
Vault 101

76 views

Published on

Hashicorp Vault - Manage Secrets and Protect Sensitive Data.
Vault is becoming the most popular tool to manage, secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.

In this talk we will cover the most powerful features of HashiCorp Vault in both editions (Open Source and Enterprise) and how we can implement a solution in our dynamic infrastructure.

Published in: Technology


  1. Partner of: @HazzimIO
     Manage Secrets and Protect Sensitive Data
  2. HashiCorp is a software company based in San Francisco, California. HashiCorp provides open-source tools and commercial products that enable developers, operators and security professionals to provision, secure, run and connect cloud-computing infrastructure. Founded in 2012 by Mitchell Hashimoto and Armon Dadgar.
  3. (no text)
  4. (no text)
  5. Vault Open Source addresses the technical complexity of managing secrets across distributed cloud infrastructure. Vault Enterprise addresses the organizational complexity of large organizations with governance and multi-datacenter features.
  6. How Vault Works
     • Vault tightly controls access to secrets and encryption keys by authenticating against trusted sources of identity such as Active Directory, LDAP, Kubernetes, CloudFoundry, and cloud platforms.
     • Vault enables fine-grained authorization of which users and applications are permitted access to secrets and keys.
  7. Concepts
  8. SEAL/UNSEAL
     • When a Vault server is started, it starts in a sealed state.
     • The only possible operations are to unseal the Vault and check the status of the unseal.
     • Unsealing is the process of constructing the master key necessary to read the decryption key to decrypt the data, allowing access to the Vault.
  9. SEAL/UNSEAL
     • The data stored by Vault is stored encrypted.
     • Vault needs the encryption key in order to decrypt the data.
     • The encryption key is also stored with the data, but encrypted with another encryption key known as the master key.
  10. SEAL/UNSEAL
     • The master key isn't stored anywhere.
     • Vault must decrypt the encryption key, which requires the master key.
     • Unsealing is the process of reconstructing this master key.
  11. SEAL/UNSEAL
     • Instead of distributing this master key as a single key to an operator, Vault uses an algorithm known as Shamir's Secret Sharing to split the key into shards.
     • A certain threshold of shards is required to reconstruct the master key (e.g. 3 of 5).
  12. SEAL/UNSEAL (diagram: key shares, master key, encryption key)
  13. Lease, Renew, and Revoke
     • With every dynamic secret and service-type authentication token, Vault creates a lease: metadata containing information such as a time duration, renewability, and more.
     • Vault promises that the data will be valid for the given duration, or Time To Live (TTL).
  14. Authentication
     • Authentication in Vault is the process by which user- or machine-supplied information is verified against an internal or external system.
     • Vault supports multiple auth methods: GitHub, LDAP, AppRole, Username/Password, and cloud providers (AWS/GCP/Azure and more).
  15. TOKENS
     • Tokens are the core method for authentication within Vault. Tokens can be used directly, or auth methods can be used to dynamically generate tokens based on external identities.
     • Within Vault, tokens map to information. The most important information mapped to a token is a set of one or more attached policies.
     • These policies control what the token holder is allowed to do within Vault.
  16. POLICIES
     • Everything in Vault is path based, and policies are no exception. Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault.
     • Policies are deny by default, so an empty policy grants no permission in the system.
  17. POLICIES
        # Permit reading only "secret/foo". An attached token cannot read "secret/food"
        # or "secret/foo/bar".
        path "secret/foo" {
          capabilities = ["read"]
        }

        # Permit reading everything under "secret/bar". An attached token could read
        # "secret/bar/zip", "secret/bar/zip/zap", but not "secret/bars/zip".
        path "secret/bar/*" {
          capabilities = ["read"]
        }

        # Permit reading everything prefixed with "zip-". An attached token could read
        # "secret/zip-zap" or "secret/zip-zap/zong", but not "secret/zip/zap".
        path "secret/zip-*" {
          capabilities = ["read"]
        }
  18. Revoke root token
     • CLI
        $ vault token revoke "<token>"
     • API
        $ curl --request POST --header "X-Vault-Token: ..." --data '{"token": "<token>"}' https://vault.hashicorp.rocks/v1/auth/token/revoke
  19. High Availability Mode (HA)
     • Vault supports a multi-server mode for high availability.
     • High availability mode is automatically enabled when using a data store that supports it.
     • Currently there are several storage backends that support high availability mode, including Consul, ZooKeeper and etcd.
  20. High Availability Mode (HA)
     • To be highly available, one of the Vault server nodes grabs a lock within the data store.
     • The successful server node then becomes the active node; all other nodes become standby nodes.
     • Due to this architecture, HA does not enable increased scalability.
     • In general, the bottleneck of Vault is the data store itself, not Vault core.
  21. USE CASES
  22. General Secret Storage
     • At a bare minimum, Vault can be used for the storage of any secrets. For example, Vault would be a fantastic way to store sensitive environment variables, database credentials, API keys, etc.
  23. Employee Credential Storage
     • While this overlaps with "General Secret Storage", Vault is a good mechanism for storing credentials that employees share to access web services.
     • The audit log mechanism lets you know what secrets an employee accessed, and when an employee leaves it is easier to roll keys and understand which keys have and haven't been rolled.
  24. API Key Generation for Scripts
     • The "dynamic secrets" feature of Vault is ideal for scripts: an AWS access key can be generated for the duration of a script, then revoked.
     • The keypair will not exist before or after the script runs, and the creation of the keys is completely logged.
  25. Data Encryption
     • In addition to being able to store secrets, Vault can be used to encrypt/decrypt data that is stored elsewhere.
     • The primary use of this is to allow applications to encrypt their data while still storing it in the primary data store.
     • The benefit of this is that developers do not need to worry about how to properly encrypt data.
     • The responsibility of encryption is on Vault and the security team managing it, and developers just encrypt/decrypt data as needed.
  26. Audit Devices
     • Audit devices are the components in Vault that keep a detailed log of all requests and responses to Vault.
     • Because every operation with Vault is an API request/response, the audit log contains every authenticated interaction with Vault, including errors.
     • Multiple audit devices can be enabled, and Vault will send the audit logs to all of them.
  27. Audit Devices: Sensitive information
     • The audit logs contain the full request and response objects for every interaction with Vault.
     • The request and response can be matched using a unique identifier assigned to each request.
     • The data in the request and the data in the response (including secrets and authentication tokens) will be hashed with a salt using HMAC-SHA256.
  28. Audit Devices
     • File: the file audit device writes audit logs to a file. This is a very simple audit device: it appends logs to a file.
     • Syslog: the syslog audit device writes audit logs to syslog.
     • Socket: the socket audit device writes to a TCP, UDP, or UNIX socket.
  29. Enterprise features
  30. Replication
     • The core unit of Vault replication is a cluster, which is comprised of a collection of Vault nodes (an active node and its corresponding HA nodes).
     • Multiple Vault clusters communicate in a one-to-many, near-real-time flow.
     • Replication operates on a leader/follower model, wherein a leader cluster (primary) is linked to a series of follower secondary clusters.
  31. Replication
     • The primary cluster acts as the system of record and asynchronously replicates most Vault data.
     • All communication between primaries and secondaries is end-to-end encrypted with mutually authenticated TLS sessions, set up via replication tokens which are exchanged during bootstrapping.
     • What data is replicated between the primary and secondary depends on the type of replication that is configured.
  32. Performance Replication and Disaster Recovery (DR) Replication
     • Performance Replication: secondaries keep track of their own tokens and leases but share the underlying configuration, policies, and supporting secrets.
     • Disaster Recovery (DR) Replication: secondaries share the same underlying configuration, policy, and supporting secrets infrastructure as the primary.
  33. HSM Support
     • A feature that takes advantage of HSMs to provide three pieces of special functionality:
     • Master Key Wrapping: Vault protects its master key by transiting it through the HSM for encryption rather than splitting it into key shares.
     • Automatic Unsealing: Vault stores its HSM-wrapped master key in storage, allowing for automatic unsealing.
     • Seal Wrapping: provides FIPS KeyStorage-conforming functionality for Critical Security Parameters.
  34. Namespaces
     • Many organizations implement Vault as a "service", providing centralized management for teams within an organization while ensuring that those teams operate within isolated environments known as tenants.
     • There are two common challenges when implementing this architecture in Vault.
  35. Tenant Isolation
     • Frequently, teams within a VaaS environment require strong isolation from other users in their policies, secrets, and identities.
     • Tenant isolation is typically a result of compliance regulations such as GDPR, though it may be necessitated by corporate or organizational infosec requirements.
  36. Self-Management
     • As new tenants are added, there is an additional human cost in the management overhead for teams.
     • Given that tenants will likely have different policies and request changes at a different rate, managing a multi-tenant environment can become very difficult for a single team as the number of tenants within that organization grows.
  37. MFA Support
     • Vault Enterprise has support for Multi-factor Authentication (MFA), using different authentication types. MFA is built on top of the Identity system of Vault.
     • MFA in Vault can be of the following types: Time-based one-time password, Okta, Duo, PingID.
  38. Contact
     • @DevOpsGDL
     • facebook.com/groups/devopsgdl/
     • meetup.com/devopsgdl/
     • devopsgdl@gmail.com
  39. Contact
     • hazzim.anaya@digitalonus
     • hazzim.anaya@gmail.com
     • @HazzimIO
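Slides 8 to 12 describe splitting the master key with Shamir's Secret Sharing so that a threshold of shards (3 of 5) rebuilds it. The following is an added example, not code from the deck or from HashiCorp: it implements the split and the threshold reconstruction over one prime field and checks that every 3-share quorum recovers a constructed stand-in key while no 2-share subset does (the arithmetic is a simplified single-field-element version, not Vault's own byte-wise implementation).

```python
import secrets
from itertools import combinations

# Arithmetic is done in GF(p) with p = 2**127 - 1 (a Mersenne prime), so any
# secret that fits in 127 bits can be shared as a single field element.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a0 + a1*x + a2*x^2 + ... (mod PRIME)."""
    result = 0
    for coeff in reversed(coeffs):
        result = (result * x + coeff) % PRIME
    return result


def split_secret(secret: int, shares: int, threshold: int, rng=None):
    """Return `shares` points (x, y) on a random polynomial of degree
    threshold-1 whose constant term is the secret (Shamir's scheme)."""
    rng = rng or secrets.SystemRandom()
    if not 1 <= threshold <= shares or not 0 <= secret < PRIME:
        raise ValueError("bad threshold/share count, or secret too large for field")
    # Non-zero random coefficients; the secret is f(0).
    coeffs = [secret] + [rng.randrange(1, PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points) -> int:
    """Lagrange interpolation at x = 0. Correct only when at least `threshold`
    distinct points are supplied; with fewer, the result is some other value."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def all_quorums_recover(secret: int, shares: int = 5, threshold: int = 3) -> bool:
    """Check that every `threshold`-of-`shares` subset rebuilds the secret
    and that no smaller subset does, mirroring the 3-of-5 unseal quorum."""
    points = split_secret(secret, shares, threshold)
    good = all(recover_secret(q) == secret for q in combinations(points, threshold))
    bad = all(recover_secret(q) != secret for q in combinations(points, threshold - 1))
    return good and bad


if __name__ == "__main__":
    # Constructed stand-in for a master key (must be < 2**127).
    print(all_quorums_recover(int.from_bytes(b"constructed-key", "big")))
```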
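Slides 16 and 17 state that policies are deny by default and show three path rules with trailing-`*` globs. As an added example (mine, not the deck's or Vault's code), the block below parses that `path "..." { capabilities = [...] }` subset of HCL and evaluates requests against it, reproducing the allow/deny outcomes the slide's comments list; it also honours Vault's `deny` capability on the most specific matching rule, which the slide does not show, and ignores other Vault syntax such as the `+` segment wildcard.

```python
import re

# The policy from slide 17, with the comments shortened (constructed copy).
POLICY_HCL = '''
# Permit reading only "secret/foo".
path "secret/foo" { capabilities = ["read"] }
# Permit reading everything under "secret/bar".
path "secret/bar/*" { capabilities = ["read"] }
# Permit reading everything prefixed with "zip-".
path "secret/zip-*" { capabilities = ["read"] }
'''

# Matches one `path "<pattern>" { capabilities = [ ... ] }` stanza.
_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl: str):
    """Return a list of (path_pattern, set_of_capabilities) from the subset of
    Vault policy HCL used on the slide; comments and other blocks are ignored."""
    rules = []
    for pattern, caps in _RULE.findall(hcl):
        rules.append((pattern, set(re.findall(r'"([^"]+)"', caps))))
    return rules


def _matches(pattern: str, path: str) -> bool:
    # A '*' is only meaningful at the end of a pattern, where it is a prefix
    # glob ("secret/bar/*", "secret/zip-*"); anything else is an exact match.
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def allowed(rules, path: str, capability: str) -> bool:
    """Deny by default: permit only if the most specific (longest) matching
    rule lists the capability and does not carry an explicit deny."""
    matching = [rule for rule in rules if _matches(rule[0], path)]
    if not matching:
        return False
    _, caps = max(matching, key=lambda rule: len(rule[0]))
    return capability in caps and "deny" not in caps


if __name__ == "__main__":
    rules = parse_policy(POLICY_HCL)
    for p in ["secret/foo", "secret/food", "secret/bar/zip", "secret/bars/zip"]:
        print(p, "read:", allowed(rules, p, "read"))
```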
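Slide 27 notes that tokens and secrets in the audit log are salted HMAC-SHA256 values, and slide 23 relies on that log to see which secrets a person accessed. The following added example (not the deck's or Vault's code) shows the defender's side of that design: because the HMAC is keyed with a per-device salt, an analyst who already holds a specific value, such as a token found exposed, can hash it the same way and find the audit entries where it was used, while the log itself never reveals the token. The salt, the `hmac-sha256:` prefix layout and the three JSON log lines are constructed here; in a real deployment the salt stays inside Vault and the comparable hash is obtained from the `/sys/audit-hash/<device>` API.

```python
import hashlib
import hmac
import json

# Constructed per-device salt. In a real deployment the salt never leaves Vault;
# the equivalent hash comes from the /sys/audit-hash/<device> API instead.
SALT = b"constructed-audit-salt"


def audit_hash(value: str, salt: bytes = SALT) -> str:
    """Render a sensitive value the way the audit log records it: a salted
    HMAC-SHA256, hex-encoded, with Vault's 'hmac-sha256:' prefix."""
    digest = hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()
    return f"hmac-sha256:{digest}"


def _entry(request_id: str, path: str, token: str) -> str:
    """Build one constructed JSON audit line with the token already hashed."""
    return json.dumps({
        "type": "request",
        "auth": {"client_token": audit_hash(token)},
        "request": {"id": request_id, "operation": "read", "path": path},
    })


# Three constructed audit lines; the tokens are placeholders, not real ones.
AUDIT_LOG = [
    _entry("req-0001", "secret/foo", "s.constructed-token-A"),
    _entry("req-0002", "secret/bar/zip", "s.constructed-token-B"),
    _entry("req-0003", "secret/foo", "s.constructed-token-A"),
]


def find_token_usage(log_lines, token: str, salt: bytes = SALT):
    """Return (request id, path) pairs where a token you already hold was
    used, by comparing its HMAC with the hashed client_token in each line."""
    target = audit_hash(token, salt)
    hits = []
    for line in log_lines:
        entry = json.loads(line)
        if entry.get("auth", {}).get("client_token") == target:
            hits.append((entry["request"]["id"], entry["request"]["path"]))
    return hits


if __name__ == "__main__":
    print(find_token_usage(AUDIT_LOG, "s.constructed-token-A"))
```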