
Bas Meijer
Software Engineer/DevOps Coach
HUG Amsterdam Co-Organizer
Ansible Ambassador
@bbaassssiiee

Keybase Auto Unseal - Bas Meijer
HashiTalks 2020
Friday, February 21, 08:00 - 08:30 GMT

Purpose
1. Automate provisioning Vault on Consul cluster
2. Securely store the keys to the Vault kingdom
3. Enable team to unseal automatically

Structure of this presentation
• Vault setup background info
• Start Vault, Initialize, Unseal
• Use the CLI, UI manually
• Automate and/or Secure?
• A Dilemma?
• Open Source Reference Project
Copyright © 2019 HashiCorp
Starting the Vault Server
1. Write a server configuration file
2. Start the server: vault server -config=<config_file_path>
3. Initialize the server (generate the unseal keys & an initial token)
4. Unseal the Vault server
5. Log in
Vault Server Initialization
▪ Initialization is the process of configuring the Vault:
‣ Encryption key gets generated
‣ Unseal keys are created
‣ Initial root token is set up
Seal / Unseal
▪ When a Vault server is started, it starts in sealed mode: it doesn't know how to decrypt the data
▪ Unsealing is the process of constructing the master key necessary to read the decryption key that decrypts the data
▪ Why?
‣ The data stored by Vault is encrypted with the encryption key
‣ The encryption key is encrypted with the master key
‣ The master key is NOT stored anywhere
Shamir's Secret Sharing
[Figure: the encryption key is protected by a master key; the master key is split into key shares (unseal keys) handed to team members (Bob, James, Jennifer, Pam, Tom; Stephan, Kitty, Rudolf, Lars, Marjan).]
A threshold of unseal keys is required to unseal Vault so that the key to the kingdom won't fall into one person's hands!
Initialize a Vault Server via CLI
$ vault operator init
Unseal Key 1: oL8fJP4KreJPbZWIgui340j5bNclip9zGVcYIzElsoF1
Unseal Key 2: Ke9VZlGzuVaf4HJB8c9KQR2j8rFTBALV1fD3hjE5pHoY
Unseal Key 3: 4X6Ja/RpMwNabYzklZKxxXVznLQFGgSiVW7Wx8LWOkQn
Unseal Key 4: dhI04g8dIQSXI11BIC6Gtwy/QaJWhVYoFYwKF9UI6axO
Unseal Key 5: IQ2Ls630Sjd/oEQyTmwwpuFEUTiJP4FX2UI3uZMZoa+x
Initial Root Token: s.arHAbYvyeZQH8StLc5OHtbt4
Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys. When the Vault is re-sealed,
restarted, or stopped, you must provide at least 3 of these keys
to unseal it again.
...
Initializing Vault (1 of 2) [UI screenshot]
Initializing Vault (2 of 2) [UI screenshot]
Initializing Vault via UI (2 of 2) [UI screenshot]

Initializing Vault via Ansible
teamshare.yml
---
- name: initialize Hashicorp Vault
  delegate_to: "{{ groups.vault_instances[0] }}"
  run_once: true
  when: vault_status == '501'
  no_log: true
  environment:
    VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
    VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
  command: |
    vault operator init
    -key-shares={{ key_shares }}
    -key-threshold={{ key_threshold }}
    -format=json
  register: inited
  tags:
    - init
...
Unsealing Vault [UI screenshot]
Unsealing via CLI (1 of 3)
$ vault operator unseal
Unseal Key (will be hidden):
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          true
Total Shares    5
Threshold       3
Unseal Progress 1/3
Unseal Nonce    3c0b2c85-6d22-54e4-87ce-249061dd9d1c
Version         1.1.0
HA Enabled      false
Unsealing via CLI (2 of 3)
$ vault operator unseal
Unseal Key (will be hidden):
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          true
Total Shares    5
Threshold       3
Unseal Progress 2/3
Unseal Nonce    3c0b2c85-6d22-54e4-87ce-249061dd9d1c
Version         1.1.0
HA Enabled      false
Unsealing via CLI (3 of 3)
$ vault operator unseal
Unseal Key (will be hidden):
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.1.0
Cluster Name    vault-cluster-ad3f168d
Cluster ID      9fcbb3bc-6d9b-98f5-3f2e-a0cf1040a260
HA Enabled      false
Automate Unsealing with Ansible
---
# teamshare
- name: 'unseal Hashicorp Vault with teamshare unseal'
  when: vault_status == '503' and not shamir
  environment:
    VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
    VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
  command: "vault operator unseal {{ item }}"
  with_items: "{{ unseal_keys_hex }}"
  no_log: true
  tags:
    - unseal
Ansible Tip: use the action attribute no_log: true to avoid leaking sensitive information into syslog.
Vault Server Setup Workflow Recap
1. Write a server configuration file
2. Start the server: vault server -config=<config_file_path>
3. Initialize the server (generate the unseal keys & an initial token)
4. Unseal the Vault server
5. Log in
Annotations: the steps above are the initial setup; unsealing again is needed only when the Vault server was restarted, or sealed intentionally.
Challenge
Unsealing process requires a threshold of unseal keys
No single person holds the key to the Vault kingdom!
Unsealing is a manual process and becomes painful when you have multiple Vault clusters
Copyright © 2017 HashiCorp
Auto-Unseal Vault
▪ Instead of using shared keys based on Shamir's Secret Sharing algorithm, use the trusted cloud-based encryption key to protect the master key
▪ Supported cloud services today:
‣ AliCloud KMS
‣ AWS KMS
‣ Azure Key Vault
‣ GCP Cloud KMS
▪ Use Transit secrets engine
[Figure: Shamir: shared keys -> master key -> encryption key; auto-unseal: cloud-based key -> master key -> encryption key]
HSM Support
▪ Vault Enterprise integrates with HSMs to provide three pieces of special functionality:
‣ Master Key Wrapping: Vault protects its master key by transiting it through the HSM for encryption rather than splitting it into key shares
‣ Auto Unsealing: Vault stores its HSM-wrapped master key in storage, allowing for automatic unsealing
‣ Seal Wrapping to provide FIPS KeyStorage-conforming functionality for Critical Security Parameters
Master Key Wrapping and Auto-unseal
▪ Protect encryption key with master key
▪ HSM encryption key protects master key in place of Shamir's Secret Sharing
▪ Communication with HSM via PKCS #11 API to decrypt the master key
[Figure: HSM key -> (PKCS#11) -> master keys -> encrypted keys]

Constraints
1. On-Premise Infrastructure
2. Independent from Cloud platform
3. Redundancy & Flexibility
4. Open Source/Free

Searching the internet...
Integration
[Figure: logos and GitHub star counts of the integrated open source projects: 6.4k, 41.7k, 9.8k, 19.5k, 18.5k, 15k]
Vagrant and Packer: dockpack/centos7 image and dev environment
Consul: clustered storage
Vault: secrets management
Keybase
Keybase is secure messaging and file-sharing.
• Every account has a public history
• Keybase Team Trust
• User-Friendly PGP Encryption
• Encrypted File System KBFS
• Keybase Command Line
Ansible
ansible-galaxy install -r requirements.yml
---
- src: brianshumate.consul
- src: brianshumate.vault

- src: leonallen22.ansible_role_keybase

- src: dockpack.keybase_unseal
• There is a lot of yaml in the galaxy
• Automation after vault operator init
• Automation before vault install
Ansible
ansible-vault AES encrypted config files
Transparent use in automation
Note: Keybase has a safe place for the ansible-vault password file:
ansible-vault encrypt /keybase/team/$KEYBASE_TEAM/vault.json
export ANSIBLE_VAULT_PASSWORD_FILE=/keybase/team/$KEYBASE_TEAM/vault.pass
# This is the path where the encrypted JSON is shared.
vault_credentials: "/keybase/team/{{ keybase_team }}/vault.json"

include_vars: "{{ vault_credentials }}"

Encrypt^2
kbfs.yml
---
- name: save Vault credentials as pretty JSON
  delegate_to: localhost
  run_once: true
  become: false
  no_log: true
  when: vault_status == '501'
  copy:
    dest: "{{ vault_credentials }}"
    content: "{{ inited.stdout|from_json|to_nice_json }}"
    mode: 0600
  register: save_json
  tags:
    - init
- name: encrypt pretty JSON with ansible-vault
  delegate_to: localhost
  run_once: true
  become: false
  no_log: true
  when: vault_status == '501'
  environment:
    # yamllint disable-line rule:line-length
    ANSIBLE_VAULT_PASSWORD_FILE: "{{ lookup('env','ANSIBLE_VAULT_PASSWORD_FILE') }}"
  command: "ansible-vault encrypt {{ vault_credentials }}"
  tags:
    - init
...
Keybase Auto Unseal
1. Create accounts
2. Create team
3. Create sub-team for admins
4. Add members
5. Create vault.pass on KBFS
6. Use role in playbook
github.com/dockpack/keybase_unseal

Keybase: Shamir Secrets Keybase Encrypted
Define these group_vars:
---
shamir: true
keybase_team: dockpack.vault
kbt:
  - basmeijer
  - fbezema
  - ksatirli
  - ferhaty
Each team member sets their environment variable to their own position in the kbt list:
export KBT_INDEX=1
export KBT_INDEX=3
export KBT_INDEX=0
export KBT_INDEX=2

Initialize Vault with Shamir Secrets Keybase Encrypted
shamir.yml
---
- name: initialize Hashicorp Vault
  delegate_to: "{{ groups.vault_instances[0] }}"
  run_once: true
  when: vault_status == '501'
  no_log: true
  environment:
    VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
    VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
  command: |
    vault operator init
    -key-shares={{ key_shares }}
    -key-threshold={{ key_threshold }}
    -format=json
    -pgp-keys="keybase:{{ kbt[0] }},keybase:{{ kbt[1] }},keybase:{{ kbt[2] }},keybase:{{ kbt[3] }}"
  register: inited
  tags:
    - init
...

Which Encrypted Shamir Unseal Key is mine?
teamshare unseal
---
# shamir
- name: 'set kbt_index from env: the index into the keybase team list kbt'
  when: vault_status == '503' and shamir|bool
  delegate_to: localhost
  run_once: true
  set_fact:
    kbt_index: "{{ lookup('env','KBT_INDEX') }}"
  tags:
    - unseal
    - shamir
...

Unseal with my Encrypted Shamir Unseal Key
shamir unseal
---
- name: 'decrypt unseal key based on kbt_index'
  when: vault_status == '503' and shamir|bool
  delegate_to: localhost
  become: false
  run_once: true
  no_log: true
  # the pipeline is continued with backslashes and 'set -o pipefail' is a
  # bash option, so run it under bash instead of the default /bin/sh
  shell: |
    set -o pipefail
    ansible-vault view /keybase/team/{{ keybase_team }}/vault.json \
      | jq -r '.unseal_keys_b64[{{ kbt_index }}]' \
      | base64 --decode \
      | gpg -d
  args:
    executable: /bin/bash
  register: unseal_key
  tags:
    - unseal
    - shamir
- name: 'unseal Hashicorp Vault with tags=unseal'
  when: vault_status == '503' and shamir|bool
  no_log: true
  environment:
    VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
    VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
  command: "vault operator unseal {{ unseal_key.stdout }}"
  tags:
    - unseal
    - shamir
...
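The KBT_INDEX lookup from the group_vars slide and the jq/base64 step of the decrypt task above, as an added example written for this page (it is not code from the dockpack/keybase_unseal role). It selects one member's share from the `vault operator init -format=json` output and adds the checks an operator would want before the blob reaches `gpg -d`: KBT_INDEX is actually set (an unset variable makes lookup('env') return an empty string, and jq then fails on `.unseal_keys_b64[]`), the index lies inside the kbt list, the number of shares matches the number of PGP recipients, and the share really is an OpenPGP public-key encrypted message (first packet tag 1, RFC 4880 section 5.1) rather than a plaintext share written to the shared KBFS folder by mistake. The function names, the sample JSON and its dummy share bytes are this example's own.

```python
"""Select and sanity-check one member's PGP-encrypted unseal key share.

Added illustration for this page, not code from the dockpack/keybase_unseal role.
"""
import base64
import json

# The kbt list from the talk's group_vars: share i belongs to member kbt[i].
KBT = ["basmeijer", "fbezema", "ksatirli", "ferhaty"]


def openpgp_packet_tag(data: bytes) -> int:
    """Tag of the first OpenPGP packet (RFC 4880 section 4.2, old and new header formats)."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet header")
    first = data[0]
    if first & 0x40:                 # new format: tag in the low six bits
        return first & 0x3F
    return (first >> 2) & 0x0F       # old format: tag in bits 2..5


def select_share(init_output: str, kbt: list, kbt_index_env) -> bytes:
    """Return the decoded ciphertext of this member's share, or raise with a precise reason."""
    if kbt_index_env in (None, ""):
        # lookup('env','KBT_INDEX') yields '' when unset; jq would fail on '.unseal_keys_b64[]'
        raise ValueError("KBT_INDEX is not set")
    idx = int(kbt_index_env)
    if not 0 <= idx < len(kbt):
        raise IndexError(f"KBT_INDEX={idx} is outside the kbt list of {len(kbt)} members")
    shares = json.loads(init_output)["unseal_keys_b64"]
    if len(shares) != len(kbt):
        raise ValueError(f"init produced {len(shares)} shares but kbt lists {len(kbt)} PGP recipients")
    blob = base64.b64decode(shares[idx], validate=True)
    if openpgp_packet_tag(blob) != 1:
        raise ValueError("share is not a public-key encrypted OpenPGP message; refusing to use it")
    return blob


def make_init_json(share_bytes: bytes, members: list) -> str:
    """Construct a sample shaped like `vault operator init -format=json` output
    (the same dummy share for every member; hypothetical data, not real init output)."""
    b64 = base64.b64encode(share_bytes).decode()
    return json.dumps({
        "unseal_keys_b64": [b64] * len(members),
        "unseal_keys_hex": [share_bytes.hex()] * len(members),
        "unseal_shares": len(members),
        "unseal_threshold": 2,
        "root_token": "s.EXAMPLE-ROOT-TOKEN-PLACEHOLDER",
    })


# Constructed sample: the share body is dummy bytes that start with a new-format
# PKESK header byte (0xC1); it is NOT real PGP ciphertext.
SAMPLE_INIT = make_init_json(b"\xc1\x5e" + b"\x00" * 94, KBT)

if __name__ == "__main__":
    blob = select_share(SAMPLE_INIT, KBT, "2")
    print(f"share for {KBT[2]}: {len(blob)} bytes, OpenPGP packet tag {openpgp_packet_tag(blob)}")
```

The packet-tag check is cheap and catches the failure mode that matters most for this design: if an init was run without -pgp-keys, the base64 values in vault.json decode to raw key material, and writing that file to a team folder would hand every member every share. The index check mirrors the role's KBT_INDEX convention, where share i of the init output belongs to recipient kbt[i] because -pgp-keys lists the recipients in that order.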
[Word cloud: Vault, Consul, Shamir, Keybase, PGP, KBFS, Unseal Key, Ansible, Packer, Vagrant, Cloud, HSM, AWS KMS, Azure Key Vault, Ansible Vault, Keybase Teams Blockchain, IAM, Playbook, Role, Root Token, Unsealing, Secure?, Encryption]
github.com/dockpack/vault_dojo
vimeo.com/391099245
learn.hashicorp.com
https://github.com/dockpack/keybase_unseal/wiki
Demo

 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 

Dernier (20)

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 

Keybase Vault Auto-Unseal HashiTalks2020

  • 1.  Bas Meijer Software Engineer/DevOps Coach HUG Amsterdam Co-Organizer Ansible Ambassador @bbaassssiiee 08:00 - 08:30 GMT  Friday, February 21 HashiTalks 2020 Friday, February 21 08:00 - 08:30 GMT
  • 2.  @bbaassssiiee Keybase Auto Unseal - Bas Meijer HashiTalks 2020
  • 3.  Purpose 1. Automate provisioning Vault on Consul cluster 2. Securely store the keys to the Vault kingdom 3. Enable team to unseal automatically @bbaassssiiee 3
  • 4.  Structure of this presentation • Vault setup background info • Start Vault, Initialize, Unseal • Use the CLI, UI manually • Automate and/or Secure? • A Dilemma? • Open Source Reference Project @bbaassssiiee 4
  • 5. Copyright © 2019 HashiCorp Starting the Vault Server Write a server configuration file Start the server: vault server -config=<config_file_path> Initialize the server (generate the unseal keys & an initial token) Unseal the Vault server Log in 5
  • 6. Copyright © 2019 HashiCorp ▪ Initialization is the process of configuring the Vault: ‣ Encryption key gets generated ‣ Unseal keys are created ‣ Initial root token is setup Vault Server Initialization 6
  • 7. Copyright © 2019 HashiCorp Seal / Unseal ▪ When a Vault server is started, it starts in sealed mode - it doesn't know how to decrypt the data ▪ Unsealing is the process of constructing the master key necessary to read the decryption key to decrypt data ▪ Why? ‣ The data stored by Vault is encrypted with the encryption key ‣ The encryption key is encrypted with the master key ‣ The master key is NOT stored anywhere 7
  • 8. Copyright © 2019 HashiCorp Shamir's Secret Sharing 12 Master Key Encryption Key Protected by a master key Key Shares (Unseal keys) Bob James Jennifer Pam Tom A threshold of unseal keys are required to unseal Vault so that the key to the kingdom won't fall into one person's hand! Stephan Kitty Rudolf Lars Marjan [*] 8
  • 9. Copyright © 2019 HashiCorp Initialize a Vault Server via CLI (Terminal) 9
    $ vault operator init
    Unseal Key 1: oL8fJP4KreJPbZWIgui340j5bNclip9zGVcYIzElsoF1
    Unseal Key 2: Ke9VZlGzuVaf4HJB8c9KQR2j8rFTBALV1fD3hjE5pHoY
    Unseal Key 3: 4X6Ja/RpMwNabYzklZKxxXVznLQFGgSiVW7Wx8LWOkQn
    Unseal Key 4: dhI04g8dIQSXI11BIC6Gtwy/QaJWhVYoFYwKF9UI6axO
    Unseal Key 5: IQ2Ls630Sjd/oEQyTmwwpuFEUTiJP4FX2UI3uZMZoa+x
    Initial Root Token: s.arHAbYvyeZQH8StLc5OHtbt4
    Vault initialized with 5 keys and a key threshold of 3. Please securely distribute the above keys. When the Vault is re-sealed, restarted, or stopped, you must provide at least 3 of these keys to unseal it again.
    ...
  • 10. Copyright © 2019 HashiCorp Initializing Vault (1 of 2) 22 10
  • 11. Copyright © 2019 HashiCorp Initializing Vault (2 of 2) 23 11
  • 12. Copyright © 2019 HashiCorp Initializing Vault via UI (2 of 2) 14 12
  • 13. Initializing Vault via Ansible (teamshare.yml) @bbaassssiiee 13
    ---
    - name: initialize Hashicorp Vault
      delegate_to: "{{ groups.vault_instances[0] }}"
      run_once: true
      when: vault_status == '501'
      no_log: true
      environment:
        VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
        VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
      command: |
        vault operator init -key-shares={{ key_shares }} -key-threshold={{ key_threshold }} -format=json
      register: inited
      tags:
        - init
    ...
  • 14. Copyright © 2019 HashiCorp Starting the Vault Server Write a server configuration file Start the server: vault server -config=<config_file_path> Initialize the server (generate the unseal keys & an initial token) Unseal the Vault server Log in 14
  • 15. Copyright © 2019 HashiCorp Unsealing Vault 24 15
  • 16. Copyright © 2019 HashiCorp Unsealing via CLI (1 of 3) (Terminal) 16
    $ vault operator unseal
    Unseal Key (will be hidden):
    Key             Value
    ---             -----
    Seal Type       shamir
    Initialized     true
    Sealed          true
    Total Shares    5
    Threshold       3
    Unseal Progress 1/3
    Unseal Nonce    3c0b2c85-6d22-54e4-87ce-249061dd9d1c
    Version         1.1.0
    HA Enabled      false
  • 17. Copyright © 2019 HashiCorp Unsealing via CLI (2 of 3) (Terminal) 17
    $ vault operator unseal
    Unseal Key (will be hidden):
    Key             Value
    ---             -----
    Seal Type       shamir
    Initialized     true
    Sealed          true
    Total Shares    5
    Threshold       3
    Unseal Progress 2/3
    Unseal Nonce    3c0b2c85-6d22-54e4-87ce-249061dd9d1c
    Version         1.1.0
    HA Enabled      false
  • 18. Copyright © 2019 HashiCorp Unsealing via CLI (3 of 3) (Terminal) 18
    $ vault operator unseal
    Unseal Key (will be hidden):
    Key             Value
    ---             -----
    Seal Type       shamir
    Initialized     true
    Sealed          false
    Total Shares    5
    Threshold       3
    Version         1.1.0
    Cluster Name    vault-cluster-ad3f168d
    Cluster ID      9fcbb3bc-6d9b-98f5-3f2e-a0cf1040a260
    HA Enabled      false
  • 19. Automate Unsealing with Ansible @bbaassssiiee 19
    ---
    # teamshare
    - name: 'unseal Hashicorp Vault with teamshare unseal'
      when: vault_status == '503' and not shamir
      environment:
        VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
        VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
      command: "vault operator unseal {{ item }}"
      with_items: "{{ unseal_keys_hex }}"
      no_log: true
      tags:
        - unseal
    Ansible Tip: Use the action attribute no_log: true to avoid leaking sensitive information into syslog.
  • 20. Copyright © 2019 HashiCorp Starting the Vault Server Write a server configuration file Start the server: vault server -config=<config_file_path> Initialize the server (generate the unseal keys & an initial token) Unseal the Vault server Log in 20
  • 21. Copyright © 2019 HashiCorp Vault Server Setup Workflow Recap: Write a server configuration file; Start the server: vault server -config=<config_file_path>; Initialize the server (generate the unseal keys & an initial token) - initial setup only; Unseal the Vault server - only when the Vault server was restarted, or sealed intentionally; Log in 21
  • 22. Copyright © 2019 HashiCorp Challenge: The unsealing process requires a threshold of unseal keys, so no single person holds the key to the Vault kingdom! Unsealing is a manual process and becomes painful when you have multiple Vault clusters 22
  • 23. Copyright © 2017 HashiCorp Auto-Unseal ▪ Instead of using shared keys based on Shamir's Secret Sharing algorithm, use the trusted cloud-based encryption key to protect the master key ▪ Supported cloud services today: ‣ AliCloud KMS ‣ AWS KMS ‣ Azure Key Vault ‣ GCP Cloud KMS ▪ Use Transit secrets engine (figure: cloud-based key protects the master key, which protects the encryption key, versus shared keys protecting the master key) 23
  • 24. Copyright © 2019 HashiCorp ▪ Vault Enterprise integrates with HSM to take advantage of HSMs to provide three pieces of special functionality: ‣ Master Key Wrapping: Vault protects its master key by transiting it through the HSM for encryption rather than splitting into key shares ‣ Auto Unsealing: Vault stores its HSM-wrapped master key in storage, allowing for automatic unsealing ‣ Seal Wrapping to provide FIPS KeyStorage-conforming functionality for Critical Security Parameters HSM Support 16 24
  • 25. Copyright © 2019 HashiCorp ▪ Protect encryption key with master key ▪ HSM encryption key protects master key in place of Shamir's Secret Sharing ▪ Communication with HSM via PKCS #11 API to decrypt the master key Master Key Wrapping and Auto-unseal 17 HSM key Master keys Encrypted keys PKCS11 25 PKCS#11
  • 26.  Constraints 1. On-Premise Infrastructure 2. Independent from Cloud platform 3. Redundancy & Flexibility 4. Open Source/Free @bbaassssiiee 26
  • 28.  @bbaassssiiee Integration ★ 6.4k ★ 41.7k ★ 9.8k ★ 19.5k ★ 18.5k★ 15k 28
  • 29. @bbaassssiiee VagrantPacker Consul Vault dockpack/centos7 Image Dev Environment Clustered Storage Secrets Management 29
  • 30. Keybase @bbaassssiiee • Every account has a public history • Keybase Team Trust • User-Friendly PGP Encryption • Encrypted File System KBFS • Keybase Command Line Keybase is secure messaging and file-sharing. 30
  • 31. Ansible @bbaassssiiee 31
    ansible-galaxy install -r requirements.yml
    ---
    - src: brianshumate.consul
    - src: brianshumate.vault
    - src: leonallen22.ansible_role_keybase
    - src: dockpack.keybase_unseal
    • There is a lot of yaml in the galaxy
    • Automation after vault operator init
    • Automation before vault install
  • 32. Ansible @bbaassssiiee 32
    ansible-vault AES encrypted config files
    Transparent use in automation
    Note: Keybase has a safe place for the ansible-vault password file:
    ansible-vault encrypt /keybase/team/$KEYBASE_TEAM/vault.json
    export ANSIBLE_VAULT_PASSWORD_FILE=/keybase/team/$KEYBASE_TEAM/vault.pass
    # This is the path where the encrypted JSON is shared.
    vault_credentials: "/keybase/team/{{ keybase_team }}/vault.json"
    include_vars: "{{ vault_credentials }}"
  • 33. Encrypt^2 (kbfs.yml) @bbaassssiiee 33
    ---
    - name: save Vault credentials as pretty JSON
      delegate_to: localhost
      run_once: true
      become: false
      no_log: true
      when: vault_status == '501'
      copy:
        dest: "{{ vault_credentials }}"
        content: "{{ inited.stdout|from_json|to_nice_json }}"
        mode: 0600
      register: save_json
      tags:
        - init
    - name: encrypt pretty JSON with ansible-vault
      delegate_to: localhost
      run_once: true
      become: false
      no_log: true
      when: vault_status == '501'
      environment:
        # yamllint disable-line rule:line-length
        ANSIBLE_VAULT_PASSWORD_FILE: "{{ lookup('env','ANSIBLE_VAULT_PASSWORD_FILE') }}"
      command: "ansible-vault encrypt {{ vault_credentials }}"
      tags:
        - init
    ...
  • 34. Keybase Auto Unseal 1. create accounts 2. create team 3. create sub-team for admins 4. add members 5. create vault.pass on KBFS 6. use role in playbook github.com/dockpack/keybase_unseal @bbaassssiiee 34
  • 36. Shamir Secrets Keybase Encrypted @bbaassssiiee 36
    Define these group_vars:
    ---
    shamir: true
    keybase_team: dockpack.vault
    kbt:
      - basmeijer
      - fbezema
      - ksatirli
      - ferhaty
    Each Team Member sets their environment variable:
    export KBT_INDEX=0
    export KBT_INDEX=1
    export KBT_INDEX=2
    export KBT_INDEX=3
  • 37. Initialize Vault with Shamir Secrets Keybase Encrypted (shamir.yml) @bbaassssiiee 37
    ---
    - name: initialize Hashicorp Vault
      delegate_to: "{{ groups.vault_instances[0] }}"
      run_once: true
      when: vault_status == '501'
      no_log: true
      environment:
        VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
        VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
      command: |
        vault operator init -key-shares={{ key_shares }} -key-threshold={{ key_threshold }} -format=json -pgp-keys="keybase:{{ kbt[0] }},keybase:{{ kbt[1] }},keybase:{{ kbt[2] }},keybase:{{ kbt[3] }}"
      register: inited
      tags:
        - init
    ...
  • 38. Which Encrypted Shamir Unseal Key is mine? (teamshare unseal) @bbaassssiiee 38
    ---
    # shamir
    - name: 'set kbt_index from env, range in array of keybase team list kbt.'
      when: vault_status == '503' and shamir|bool
      delegate_to: localhost
      run_once: true
      set_fact:
        kbt_index: "{{ lookup('env','KBT_INDEX') }}"
      tags:
        - unseal
        - shamir
    ...
  • 39. Unseal with my Encrypted Shamir Unseal Key (shamir unseal) @bbaassssiiee 39
    ---
    - name: 'decrypt unseal key based on kbt_index'
      when: vault_status == '503' and shamir|bool
      delegate_to: localhost
      become: false
      run_once: true
      no_log: true
      shell: |
        set -o pipefail ; ansible-vault view /keybase/team/{{ keybase_team }}/vault.json | jq -r .unseal_keys_b64[{{ kbt_index }}] | base64 --decode | gpg -d
      register: unseal_key
      tags:
        - unseal
        - shamir
    - name: 'unseal Hashicorp Vault with tags=unseal'
      when: vault_status == '503' and shamir|bool
      no_log: true
      environment:
        VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
        VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
      command: "vault operator unseal {{ unseal_key.stdout }}"
      tags:
        - unseal
        - shamir
    ...
  • 40. ? Vault Consul Shamir Keybase PGP KBFS Unseal Key Ansible Packer Vagrant Cloud HSM AWS KMS Azure Key Vault Ansible Vault Keybase Teams Blockchain IAM github.com/dockpack/vault_dojo vimeo.com/391099245 Playbook Role Root Token Unsealing Secure? Encryption learn.hashicorp.com https://github.com/dockpack/keybase_unseal/wiki @bbaassssiiee 40
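Slides 7 to 9 explain why any 3 of the 5 unseal keys rebuild the master key while 2 reveal nothing. The following is an added example, not from this deck and not Vault's own code, that implements the same byte-wise Shamir scheme over GF(2^8) in Python, using the share layout of Vault's shamir package (secret bytes followed by one x-coordinate byte); the fixed x coordinates 1..n and the random 32-byte key are constructed for the demo.

```python
import secrets

def gf_mul(a, b):
    """Multiply in GF(2^8) with the AES/Vault reduction polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(a):
    """Multiplicative inverse: a^254 in GF(2^8)."""
    if a == 0:
        raise ZeroDivisionError("no inverse for 0 in GF(2^8)")
    result = 1
    for _ in range(254):
        result = gf_mul(result, a)
    return result

def poly_eval(coeffs, x):
    """Horner evaluation; coeffs[0] is the constant term (the secret byte)."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc

def split(secret, parts, threshold):
    """Split into 'parts' shares of which any 'threshold' rebuild the secret.
    Share layout as in Vault: secret-length bytes, then one x-coordinate byte."""
    if not 1 < threshold <= parts <= 255:
        raise ValueError("need 1 < threshold <= parts <= 255")
    xs = range(1, parts + 1)          # non-zero x; constructed (Vault randomises them)
    shares = [bytearray(len(secret) + 1) for _ in xs]
    for i, byte in enumerate(secret):
        # One fresh random polynomial of degree threshold-1 per secret byte.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for share, x in zip(shares, xs):
            share[i] = poly_eval(coeffs, x)
            share[-1] = x
    return [bytes(s) for s in shares]

def combine(shares):
    """Lagrange-interpolate every byte at x=0. Fewer than 'threshold' shares give
    garbage, not an error: the threshold is not encoded in the shares themselves."""
    xs = [s[-1] for s in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    out = bytearray(len(shares[0]) - 1)
    for i in range(len(out)):
        acc = 0
        for k, xk in enumerate(xs):
            num, den = 1, 1
            for j, xj in enumerate(xs):
                if j != k:
                    num = gf_mul(num, xj)        # (0 - xj) == xj in characteristic 2
                    den = gf_mul(den, xk ^ xj)   # (xk - xj)
            acc ^= gf_mul(shares[k][i], gf_mul(num, gf_inv(den)))
        out[i] = acc
    return bytes(out)

def demo(parts=5, threshold=3):
    """Vault's default 5 shares / threshold 3 on a constructed random 32-byte key."""
    key = secrets.token_bytes(32)
    shares = split(key, parts, threshold)
    enough = combine([shares[0], shares[2], shares[4]]) == key   # any 3 work
    too_few = combine(shares[:threshold - 1]) != key             # 2 do not
    return enough and too_few
```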
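Slides 36 to 39 have each team member pick unseal_keys_b64[KBT_INDEX] from the shared vault.json and pipe it through base64 and gpg. This added example (not part of the deck or of dockpack.keybase_unseal) shows the checks a role should make before that pipeline runs: KBT_INDEX comes from the environment and must be an in-range index into kbt, the share count must match the team, and the selected blob must actually be PGP-encrypted, so a file written by an init run without -pgp-keys is refused rather than handed to gpg. The JSON, the OpenPGP packet bytes and the root token are constructed placeholders.

```python
import base64
import json

# Team list from the group_vars on slide 36; each member's KBT_INDEX is their position.
KBT = ["basmeijer", "fbezema", "ksatirli", "ferhaty"]

# Constructed stand-in for a PGP-encrypted share: a new-format OpenPGP header for a
# Public-Key Encrypted Session Key packet (tag 1, body length 94) plus filler bytes.
FAKE_PGP_SHARE = b"\xc1\x5e" + b"\x00" * 94
# Constructed raw share as 'vault operator init' emits it WITHOUT -pgp-keys:
# 32 key bytes plus the trailing Shamir x-coordinate byte, never encrypted.
RAW_SHARE = b"\xc1" + b"\x11" * 32

def fake_init_json(shares):
    """Constructed 'vault operator init -format=json' output with the same field names."""
    return json.dumps({
        "unseal_keys_b64": [base64.b64encode(s).decode() for s in shares],
        "unseal_keys_hex": [s.hex() for s in shares],
        "unseal_shares": len(shares),
        "unseal_threshold": 3,
        "root_token": "s.PLACEHOLDER-ROOT-TOKEN",
    })

GOOD_INIT = fake_init_json([FAKE_PGP_SHARE] * 4)   # init ran with -pgp-keys
LEAKY_INIT = fake_init_json([RAW_SHARE] * 4)       # init ran without it

def openpgp_tag(first_octet):
    """Packet tag from an OpenPGP packet header octet (RFC 4880 4.2), or None."""
    if not first_octet & 0x80:
        return None
    if first_octet & 0x40:
        return first_octet & 0x3F          # new-format header
    return (first_octet >> 2) & 0x0F       # old-format header

def looks_pgp_encrypted(blob):
    """A PKESK packet for any real key is far longer than a 33-byte raw share."""
    return len(blob) >= 64 and openpgp_tag(blob[0]) == 1

def parse_kbt_index(env_value, kbt):
    """Mirror lookup('env','KBT_INDEX'): an unset variable arrives as ''. Fail closed."""
    if not env_value.strip().isdigit():
        return None
    idx = int(env_value)
    return idx if 0 <= idx < len(kbt) else None

def audit_shared_file(init_json, kbt):
    """Problems that mean the file on KBFS must not be used for unsealing."""
    data = json.loads(init_json)
    keys = data.get("unseal_keys_b64", [])
    problems = []
    if len(keys) != len(kbt) or data.get("unseal_shares") != len(kbt):
        problems.append("share count does not match the keybase team list kbt")
    for i, (member, b64) in enumerate(zip(kbt, keys)):
        if not looks_pgp_encrypted(base64.b64decode(b64, validate=True)):
            problems.append("share %d for %s is not PGP-encrypted" % (i, member))
    return problems

def my_encrypted_share(init_json, kbt, env_value):
    """The blob to hand to 'gpg -d', or None when any check fails."""
    idx = parse_kbt_index(env_value, kbt)
    if idx is None or audit_shared_file(init_json, kbt):
        return None
    return base64.b64decode(json.loads(init_json)["unseal_keys_b64"][idx])
```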