Manage distributed configuration and secrets with spring cloud and vault (Spring I/O 2017)



Manage distributed configuration and secrets with Spring Cloud Configuration and Spring Cloud Vault.
- Spring Cloud Configuration
- Encrypting/Decrypting sensitive property values
- Vault
- Spring Cloud Vault

  1. MANAGE DISTRIBUTED CONFIGURATION AND SECRETS WITH SPRING CLOUD AND VAULT
     Andreas Falk, Friday 19th May, 2017
  2. ANDREAS FALK
     http://www.novatec-gmbh.de
     andreas.falk@novatec-gmbh.de
     @NT_AQE, @andifalk
  3. AGENDA
  4. (image-only slide)
  5. A6: SENSITIVE DATA EXPOSURE
     https://github.com/OWASP/Top10
  6. TYPICAL SENSITIVE DATA
     - PASSWORDS
     - DATABASE CREDENTIALS
     - OAUTH2 CLIENT SECRETS
     - ENCRYPTION KEYS
     - SENSITIVE USER DATA
     - CREDIT CARD NUMBERS
  7. APPLICATION PROPERTIES: DATABASE ACCESS CREDENTIALS
     spring.datasource.url=jdbc:postgresql://localhost/test
     spring.datasource.username=root
     spring.datasource.password=mysupersecretpassword
  8. SPRING CLOUD CONFIG
     https://cloud.spring.io/spring-cloud-config
  9. SPRING CLOUD CONFIG
     - Externalized configuration in a distributed system
     - HTTP, resource-based API
     - Supports property file and YAML formats
     - Encrypt and decrypt property values
     https://cloud.spring.io/spring-cloud-config
 10. (image-only slide)
 11. GRADLE DEPENDENCIES
     ext {
         springCloudVersion = 'Dalston.RELEASE'
     }
     dependencies {
         compile('org.springframework.cloud:spring-cloud-config-server')
     }
     dependencyManagement {
         imports {
             mavenBom "org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}"
         }
     }
 12. SPRING CLOUD CONFIG SERVER: JUST ONE ADDITIONAL ANNOTATION
     @EnableConfigServer
     @SpringBootApplication
     public class ConfigServerApplication {
         public static void main(String[] args) {
             SpringApplication.run(ConfigServerApplication.class, args);
         }
     }
 13. SPRING CLOUD CONFIG SERVER: CONFIGURATION
     spring.cloud.config.server.git.uri=https://github.com/andifalk/cloud-config-repository
     server.port=8888
     security.basic.enabled=true
     security.user.name=admin
     security.user.password=secret
 14. SPRING CLOUD CONFIG: ENCRYPTION AND DECRYPTION
     https://cloud.spring.io/spring-cloud-static/Dalston.RELEASE/#_security
 15. SPRING CLOUD CONFIG SERVER: SYMMETRIC KEY CONFIGURATION
     encrypt.key=MyVerySecureEncryptionKey
 16. SPRING CLOUD CONFIG SERVER: ASYMMETRIC KEY CONFIGURATION
     encrypt.key-store.location=classpath:configserver.jks
     encrypt.key-store.alias=configserver
     encrypt.key-store.password=secret
     encrypt.key-store.secret=secret
 17. SPRING CLOUD CONFIG SERVER: ENCRYPTING DATA
     $ curl -u admin:secret -d test http://localhost:8888/encrypt
     AQAx/RH8tiJj9V43l4dwAxhh0bXGPYa2UjRGOM8s5z2EmCXWRU5DLPzxGptF08nEokE+BfZPm4A3vco3volhWdYQcCAFguX+6LOvoxewv5AyfkIt1E0bTc7sa4wSSeBGG4SZ1K/nkto4e6jH+5tktLiPpXoABzvy3YsAgXZ6j5zUM320cWEd4QBSoB0mYP5KfsqEFbFEUBm2wMyUSFB4/NXn5apn8KZ2c2WTAj/jZlrg/jI4Sz094zDzRaM+iZuqHjaUxVng+3dTsz9DQ9rhfWFllmrtUyoKwgNWLuegV6neDsHGdz7F1bucvJ2CzEZb3tp76K2RrP0m9KPesTZMtbUH2/g9uUDORh/95P1s+dRt0QznwlXshtnb8Hu3i7GdkmA=
 18. SPRING CLOUD CONFIG SERVER: DECRYPTING DATA
     $ curl localhost:8888/decrypt -u admin:secret -d AQAx/RH8tiJj9V43l4dwAxhh0bXGPYa2UjRGOM8s5z2EmCXWRU5DLPzxGptF08nEokE+BfZPm4A3vco3volhWdYQcCAFguX+6LOvoxewv5AyfkIt1E0bTc7sa4wSSeBGG4SZ1K/nkto4e6jH+5tktLiPpXoABzvy3YsAgXZ6j5zUM320cWEd4QBSoB0mYP5KfsqEFbFEUBm2wMyUSFB4/NXn5apn8KZ2c2WTAj/jZlrg/jI4Sz094zDzRaM+iZuqHjaUxVng+3dTsz9DQ9rhfWFllmrtUyoKwgNWLuegV6neDsHGdz7F1bucvJ2CzEZb3tp76K2RrP0m9KPesTZMtbUH2/g9uUDORh/95P1s+dRt0QznwlXshtnb8Hu3i7GdkmA=
     test
 19. SPRING CLOUD CONFIG SERVER: ENCRYPTED SENSITIVE PROPERTY VALUES
     secretkey={cipher}AQBcFzU3gDVVdj0P2uX/60LzeFqQi8Bo2sCTOiiMSe+wYq4f0smM8HES0TKesr8Nms+EqgV5t9Rld7PGALjVUAAfHjAf6WS1yYz3K+NvXrgu8umjOyRDxfKBh5OH2jvYX+EiKv/JgwDeUg3TXnTnsheh3Mim0dSufkojbBlWxO8HsfW5z1qG9tLSlHnWvtcpIGLdRAUwfcKw+/1SViuYxwi/p9H+J/SOomr4hjjnCuaFITa0zfQc4XTLOrGxW64dhghDvCgu3BxMe0TRaBciUgkqka4zgBmzge0kw7r82b84GELmDGpjDp7HRUB+cVHqzZXuQzQB9vCjq1xI19e6ZQm62DkOxaqtafGxqw+VmyFl1+XYEs1k2lWkiUMVyJyiixI=
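Slides 7 and 19 show the two ways a secret can sit in the config repository: as plaintext (spring.datasource.password=...) or as a {cipher}-prefixed value the config server decrypts on the way out. The practical check that follows from that is a lint over the property files the server serves from Git, so a plaintext credential never reaches a commit. The following Python script is an added example, not code from the talk or from Spring Cloud Config; the sample property file, the list of secret-bearing key fragments and the parser are this example's own assumptions.

```python
"""Flag plaintext secrets in Spring Cloud Config property files.

Added example, not from the talk: a pre-commit style check that walks a
.properties file (the kind Spring Cloud Config Server serves from its Git
repository) and reports every property whose key looks secret-bearing but
whose value is not a {cipher}-prefixed ciphertext. The sample file below is
constructed for the example; the key heuristics are assumptions.
"""
import re

# Key fragments treated as secret-bearing (assumed list; extend to taste).
SENSITIVE_KEY_PATTERN = re.compile(
    r"(password|passwd|pwd|secret|credential|token|private[-_.]?key|api[-_.]?key)",
    re.IGNORECASE,
)
CIPHER_PREFIX = "{cipher}"

# Constructed sample of a file a config repository might contain.
SAMPLE_PROPERTIES = """\
# application.properties served by the config server
spring.datasource.url=jdbc:postgresql://localhost/test
spring.datasource.username=root
spring.datasource.password=mysupersecretpassword
secretkey={cipher}AQBcFzU3gDVVdj0P2uX/60LzeFqQi8Bo2sCTOiiMSe+w
oauth2.client.secret: plaintext-client-secret
server.port=8080
"""


def parse_properties(text):
    """Minimal java.util.Properties parser: '#'/'!' comments, '=' or ':'
    separators, backslash line continuations. Returns (lineno, key, value)."""
    entries = []
    pending, start = "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if pending:
            line = pending + line          # continuation of the previous line
        elif not line or line[0] in "#!":
            continue
        else:
            start = lineno
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        pending = ""
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            entries.append((start, m.group(1), m.group(2)))
    return entries


def find_plaintext_secrets(text):
    """Return (lineno, key) for sensitive keys whose value is not {cipher}...."""
    findings = []
    for lineno, key, value in parse_properties(text):
        if SENSITIVE_KEY_PATTERN.search(key) and not value.startswith(CIPHER_PREFIX):
            findings.append((lineno, key))
    return findings


if __name__ == "__main__":
    for lineno, key in find_plaintext_secrets(SAMPLE_PROPERTIES):
        print(f"line {lineno}: {key} is stored in plaintext")
```

The check only proves that a value was encrypted with the config server's key; the {cipher} value is still only as safe as the key in encrypt.key or the keystore on slides 15 and 16, which must not live in the same repository.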
 20. DEMO
 21. VAULT
 22. KEY MANAGEMENT
 23. KEY MANAGEMENT WITH VAULT
     - SECRET STORAGE
     - KEY REVOCATION
     - KEY ROLLING
     - AUDIT LOGS
     https://www.vaultproject.io/
 24. (image-only slide)
 25. SECRET STORAGE
     - ENCRYPTION (AES CIPHER)
     - DYNAMIC SECRETS
     - ACCESS CONTROL POLICIES
     - LEASE TIME (AUTOMATIC REVOCATION)
 26. AUDIT LOGS
     - NOT ACTIVE BY DEFAULT
     - SENSITIVE DATA HASHED (HMAC-SHA256)
     - TARGETS: FILE, SYSLOG, SOCKET
     Excerpt of an audit entry (values are HMACs, never plaintext):
     ...,"path":"secret/hello","data":null,"remote_address":"127.0.0.1","wrap_ttl":0,"headers":{}},"response":{"secret":{"lease_id":""},"data":{"value":"hmac-sha256:213d0d2572fe27ffd0cd2d97cf009c2d02e97b5af3f81b9af41f593982ffae8c"}},"error":""}
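The audit entry on slide 26 shows the property that makes Vault's audit log usable in an incident: the secret value is replaced by an HMAC-SHA256 keyed with the audit device's salt, so the log never holds plaintext, yet anyone who knows a candidate value (and the salt, or Vault's /sys/audit-hash endpoint, which performs the same computation) can still ask "was this value read, from where?". The following Python script is an added example, not code from the talk or from Vault; the salt, the log lines and the field layout are constructed for the example and mirror only the "hmac-sha256:<hex>" format visible on the slide.

```python
"""Correlate a known secret value with Vault-style audit log entries.

Added example, not from the talk or from Vault's code base. Vault's audit
devices replace sensitive request/response values with
"hmac-sha256:<hex>", an HMAC-SHA256 over the value keyed with a per-device
salt (the format shown on the slide). Given the salt, a responder can find
every read of a known value without the log ever containing plaintext.
The salt, log lines and field names below are constructed for the example.
"""
import hashlib
import hmac
import json


def audit_hash(salt: bytes, value: str) -> str:
    """HMAC-SHA256 of value keyed with the audit device salt, hex encoded."""
    digest = hmac.new(salt, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "hmac-sha256:" + digest


def hash_leaves(obj, salt: bytes):
    """Recursively replace every string leaf with its HMAC, as an audit
    device does for request and response data (keys stay readable)."""
    if isinstance(obj, dict):
        return {k: hash_leaves(v, salt) for k, v in obj.items()}
    if isinstance(obj, list):
        return [hash_leaves(v, salt) for v in obj]
    if isinstance(obj, str):
        return audit_hash(salt, obj)
    return obj


# Constructed per-device salt; a real one is random and kept by Vault.
SALT = b"constructed-audit-salt"


def _entry(path, remote, data):
    return json.dumps({
        "type": "response",
        "request": {"operation": "read", "path": path, "remote_address": remote},
        "response": {"data": hash_leaves(data, SALT)},
    })


# Constructed audit log, one JSON object per line, values already hashed.
SAMPLE_AUDIT_LOG = "\n".join([
    _entry("secret/hello", "127.0.0.1", {"value": "world"}),
    _entry("secret/mysecret", "10.0.0.7", {"hello": "world"}),
    _entry("secret/db", "10.0.0.9", {"password": "mysupersecretpassword"}),
])


def _contains(obj, needle):
    if isinstance(obj, dict):
        return any(_contains(v, needle) for v in obj.values())
    if isinstance(obj, list):
        return any(_contains(v, needle) for v in obj)
    return obj == needle


def find_reads_of(log_text: str, salt: bytes, known_value: str):
    """Return (path, remote_address) for every entry whose hashed response
    data contains the HMAC of known_value."""
    needle = audit_hash(salt, known_value)
    hits = []
    for line in log_text.splitlines():
        entry = json.loads(line)
        if _contains(entry.get("response", {}).get("data", {}), needle):
            req = entry["request"]
            hits.append((req["path"], req["remote_address"]))
    return hits


if __name__ == "__main__":
    for path, remote in find_reads_of(SAMPLE_AUDIT_LOG, SALT, "world"):
        print(f"{path} read from {remote}")
```

Because the HMAC is keyed, an attacker who steals only the log cannot brute-force short values offline; with the wrong salt find_reads_of() finds nothing. That is also why the audit device must be enabled (it is off by default, per the slide) before the first secret is written, or there is nothing to correlate.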
 27. AUTHENTICATION
     - TOKEN (DEFAULT)
     - APPID
     - APPROLE
     - TLS CLIENT CERTIFICATE
     - AWS, GITHUB, ...
 28. ROTATE, REPAIR, REPAVE (JUSTIN SMITH, PIVOTAL)
 29. SECRET BACKENDS: GETTING DYNAMIC CREDENTIALS (WITH LEASE TIME)
     - AWS
     - CONSUL
     - MONGODB
     - DATABASES (MYSQL, POSTGRESQL, CASSANDRA)
     - RABBITMQ, AND MANY MORE...
 30. (image-only slide)
 31. START VAULT SERVER
     memory.conf (in-memory storage, tls_disable = 1 and disable_mlock = true suit the local demo only):
     storage "inmem" {
     }
     listener "tcp" {
       address = "127.0.0.1:8200"
       tls_disable = 1
     }
     disable_mlock = true

     $ vault server -config=./memory.conf
 32. (image-only slide)
 33. INITIALIZE VAULT SERVER
     $ vault init -key-shares=5 -key-threshold=2
     Unseal Key 1: v236b4yJQDnaJ3EmkOhycZTcxTJfMbNeILqxWfRpzGn0
     Unseal Key 2: g1tV/d4vp7VVbOu93aHrHZt41xE5YtX7yYBsFMIXGHCf
     Unseal Key 3: rAI5FwrVF8XFUD7BOtTer9bL4A39HxHhnXQo85uSyphf
     Unseal Key 4: kDSWhVhz8ElKG6Rad51Hw9lv8i6bTHdEdE71vq3sHoE0
     Unseal Key 5: 4KUY7CS+UBi5lxlwpCRY+sWXdPFDp68rX2F6bTxT0nHF
     Initial Root Token: 68a80410-e315-fc39-d1ad-9864e169a47f
     Please securely distribute the above keys. When the vault is re-sealed, restarted, or stopped, you must provide at least 2 of these keys to unseal it again. Vault does not store the master key. Without at least 2 keys, your vault will remain permanently sealed.
 34. UNSEAL VAULT SERVER
     $ vault unseal v236b4yJQDnaJ3EmkOhycZTcxTJfMbNeILqxWfRpzGn0
     Sealed: true
     Key Shares: 5
     Key Threshold: 2
     Unseal Progress: 1
     Unseal Nonce: 3a7f80b8-9aa4-2338-8a0a-0295331962d7

     $ vault unseal rAI5FwrVF8XFUD7BOtTer9bL4A39HxHhnXQo85uSyphf
     Sealed: false
     Key Shares: 5
     Key Threshold: 2
     Unseal Progress: 0
     Unseal Nonce:
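Slides 33 and 34 are one procedure: vault init splits the master key into 5 shares of which any 2 unseal, and the second vault unseal call is what flips Sealed to false. The construction behind -key-shares and -key-threshold is Shamir's secret sharing (listed in the references). The following Python script is an added example, not Vault's code: it splits an arbitrary byte string byte-wise over GF(2^8) and recombines it, so the threshold property can be checked directly. The share encoding (x-coordinate as the first byte, base64 for display) is this example's own convention; its shares are not interchangeable with Vault's unseal keys.

```python
"""Shamir secret sharing over GF(2^8): the idea behind
`vault init -key-shares=5 -key-threshold=2`.

Added example, not Vault's code. Each byte of the secret becomes the constant
term of a random polynomial of degree threshold-1; share x holds the
polynomial evaluated at x. Any `threshold` shares interpolate the constant
term back; fewer reveal nothing about it.
"""
import base64
import secrets


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with reduction polynomial x^8+x^4+x^3+x+1 (0x11b)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _gf_inv(a: int) -> int:
    """a^-1 = a^254 in GF(2^8)* (a != 0), by square-and-multiply."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = _gf_mul(result, base)
        base = _gf_mul(base, base)
        exp >>= 1
    return result


def split(secret: bytes, shares: int, threshold: int) -> list:
    """Return `shares` byte strings; byte 0 of each is its x-coordinate (1..shares)."""
    if not 2 <= threshold <= shares <= 255:
        raise ValueError("need 2 <= threshold <= shares <= 255")
    out = [bytearray([x]) for x in range(1, shares + 1)]
    for s in secret:
        # Random polynomial with constant term s and threshold-1 random coefficients.
        coeffs = [s] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for share in out:
            x, y = share[0], 0
            for c in reversed(coeffs):          # Horner evaluation at x
                y = _gf_mul(y, x) ^ c
            share.append(y)
    return [bytes(s) for s in out]


def combine(shares: list) -> bytes:
    """Lagrange-interpolate every byte position at x = 0 (subtraction is XOR)."""
    xs = [s[0] for s in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("duplicate or invalid share index")
    length = len(shares[0]) - 1
    out = bytearray(length)
    for pos in range(length):
        acc = 0
        for i, si in enumerate(shares):
            num = den = 1
            for j in range(len(shares)):
                if j != i:
                    num = _gf_mul(num, xs[j])
                    den = _gf_mul(den, xs[j] ^ xs[i])
            acc ^= _gf_mul(si[pos + 1], _gf_mul(num, _gf_inv(den)))
        out[pos] = acc
    return bytes(out)


def demo_init(key_shares: int = 5, key_threshold: int = 2):
    """Mimic `vault init`: a random 32-byte master key and base64 unseal keys."""
    master = secrets.token_bytes(32)
    keys = [base64.b64encode(s).decode() for s in split(master, key_shares, key_threshold)]
    return master, keys


def demo_unseal(unseal_keys: list) -> bytes:
    """Mimic the unseal step: decode the presented keys and recombine."""
    return combine([base64.b64decode(k) for k in unseal_keys])


if __name__ == "__main__":
    master, keys = demo_init()
    for i, k in enumerate(keys, 1):
        print(f"Unseal Key {i}: {k}")
    print("recovered with keys 1 and 3:", demo_unseal([keys[0], keys[2]]) == master)
```

The "Vault does not store the master key" line on slide 33 follows from the maths: the server keeps only the shares' existence, and one share alone is a uniformly random byte string, which is why key holders must be distinct people or systems for the threshold to mean anything.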
 35. AUTHENTICATE WITH VAULT SERVER
     $ vault auth 68a80410-e315-fc39-d1ad-9864e169a47f
     Successfully authenticated! You are now logged in.
     token: 68a80410-e315-fc39-d1ad-9864e169a47f
     token_duration: 0
     token_policies: [root]
 36. WRITE AND READ SECRETS
     $ vault write secret/mysecret hello=world
     Success! Data written to: secret/mysecret
     $ vault read secret/mysecret
     Key               Value
     ---               -----
     refresh_interval  768h0m0s
     hello             world
 37. DEMO
 38. SPRING CLOUD VAULT
     https://cloud.spring.io/spring-cloud-vault
 39. GRADLE DEPENDENCIES
     ext {
         springCloudVersion = 'Dalston.RELEASE'
     }
     dependencies {
         compile('org.springframework.cloud:spring-cloud-starter-vault-config')
     }
     dependencyManagement {
         imports {
             mavenBom "org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}"
         }
     }
 40. SECRET DATA MAPPING
     bootstrap.properties:
     spring.cloud.vault.generic.application-name=application1,additional/keys
     #spring.cloud.vault.application-name=...
     #spring.application.name=...
     Mapped secret paths in Vault:
     /secret/application1
     /secret/application1/myprofile
     /secret/additional/keys
     /secret/application
     /secret/application/myprofile
 41. DEMO
 42. ROTATE DATABASE CREDENTIALS
     bootstrap.yml:
     spring.cloud.vault:
       postgresql:
         enabled: true
         role: readonly
         backend: postgresql
         username-property: spring.datasource.username
         password-property: spring.datasource.password
 43. (image-only slide)
 44. SPRING CLOUD CONFIG VAULT ENVIRONMENT REPOSITORY
     application.properties (config server):
     spring.profiles.active=vault
     spring.cloud.config.server.vault.host=127.0.0.1
     spring.cloud.config.server.vault.port=8200
     spring.cloud.config.server.vault.scheme=https
     bootstrap.properties (client):
     spring.cloud.config.token=YourVaultToken
 45. TARGET ACHIEVED?
 46. REFERENCES
     - Spring Cloud Config (https://cloud.spring.io/spring-cloud-config/)
     - Spring Cloud Config Security (http://cloud.spring.io/spring-cloud-static/spring-cloud-config/1.3.0.RELEASE/#_security)
     - Shamir's secret sharing algorithm (https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing)
     - Spring Cloud Vault (https://cloud.spring.io/spring-cloud-vault)
     - Vault (https://www.vaultproject.io)
     - Cloud Foundry Vault Service Broker (https://www.hashicorp.com/blog/cloud-foundry-vault-service-broker)
     - Cloud Native Key Management, Justin Smith (https://www.youtube.com/watch?v=MvPIthr4kXA&t=1601s)
     - Sources and Presentation (https://github.com/andifalk/distributed-secure-configuration)
     All images used are from Pixabay and are published under the Creative Commons CC0 license. All used logos are trademarks of the corresponding companies.
 47. Q&A
     http://www.novatec-gmbh.de
     http://blog.novatec-gmbh.de
     andreas.falk@novatec-gmbh.de
     @NT_AQE, @andifalk
