London Hug 20/6 - Vault production

1. Vault in Production at Apptio
Lee Briggs, Snr Infrastructure Engineer

2. $(whoami)
© 2016 Apptio, All rights reserved (v2.5)
- Based in London
- Work for Apptio
- Github: https://github.com/jaxxstorm
- Twitter: https://twitter.com/briggsl
- Blog: https://www.leebriggs.co.uk

3. Apptio Infrastructure

4. Some Apptio numbers
- Almost 6000 unique "vms"
- 15 global "datacenters": physical and AWS VPCs
- Hundreds of MySQL databases
- Over 3.5 petabytes of raw storage
- Over 178Tb of memory
- Over 170,000 CPU cores

5. "The (initial) problem"
How do we provide audited access to lots of MySQL instances?

6. Vault
Vault provides:
- Audit logging
- MySQL credential management
- High availability
- A secure way to store credentials

7. Vault: what we needed to figure out
- How to deploy Vault in 15 datacenters: automated, easily configurable
- How to connect several hundred databases to those Vaults
- High availability
- Sane backups
- Make it easier than passing around passwords or looking in app config files

8. The journey

9. Step 1: Deploy Vault
- We already had Consul in all DCs
  - Spread across racks in the DC, across AZs in AWS
  - Connected using WAN federation
- We use Puppet for configuration management
  - The Puppet module takes care of download/install
  - Connects to Consul as the HA backend; this also provides us with TLS
- We deployed Vault onto all Consul servers

10. Step 2: Initialise Vault
- Automating this isn't trivial
- Plaintext keys are bad: by default, Vault outputs plaintext unseal keys
- Solution: use the GPG support
  - We already used GPG to store encrypted files in git (Puppet + eyaml, also git-crypt)
  - This way, the keys are protected by each user's GPG private key
- We used the API to init Vault in each DC
- We provide 7 GPG keys, and need 3 users to unseal a Vault

11. Step 3: Unseal the Vault
- At this stage, we have around 60 instances of Vault to unseal
- Doing this "manually" is obviously not tenable
- Automating this is dangerous

12. Unseal
https://github.com/jaxxstorm/unseal
- Add your Vault servers to a config file
- Add your encrypted unseal key (you can also put the plaintext key, but don't!)
- Prompts for your GPG keyring password (if you're running GPG agent, this is a security risk)
- Unseals all Vaults: each unseal command runs in a goroutine
- Can send the unseal command to 75 Vaults in around 15s!
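The unseal tool in slide 12 sends one user's single key share to every Vault in parallel, so no one person and no automation ever holds the threshold of shares. The Go program below is an added illustration of that pattern written for this page (it is not the jaxxstorm/unseal tool): it submits one share to a list of servers through Vault's real `PUT /v1/sys/unseal` API, one goroutine per server, against constructed in-process stand-ins so it runs offline. The 3-of-7 split, the server list and the share strings are assumed values, and the share is taken as an already-decrypted string (the GPG step is not shown).

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// Result holds the fields Vault returns from PUT /v1/sys/unseal for one server, or the error.
type Result struct {
	Err      error `json:"-"`
	Sealed   bool  `json:"sealed"`
	T        int   `json:"t"`        // unseal threshold (3 in the talk)
	Progress int   `json:"progress"` // shares accepted so far
}

// unsealOne submits a single key share to one Vault; the tool never holds the other shares.
func unsealOne(client *http.Client, addr, share string) (r Result) {
	body, _ := json.Marshal(map[string]string{"key": share})
	req, err := http.NewRequest(http.MethodPut, addr+"/v1/sys/unseal", bytes.NewReader(body))
	if err != nil {
		return Result{Err: err}
	}
	resp, err := client.Do(req)
	if err != nil {
		return Result{Err: err}
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return Result{Err: fmt.Errorf("%s: HTTP %d", addr, resp.StatusCode)}
	}
	r.Err = json.NewDecoder(resp.Body).Decode(&r)
	return r
}

// UnsealAll fans one share out to every Vault in its own goroutine; results[i] belongs to
// addrs[i]. The client timeout bounds each request so an unreachable DC cannot stall the rest.
func UnsealAll(addrs []string, share string, timeout time.Duration) []Result {
	client := &http.Client{Timeout: timeout}
	results := make([]Result, len(addrs))
	var wg sync.WaitGroup
	for i, addr := range addrs {
		wg.Add(1)
		go func(i int, addr string) {
			defer wg.Done()
			results[i] = unsealOne(client, addr, share) // distinct index per goroutine: no lock needed
		}(i, addr)
	}
	wg.Wait()
	return results
}

// fakeVault is a constructed stand-in for a Vault server so the example runs offline: it
// counts distinct shares and reports sealed=false once the threshold is reached.
func fakeVault(threshold int) *httptest.Server {
	seen := map[string]bool{} // each fake gets one request per UnsealAll call, so no lock needed
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in struct{ Key string `json:"key"` }
		if r.Method != http.MethodPut || r.URL.Path != "/v1/sys/unseal" || json.NewDecoder(r.Body).Decode(&in) != nil || in.Key == "" {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		seen[in.Key] = true
		json.NewEncoder(w).Encode(Result{Sealed: len(seen) < threshold, T: threshold, Progress: len(seen)})
	}))
}

func main() {
	// Constructed 3-of-7 split as in the talk: three "users" each submit their own share.
	addrs := []string{fakeVault(3).URL, fakeVault(3).URL, fakeVault(3).URL}
	for _, share := range []string{"share-A", "share-B", "share-C"} {
		for i, r := range UnsealAll(addrs, share, 5*time.Second) {
			fmt.Printf("%s sealed=%v progress=%d/%d err=%v\n", addrs[i], r.Sealed, r.Progress, r.T, r.Err)
		}
	}
}
```

After the first user's run every server reports sealed=true with progress 1/3; only the third distinct share flips them to unsealed, which is what makes the automation safe to hand to each key holder.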
13. Unseal Demo

14. Step 4: Configure the Vault
- We now need to add some configuration for all DCs
- Answers:
  - https://github.com/UKHomeOffice/vaultctl
  - https://www.hashicorp.com/blog/codifying-vault-policies-and-configuration/
- Allows you to define the Vault config in YAML, then run vaultctl to configure your Vault server as you require
  - Enable LDAP with config
  - Enable audit logging
  - Enable MySQL backend
- We run this in a loop for all DCs; only need to hit a single Vault server in each DC

15. Step 5: Add MySQL configuration
- We provision VMs using an internal tool, "selfserve"
- When a VM is provisioned for a DB, Puppet runs and installs MySQL
  - Puppet adds a "vault" user with grants
  - We then add roles to each DB config: readonly and full
- Selfserve makes an API call to that region's Vault, adding it as a backend
  - Selfserve has its own token, which has write permissions to the MySQL backend via policy
- We mount all databases with path mysql/<hostname>

16. Step 6: Make logins easy
- Configure LDAP auth with policies for customers mapped to LDAP groups
  - Some people can get write access, some only get read access
- However, authing with LDAP and then having to do vault write was difficult for users to remember
  - Have to vault auth, then vault read <creds>
  - Having to look this up when on-call isn't fun if you don't do it regularly

17. Breakglass
- A simple Golang command line tool to automate the login process
- Prompts for your AD password, and you specify the MySQL host you need
- It finds the correct Vault endpoint using DNS forwarding, and then automatically drops you into a MySQL shell
- Inspired by vault ssh
- It's not currently open source, but hoping to have that done by end of Q3

18. Breakglass Demo

19. More Considerations

20. ACLs
- If you're using Consul as your backend, turn on ACLs!
- You should also block access to port 8500/8501 where possible
  - Consul can be used extensively to pivot to RCE: http://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html
- If you store your secrets in Consul, don't let someone delete them
  - By default, the Consul web API allows access to delete and modify any key
  - This requires an investment in implementing tokens; you can use Vault to manage these!

21. Backups
- When we init Vault, we use the key prefix "vault/$datacenter"
  - Our DCs are completely distinct; we never share secrets between DCs
- We use consul snapshot to take backups
  - Take them once per hour
  - We copy them to another DC
- We test restores weekly:
  - Start Vault on a different port
  - Connect it to the existing Consul with the "vault/$datacenter" prefix
  - All done via Ansible
  - Have users unseal (users run it when they come online)
  - Verify integrity
  - Shut down

22. Lessons Learned
- Pick 1 thing and "vault it": trying to secure all your secrets in Vault straight away can be overwhelming
  - We now store the majority of our secrets in Vault after lessons learned from MySQL
- Have a good story for configuration, backups and unsealing
- Consul + Vault has a great HA story, as long as you use Consul's service discovery of course
- "Automated" secret management has trade-offs; be aware of them
- Abstract away the user pain where possible
- Golang is great for cmdline tools! These packages use viper + cobra: https://github.com/spf13/cobra

23. THANK YOU