Automatically unseal Vault clusters as a Keybase team. We want to automate the unseal of our on-premises Vault clusters. How can we securely distribute Shamir unseal keys to the team so that we can unseal our Vault when we are on call? How did we initialize our production system in such a way that 2 out of 4 people are needed to "unseal the Vault"?
We are using Keybase.io and an automated Vault-on-Consul cluster, with an Ansible/Vagrant environment to teach and practice.
- Vagrant (tested on Mac)
- Consul OSS
- Vault OSS
- Keybase (vault operator init, vault unseal, KBFS)
- Ansible (Brian Shumate's roles, custom roles)
- Packer (hardened Centos 7)
@bbaassssiiee
https://github.com/dockpack/keybase_unseal
https://github.com/dockpack/vault_dojo
3. Purpose
1. Automate provisioning Vault on Consul cluster
2. Securely store the keys to the Vault kingdom
3. Enable team to unseal automatically
4. Structure of this presentation
• Vault setup background info
• Start Vault, Initialize, Unseal
• Use the CLI, UI manually
• Automate and/or Secure?
• A Dilemma?
• Open Source Reference Project
30. Keybase
• Every account has a public history
• Keybase Team Trust
• User-Friendly PGP Encryption
• Encrypted File System KBFS
• Keybase Command Line
Keybase is secure messaging and file-sharing.
31. Ansible
ansible-galaxy install -r requirements.yml
requirements.yml:
---
- src: brianshumate.consul
- src: brianshumate.vault
- src: leonallen22.ansible_role_keybase
- src: dockpack.keybase_unseal
• There is a lot of YAML in Galaxy
• Automation after vault operator init
• Automation before Vault install
32. Ansible
ansible-vault encrypt /keybase/team/$KEYBASE_TEAM/vault.json
export ANSIBLE_VAULT_PASSWORD_FILE=/keybase/team/$KEYBASE_TEAM/vault.pass
Note: Keybase has a safe place for the ansible-vault password file.
• ansible-vault AES-encrypted config files
• Transparent use in automation
# This is the path where the encrypted JSON is shared.
vault_credentials: "/keybase/team/{{ keybase_team }}/vault.json"
include_vars: "{{ vault_credentials }}"
34. Keybase Auto Unseal
1. Create accounts
2. Create team
3. Create sub-team for admins
4. Add members
5. Create vault.pass on KBFS
6. Use role in playbook
github.com/dockpack/keybase_unseal
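The six steps above end with "use role in playbook". The playbook below is an added example of what that playbook does when written without the role, using only Ansible's built-in include_vars and uri modules against Vault's HTTP API; it is not the dockpack.keybase_unseal role's own code. It assumes that vault.json is the JSON output of `vault operator init -format=json` (which contains an unseal_keys_b64 list), encrypted with ansible-vault and shared in the team folder on KBFS as on slide 32, that ANSIBLE_VAULT_PASSWORD_FILE points at vault.pass on KBFS, and that the inventory group name and vault_addr value are placeholders.

```yaml
# Added example: unseal Vault with the threshold number of Shamir key shares
# taken from the ansible-vault encrypted init output shared on KBFS.
# Assumptions (not from the slides): inventory group "vault_servers",
# vault_addr, and the keybase_team value are placeholders.
---
- name: Unseal Vault from the team's KBFS folder
  hosts: vault_servers
  gather_facts: false
  vars:
    keybase_team: "EXAMPLE_TEAM"                      # placeholder
    vault_addr: "http://127.0.0.1:8200"               # assumption
    # Same path as on slide 32; include_vars decrypts it with the
    # password file named by ANSIBLE_VAULT_PASSWORD_FILE.
    vault_credentials: "/keybase/team/{{ keybase_team }}/vault.json"
  tasks:
    - name: Load the encrypted 'vault operator init' output from KBFS
      include_vars:
        file: "{{ vault_credentials }}"
        name: vault_init
      no_log: true                 # never echo key shares or the root token

    - name: Read the current seal status (t = threshold, n = shares)
      uri:
        url: "{{ vault_addr }}/v1/sys/seal-status"
        return_content: true
      register: seal_status

    - name: Submit only the threshold number of key shares (e.g. 2 of 4)
      uri:
        url: "{{ vault_addr }}/v1/sys/unseal"
        method: PUT
        body_format: json
        body:
          key: "{{ item }}"
        status_code: 200
      loop: "{{ vault_init.unseal_keys_b64[:seal_status.json.t] }}"
      no_log: true                 # loop items are the key shares themselves
      when: seal_status.json.sealed

    - name: Verify the node is unsealed
      uri:
        url: "{{ vault_addr }}/v1/sys/seal-status"
        return_content: true
      register: final_status
      failed_when: final_status.json.sealed
```

Only `t` shares are submitted because Vault needs exactly the threshold, not all `n` shares; the last verification task fails the play if the node is still sealed, for example when the cluster was re-keyed after vault.json was written. The design trade-off the "A Dilemma?" slide points at is visible here: all shares live in one file, so the effective secret boundary is the Keybase team membership plus vault.pass, and reviewing that team's membership is what protects the 2-of-4 split.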