The document discusses managing secrets securely. It covers storing secrets in a secured key-value store with encryption, access controls, and auditing. Dynamic secrets are generated on-demand without stored root passwords. The key-value store supports generic secrets, dynamic secrets, versions, rollbacks, and integrating with systems like AWS, databases, and SSH.
28. Certs, passwords, API tokens, sensitive data
Secured KV Store
Good PKI
REST API
Encryption as a service
Storage backends
Active/Standby
UI
Dynamic secrets
29. Certs, passwords, API tokens, sensitive data
Secured KV Store
Dynamic secrets
Good PKI
ACL Policies
REST API
Auth backends
Audit
Encryption as a service
Storage backends
Active/Standby
UI
36. The Triple AAA: Authn, Authz, Audit
Circle of Trust: a machine workflow in which a secret is injected on deploy (for example /var/run/secrets/kubernetes.io/serviceaccount/token); login with that secret yields a token.
53. Shamir secret sharing
Data is encrypted at rest
Protect the encryption key with a master key
Split the master key into N shares (the unseal keys)
A quorum of the N shares is needed to unseal
Diagram: Master Key, Unseal Keys, Encryption Key, Storage backend (Read/Write)