Securely managing secrets with FreeIPA and Puppet
James Shubin, @purpleidea
Config Mgmt. Architect
Systems Engineering Group, Red Hat
Puppet Camp, Boston 2014
1 JAMES SHUBIN

Who am I?
● Puppet Hacker
● Config Mgmt. Architect @ Red Hat
● Technical Blogger: The Technical Blog of James, https://ttboj.wordpress.com/
● Physiologist (Cardiology Specialization)
● All around hoopy frood...

The status quo of secret management in Puppet is pretty poor...

Example 1
class { '::foo':
  password => 'super-secret-thing',
  bad_idea => true,
}

Example 2
class { '::foo':
  hashed   => '$1$mF86/UHC$WvcIcX2t6crBz2onW...',
  bad_idea => true,
}

Example 3
# secret.yaml
---
foo::params::password: 'ohai'
foo::params::bad_idea: true

There are some solutions which are better than others, but they are still not perfect...

hiera-gpg
● Cute, but private key management can be a problem...
● Probably a good idea for existing infrastructures, where you have one repo that is widely shared...
● Other issues: http://slashdevslashrandom.wordpress.com/2013/06/03/my-griefs-with-hiera-gpg/
● Code: https://github.com/crayfishx/hiera-gpg

hiera-eyaml
● Better than hiera-gpg!
● Still has a private key management problem...
● Comes with nice secret editing tools...
● We still have to trust Puppet more than necessary...
● Code: https://github.com/TomPoulton/hiera-eyaml

blackbox
● Same problems as all the other asymmetric solutions
● Nice documentation!
● Honest and upfront about the risks...
● Comes with 20% more Limoncelli :)
● Code: https://github.com/StackExchange/blackbox

Do I love any of these solutions?

NOPE

My solution...

Local secret generation
● Good DevOps hackers use/know/love GPG (PGP)
● Tell Puppet about your public key
● Locally generate and encrypt secrets with the public key
● Optionally mail it out to your admin email address
● Use FreeIPA to build out your security infrastructure
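As an added example that is not part of this deck or of puppet-ipa, the following Puppet class implements the four steps above and is the safe counterpart to Examples 1 to 3: the host only ever receives the admin's public key, generates the secret itself, encrypts it in the same pipeline and keeps nothing but the ciphertext. The class, parameter and path names, and the presence of /usr/bin/gpg and /usr/bin/mail, are assumptions.

```puppet
# Added example (not puppet-ipa's own code). Class, parameter names and
# paths are assumptions; /usr/bin/gpg and /usr/bin/mail are assumed present.
class secretgen (
  $gpg_recipient,                                  # admin key id or e-mail address
  $gpg_publickey,                                  # ASCII-armoured public key block
  $secret_name = 'admin',                          # which secret this instance manages
  $mail_to     = undef,                            # optional: mail the ciphertext here
  $vardir      = '/var/lib/puppet/tmp/secretgen',
) {
  $gnupghome  = "${vardir}/gnupg"
  $pubkey     = "${vardir}/${gpg_recipient}.pub"
  $ciphertext = "${vardir}/${secret_name}.gpg"

  file { [$vardir, $gnupghome]:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }

  # Step 1: tell Puppet about your public key. Only the public half is ever
  # shipped to the host, so the repo, hiera and the catalog contain no secret.
  file { $pubkey:
    ensure  => file,
    content => $gpg_publickey,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
  }

  # Import it into a keyring that belongs to this class, not root's default one.
  exec { "secretgen-import-${gpg_recipient}":
    command     => "/usr/bin/gpg --batch --import ${pubkey}",
    environment => ["GNUPGHOME=${gnupghome}"],
    unless      => "/usr/bin/gpg --batch --list-keys ${gpg_recipient}",
    require     => File[$pubkey, $gnupghome],
  }

  # Steps 2 and 3: generate the secret on the host and encrypt it in the same
  # pipeline, so the plaintext never touches disk, the catalog or a report.
  # `creates` makes this a one-shot: a later run must not rotate the secret
  # behind the admin's back.
  exec { "secretgen-${secret_name}":
    command     => "umask 077; /usr/bin/head -c 33 /dev/urandom | /usr/bin/base64 -w0 | /usr/bin/gpg --batch --trust-model always --armor --encrypt -r ${gpg_recipient} -o ${ciphertext}",
    provider    => shell,
    environment => ["GNUPGHOME=${gnupghome}"],
    creates     => $ciphertext,
    logoutput   => false,
    require     => Exec["secretgen-import-${gpg_recipient}"],
  }

  # Step 4 (optional): mail the ciphertext to the admin. It is safe to send in
  # the clear; only the holder of the matching private key can open it.
  if $mail_to {
    exec { "secretgen-mail-${secret_name}":
      command     => "/usr/bin/mail -s 'secret ${secret_name} for ${gpg_recipient}' ${mail_to} < ${ciphertext}",
      provider    => shell,
      refreshonly => true,
      subscribe   => Exec["secretgen-${secret_name}"],
    }
  }
}

# Usage: the only input is a public key, which is not a secret. The key file
# location (files/admin.pub inside this module) is an assumption.
class { '::secretgen':
  gpg_recipient => 'admin@example.com',
  gpg_publickey => file('secretgen/admin.pub'),
  mail_to       => 'admin@example.com',
}
```

Fetch the ciphertext (or the mail) on a workstation that holds the private key and run gpg --decrypt on it; the private key never has to exist on the Puppet master or the managed host.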

live demo...

Red Hat funds good hackers so that we can...
● Work on open source / free software things...
● Speak at events like this...
● Hack on good products and solutions...
● For access to products, solutions, and support, visit: https://redhat.com/

Learn more
● The Technical Blog of James: https://ttboj.wordpress.com/
● Puppet-IPA: https://github.com/purpleidea/puppet-ipa
● Technical article about this technique: https://ttboj.wordpress.com/2014/06/06/securely-managing-secrets-for-freeipa-with-puppet/
● Contact me if you have any other questions: purpleidea @ { irc, twitter, redhat.com }

Q & A?

Thank you & Happy Hacking!
