }}"
  tags:
    - init
...
Keybase Auto Unseal
1. Create accounts
2. Create team
3. Create sub-team for admins
4. Add members
5. Create vault.pass on KBFS
6. Use role in playbook
github.com/dockpack/keybase_unseal

Keybase: Shamir Secrets Keybase Encrypted
Define these group_vars:
---
shamir: true
keybase_team: dockpack.vault
kbt:
  - basmeijer
  - fbezema
  - ksatirli
  - ferhaty
Each team member sets their environment variable to their own position in the kbt list:
export KBT_INDEX=0
export KBT_INDEX=1
export KBT_INDEX=2
export KBT_INDEX=3

Initialize Vault with Shamir Secrets Keybase Encrypted (shamir.yml)
---
- name: initialize Hashicorp Vault
  delegate_to: "{{ groups.vault_instances[0] }}"
  run_once: true
  when: vault_status == '501'
  no_log: true
  environment:
    VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
    VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
  command: |
    vault operator init
    -key-shares={{ key_shares }}
    -key-threshold={{ key_threshold }}
    -format=json
    -pgp-keys="keybase:{{ kbt[0] }},keybase:{{ kbt[1] }},keybase:{{ kbt[2] }},keybase:{{ kbt[3] }}"
  register: inited
  tags:
    - init
...

Which Encrypted Shamir Unseal Key is mine? (teamshare unseal)
---
# shamir
- name: 'set kbt_index from env, range in array of keybase team list kbt.'
  when: vault_status == '503' and shamir|bool
  delegate_to: localhost
  run_once: true
  set_fact:
    kbt_index: "{{ lookup('env','KBT_INDEX') }}"
  tags:
    - unseal
    - shamir
...

Unseal with my Encrypted Shamir Unseal Key (shamir unseal)
---
- name: 'decrypt unseal key based on kbt_index'
  when: vault_status == '503' and shamir|bool
  delegate_to: localhost
  become: false
  run_once: true
  no_log: true
  shell: |
    set -o pipefail ;
    ansible-vault view /keybase/team/{{ keybase_team }}/vault.json \
    | jq -r '.unseal_keys_b64[{{ kbt_index }}]' \
    | base64 --decode \
    | gpg -d
  args:
    executable: /bin/bash  # set -o pipefail needs bash, not /bin/sh
  register: unseal_key
  tags:
    - unseal
    - shamir
- name: 'unseal Hashicorp Vault with tags=unseal'
  when: vault_status == '503' and shamir|bool
  no_log: true
  environment:
    VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
    VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
  command: "vault operator unseal {{ unseal_key.stdout }}"
  tags:
    - unseal
    - shamir
...
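The share selection in the two tasks above, as an added example that is not part of the dockpack/keybase_unseal role: it does in Python what the `ansible-vault view | jq | base64 --decode` part of the pipeline does and adds the checks that pipeline lacks (jq returns the string `null` for an out-of-range KBT_INDEX, and the play would pass that on to `base64` and `vault operator unseal`). The init JSON is a constructed sample with made-up OpenPGP-looking headers instead of real encrypted shares; the team list is the deck's kbt.

```python
"""Pick and sanity-check one team member's PGP-encrypted Shamir share (added example)."""
from __future__ import annotations

import base64
import json
import os

# Constructed sample shaped like `vault operator init -format=json -pgp-keys=...`
# output. Each "share" is a 5-byte stand-in whose first byte is a new-format
# OpenPGP packet header with tag 1, not a real encrypted share; the token is a
# placeholder.
SAMPLE_INIT_JSON = json.dumps({
    "unseal_keys_b64": [
        base64.b64encode(bytes([0xC1, 0x03, 0x03, i, 0x00])).decode() for i in range(4)
    ],
    "unseal_keys_hex": [],
    "unseal_shares": 4,
    "unseal_threshold": 2,
    "root_token": "s.PLACEHOLDER",
})
KBT = ["basmeijer", "fbezema", "ksatirli", "ferhaty"]  # the deck's kbt group_var


def parse_init_output(text: str) -> dict:
    """Parse the JSON that `vault operator init -format=json` prints."""
    init = json.loads(text)
    if len(init["unseal_keys_b64"]) != init["unseal_shares"]:
        raise ValueError("share count does not match unseal_shares")
    return init


def my_share_index(env_value, team: list) -> int:
    """Validate KBT_INDEX before it is used as a jq array index."""
    if env_value is None or env_value.strip() == "":
        raise ValueError("KBT_INDEX is not set; export your position in kbt")
    idx = int(env_value)
    if not 0 <= idx < len(team):
        raise ValueError(f"KBT_INDEX {idx} is outside 0..{len(team) - 1}")
    return idx


def is_openpgp_message(raw: bytes) -> bool:
    """True if `raw` starts with an OpenPGP packet header of tag 1
    (public-key encrypted session key), which is what `gpg -d` expects."""
    if not raw or not raw[0] & 0x80:
        return False
    new_format = bool(raw[0] & 0x40)
    tag = raw[0] & 0x3F if new_format else (raw[0] >> 2) & 0x0F
    return tag == 1


def select_share(init: dict, team: list, env_value) -> tuple:
    """Return (keybase user, decoded OpenPGP message) for this team member.

    The -pgp-keys list and the share list must line up one-to-one, so the
    kbt length must equal unseal_shares.
    """
    if len(team) != init["unseal_shares"]:
        raise ValueError("kbt must list exactly one Keybase user per share")
    idx = my_share_index(env_value, team)
    raw = base64.b64decode(init["unseal_keys_b64"][idx], validate=True)
    if not is_openpgp_message(raw):
        raise ValueError("share is not an OpenPGP message; refusing to run gpg")
    return team[idx], raw  # feed `raw` to `gpg -d` on stdin; stdout is the unseal key


if __name__ == "__main__":
    member, packet = select_share(
        parse_init_output(SAMPLE_INIT_JSON), KBT, os.environ.get("KBT_INDEX", "0"))
    print(member, packet.hex())
```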
Questions?
Topics: Vault, Consul, Shamir, Keybase, PGP, KBFS, Unseal Key, Ansible, Packer, Vagrant, Cloud, HSM, AWS KMS, Azure Key Vault, Ansible Vault, Keybase Teams Blockchain, IAM, Playbook Role, Root Token, Unsealing, Secure?, Encryption
Links:
github.com/dockpack/vault_dojo
vimeo.com/391099245
learn.hashicorp.com
https://github.com/dockpack/keybase_unseal/wiki
Demo
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 

Dernier (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 

Keybase Vault Auto-Unseal HashiTalks2020

  • 1. Bas Meijer
    Software Engineer/DevOps Coach
    HUG Amsterdam Co-Organizer
    Ansible Ambassador
    @bbaassssiiee
    HashiTalks 2020, Friday, February 21, 08:00 - 08:30 GMT
  • 2. Keybase Auto Unseal - Bas Meijer, HashiTalks 2020 (@bbaassssiiee)
  • 3. Purpose
    1. Automate provisioning Vault on Consul cluster
    2. Securely store the keys to the Vault kingdom
    3. Enable team to unseal automatically
  • 4. Structure of this presentation
    • Vault setup background info
    • Start Vault, Initialize, Unseal
    • Use the CLI, UI manually
    • Automate and/or Secure?
    • A Dilemma?
    • Open Source Reference Project
  • 5. Starting the Vault Server (Copyright © 2019 HashiCorp)
    Write a server configuration file
    Start the server: vault server -config=<config_file_path>
    Initialize the server (generate the unseal keys & an initial token)
    Unseal the Vault server
    Log in
  • 6. Vault Server Initialization
    ▪ Initialization is the process of configuring the Vault:
      ‣ Encryption key gets generated
      ‣ Unseal keys are created
      ‣ Initial root token is set up
  • 7. Seal / Unseal
    ▪ When a Vault server is started, it starts in sealed mode - it doesn't know how to decrypt the data
    ▪ Unsealing is the process of constructing the master key necessary to read the decryption key to decrypt data
    ▪ Why?
      ‣ The data stored by Vault is encrypted with the encryption key
      ‣ The encryption key is encrypted with the master key
      ‣ The master key is NOT stored anywhere
  • 8. Shamir's Secret Sharing
    Diagram: the Encryption Key is protected by a Master Key; the Master Key is split into Key Shares (Unseal keys) held by Bob, James, Jennifer, Pam, Tom, Stephan, Kitty, Rudolf, Lars and Marjan.
    A threshold of unseal keys is required to unseal Vault so that the key to the kingdom won't fall into one person's hand!
  • 9. Initialize a Vault Server via CLI
    Terminal:
    $ vault operator init
    Unseal Key 1: oL8fJP4KreJPbZWIgui340j5bNclip9zGVcYIzElsoF1
    Unseal Key 2: Ke9VZlGzuVaf4HJB8c9KQR2j8rFTBALV1fD3hjE5pHoY
    Unseal Key 3: 4X6Ja/RpMwNabYzklZKxxXVznLQFGgSiVW7Wx8LWOkQn
    Unseal Key 4: dhI04g8dIQSXI11BIC6Gtwy/QaJWhVYoFYwKF9UI6axO
    Unseal Key 5: IQ2Ls630Sjd/oEQyTmwwpuFEUTiJP4FX2UI3uZMZoa+x
    Initial Root Token: s.arHAbYvyeZQH8StLc5OHtbt4
    Vault initialized with 5 keys and a key threshold of 3. Please securely distribute the above keys. When the Vault is re-sealed, restarted, or stopped, you must provide at least 3 of these keys to unseal it again.
    ...
  • 10. Initializing Vault (1 of 2)
  • 11. Initializing Vault (2 of 2)
  • 12. Initializing Vault via UI (2 of 2)
  • 13. Initializing Vault via Ansible (teamshare.yml)
    ---
    - name: initialize Hashicorp Vault
      delegate_to: "{{ groups.vault_instances[0] }}"
      run_once: true
      when: vault_status == '501'
      no_log: true
      environment:
        VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
        VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
      command: |
        vault operator init -key-shares={{ key_shares }} -key-threshold={{ key_threshold }} -format=json
      register: inited
      tags:
        - init
    ...
  • 14. Starting the Vault Server (workflow slide repeated)
    Write a server configuration file
    Start the server: vault server -config=<config_file_path>
    Initialize the server (generate the unseal keys & an initial token)
    Unseal the Vault server
    Log in
  • 15. Unsealing Vault
  • 16. Unsealing via CLI (1 of 3)
    Terminal:
    $ vault operator unseal
    Unseal Key (will be hidden):
    Key                Value
    ---                -----
    Seal Type          shamir
    Initialized        true
    Sealed             true
    Total Shares       5
    Threshold          3
    Unseal Progress    1/3
    Unseal Nonce       3c0b2c85-6d22-54e4-87ce-249061dd9d1c
    Version            1.1.0
    HA Enabled         false
  • 17. Unsealing via CLI (2 of 3)
    Terminal:
    $ vault operator unseal
    Unseal Key (will be hidden):
    Key                Value
    ---                -----
    Seal Type          shamir
    Initialized        true
    Sealed             true
    Total Shares       5
    Threshold          3
    Unseal Progress    2/3
    Unseal Nonce       3c0b2c85-6d22-54e4-87ce-249061dd9d1c
    Version            1.1.0
    HA Enabled         false
  • 18. Unsealing via CLI (3 of 3)
    Terminal:
    $ vault operator unseal
    Unseal Key (will be hidden):
    Key                Value
    ---                -----
    Seal Type          shamir
    Initialized        true
    Sealed             false
    Total Shares       5
    Threshold          3
    Version            1.1.0
    Cluster Name       vault-cluster-ad3f168d
    Cluster ID         9fcbb3bc-6d9b-98f5-3f2e-a0cf1040a260
    HA Enabled         false
  • 19. Automate Unsealing with Ansible
    ---
    # teamshare
    - name: 'unseal Hashicorp Vault with teamshare unseal'
      when: vault_status == '503' and not shamir
      environment:
        VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
        VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
      command: "vault operator unseal {{ item }}"
      with_items: "{{ unseal_keys_hex }}"
      no_log: true
      tags:
        - unseal
    Ansible Tip: use the task attribute no_log: true to avoid leaking sensitive information into syslog.
  • 20. Starting the Vault Server (workflow slide repeated)
    Write a server configuration file
    Start the server: vault server -config=<config_file_path>
    Initialize the server (generate the unseal keys & an initial token)
    Unseal the Vault server
    Log in
  • 21. Vault Server Setup Workflow Recap
    Write a server configuration file
    Start the server: vault server -config=<config_file_path>
    Initialize the server (generate the unseal keys & an initial token) - initial setup only
    Unseal the Vault server - only when the Vault server was restarted, or sealed intentionally
    Log in
  • 22. Challenge
    Unsealing process requires a threshold of unseal keys
    No single person holds the key to the Vault kingdom!
    Unsealing is a manual process and becomes painful when you have multiple Vault clusters
  • 23. Auto-Unseal (Copyright © 2017 HashiCorp)
    ▪ Instead of using shared keys based on Shamir's Secret Sharing algorithm, use the trusted cloud-based encryption key to protect the master key
    ▪ Supported cloud services today:
      ‣ AliCloud KMS
      ‣ AWS KMS
      ‣ Azure Key Vault
      ‣ GCP Cloud KMS
    ▪ Use Transit secrets engine
    Diagram: shared keys -> master key -> encryption key, versus cloud-based key -> master key -> encryption key
  • 24. HSM Support
    ▪ Vault Enterprise integrates with HSM to take advantage of HSMs to provide three pieces of special functionality:
      ‣ Master Key Wrapping: Vault protects its master key by transiting it through the HSM for encryption rather than splitting into key shares
      ‣ Auto Unsealing: Vault stores its HSM-wrapped master key in storage, allowing for automatic unsealing
      ‣ Seal Wrapping to provide FIPS KeyStorage-conforming functionality for Critical Security Parameters
  • 25. Master Key Wrapping and Auto-unseal
    ▪ Protect encryption key with master key
    ▪ HSM encryption key protects master key in place of Shamir's Secret Sharing
    ▪ Communication with HSM via PKCS #11 API to decrypt the master key
    Diagram: HSM key -> master keys -> encrypted keys, over PKCS#11
  • 26. Constraints
    1. On-Premise Infrastructure
    2. Independent from Cloud platform
    3. Redundancy & Flexibility
    4. Open Source/Free
  • 28. Integration: ★ 6.4k ★ 41.7k ★ 9.8k ★ 19.5k ★ 18.5k ★ 15k
  • 29. Tools: Vagrant, Packer, Consul, Vault. Roles: dockpack/centos7 Image, Dev Environment, Clustered Storage, Secrets Management
  • 30. Keybase
    Keybase is secure messaging and file-sharing.
    • Every account has a public history
    • Keybase Team Trust
    • User-Friendly PGP Encryption
    • Encrypted File System KBFS
    • Keybase Command Line
  • 31. Ansible
    ansible-galaxy install -r requirements.yml
    ---
    - src: brianshumate.consul
    - src: brianshumate.vault
    - src: leonallen22.ansible_role_keybase
    - src: dockpack.keybase_unseal
    • There is a lot of yaml in the galaxy
    • Automation after vault operator init
    • Automation before vault install
  • 32. Ansible: ansible-vault AES encrypted config files
    Note: Keybase has a safe place for the ansible-vault password file:
    ansible-vault encrypt /keybase/team/$KEYBASE_TEAM/vault.json
    export ANSIBLE_VAULT_PASSWORD_FILE=/keybase/team/$KEYBASE_TEAM/vault.pass
    Transparent use in automation:
    # This is the path where the encrypted JSON is shared.
    vault_credentials: "/keybase/team/{{ keybase_team }}/vault.json"
    include_vars: "{{ vault_credentials }}"
  • 33. Encrypt^2 (kbfs.yml)
    ---
    - name: save Vault credentials as pretty JSON
      delegate_to: localhost
      run_once: true
      become: false
      no_log: true
      when: vault_status == '501'
      copy:
        dest: "{{ vault_credentials }}"
        content: "{{ inited.stdout|from_json|to_nice_json }}"
        mode: 0600
      register: save_json
      tags:
        - init
    - name: encrypt pretty JSON with ansible-vault
      delegate_to: localhost
      run_once: true
      become: false
      no_log: true
      when: vault_status == '501'
      environment:
        # yamllint disable-line rule:line-length
        ANSIBLE_VAULT_PASSWORD_FILE: "{{ lookup('env','ANSIBLE_VAULT_PASSWORD_FILE') }}"
      command: "ansible-vault encrypt {{ vault_credentials }}"
      tags:
        - init
    ...
  • 34. Keybase Auto Unseal
    1. create accounts
    2. create team
    3. create sub-team for admins
    4. add members
    5. create vault.pass on KBFS
    6. use role in playbook
    github.com/dockpack/keybase_unseal
  • 36. Shamir Secrets Keybase Encrypted
    Define these group_vars:
    ---
    shamir: true
    keybase_team: dockpack.vault
    kbt:
      - basmeijer
      - fbezema
      - ksatirli
      - ferhaty
    Each Team Member sets their environment variable:
    export KBT_INDEX=0
    export KBT_INDEX=1
    export KBT_INDEX=2
    export KBT_INDEX=3
  • 37. Initialize Vault with Shamir Secrets Keybase Encrypted (shamir.yml)
    ---
    - name: initialize Hashicorp Vault
      delegate_to: "{{ groups.vault_instances[0] }}"
      run_once: true
      when: vault_status == '501'
      no_log: true
      environment:
        VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
        VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
      command: |
        vault operator init -key-shares={{ key_shares }} -key-threshold={{ key_threshold }} -format=json -pgp-keys="keybase:{{ kbt[0] }},keybase:{{ kbt[1] }},keybase:{{ kbt[2] }},keybase:{{ kbt[3] }}"
      register: inited
      tags:
        - init
    ...
  • 38. Which Encrypted Shamir Unseal Key is mine? (teamshare unseal)
    ---
    # shamir
    - name: 'set kbt_index from env, rank in array of keybase team list kbt.'
      when: vault_status == '503' and shamir|bool
      delegate_to: localhost
      run_once: true
      set_fact:
        kbt_index: "{{ lookup('env','KBT_INDEX') }}"
      tags:
        - unseal
        - shamir
    ...
  • 39. Unseal with my Encrypted Shamir Unseal Key (shamir unseal)
    ---
    - name: 'decrypt unseal key based on kbt_index'
      when: vault_status == '503' and shamir|bool
      delegate_to: localhost
      become: false
      run_once: true
      no_log: true
      shell: |
        set -o pipefail ; ansible-vault view /keybase/team/{{ keybase_team }}/vault.json | jq -r .unseal_keys_b64[{{ kbt_index }}] | base64 --decode | gpg -d
      register: unseal_key
      tags:
        - unseal
        - shamir
    - name: 'unseal Hashicorp Vault with tags=unseal'
      when: vault_status == '503' and shamir|bool
      no_log: true
      environment:
        VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
        VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
      command: "vault operator unseal {{ unseal_key.stdout }}"
      tags:
        - unseal
        - shamir
    ...
  • 40. ?
    Topics: Vault, Consul, Shamir, Keybase, PGP, KBFS, Unseal Key, Ansible, Packer, Vagrant, Cloud HSM, AWS KMS, Azure Key Vault, Ansible Vault, Keybase Teams, Blockchain, IAM, Playbook, Role, Root Token, Unsealing, Secure?, Encryption
    github.com/dockpack/vault_dojo
    vimeo.com/391099245
    learn.hashicorp.com
    https://github.com/dockpack/keybase_unseal/wiki
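The threshold property that slides 8, 9 and 22 rely on (5 unseal keys, any 3 reconstruct the master key, 2 reveal nothing) is easy to lose sight of behind the CLI output. The following is an added example, not code from the talk, from Vault or from the dockpack roles: a small Shamir's Secret Sharing implementation over a 127-bit prime field, with a demo that splits a constructed 15-byte "master key" 3-of-5 and checks every 3-share subset and every 2-share subset. Vault's own shamir package uses a different byte-wise encoding; the field, the key bytes, the share count and the threshold here are assumptions chosen for the demonstration.

```python
"""Shamir's Secret Sharing over a prime field (added example).

A secret is the constant term of a random polynomial of degree t-1; each
key share is one point on that polynomial.  Any t points determine the
polynomial (and so the secret); t-1 points leave every secret equally likely.
"""
import secrets
from itertools import combinations

# Field modulus: 2**127 - 1 is a Mersenne prime, so every non-zero element
# has a multiplicative inverse and Lagrange interpolation is well defined.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a0 + a1*x + ... + a_{t-1}*x^(t-1) mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, shares, threshold, rng=secrets.randbelow):
    """Split `secret` into `shares` points (x, y) with reconstruction
    threshold `threshold`.  `rng` is injectable so tests can be deterministic;
    real use keeps the default secrets.randbelow."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]
    # x = 0 would hand out the secret itself, so shares use x = 1..shares.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given points.
    Fewer than `threshold` points still yield a number, but one that is
    unrelated to the secret: that is exactly the threshold guarantee."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def key_to_int(key: bytes) -> int:
    """Encode a key of at most 15 bytes as a field element (< 2**120 < PRIME)."""
    if len(key) > 15:
        raise ValueError("key too long for this field (max 15 bytes)")
    return int.from_bytes(key, "big")


def int_to_key(value: int, length: int) -> bytes:
    return value.to_bytes(length, "big")


def demo(master_key: bytes = b"constructed-key", shares: int = 5, threshold: int = 3):
    """Split a constructed master key like `vault operator init` does by
    default (5 shares, threshold 3) and report which subsets recover it."""
    points = split_secret(key_to_int(master_key), shares, threshold)
    every_threshold_subset_recovers = all(
        int_to_key(recover_secret(subset), len(master_key)) == master_key
        for subset in combinations(points, threshold)
    )
    any_smaller_subset_recovers = any(
        recover_secret(subset) == key_to_int(master_key)
        for subset in combinations(points, threshold - 1)
    )
    return {
        "shares": shares,
        "threshold": threshold,
        "every_threshold_subset_recovers": every_threshold_subset_recovers,
        "any_smaller_subset_recovers": any_smaller_subset_recovers,
    }


if __name__ == "__main__":
    print(demo())
```

The demo mirrors the deck's setup: the four Keybase team members on slide 36 each hold one PGP-encrypted share of the kind slide 37 produces, and slide 39 feeds exactly one decrypted share per run to `vault operator unseal`, so the threshold count of runs is what finally unseals the server.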