Copyright © 2018 HashiCorp
Adopting HashiCorp Vault
Deployment, adoption and beyond.
Version: 1119.18
Whoami
Nicolas Corrarello
Regional Director, Solutions Engineering
Vault open source contributor
2+ years in HashiCorp
Can't honestly remember when I started using HashiCorp tools
Helped operationalise a number of large deployments
ncorrare
nicolas@hashicorp.com
What are we talking about?
1. Large scale Vault deployments: centralised capability, consumed by many groups
2. No wire-boarding required: local and multi-geo scaling solutions
3. Fully supported and up to best practice
4. No friction
5. Vault as a capability, not a tool: masking a problem vs addressing it
6. Pragmatic vs. Dogmatic: sanely running open source vs letting HashiCorp solve the problem for you
7. Properly documented and HashiCorp sanctioned: Yay! Documentation!
Day 0: Vault what??
secret
/ˈsiːkrɪt/
adjective
not known or seen or not meant to be known or seen by others. "how did you guess I'd got a secret plan?"
synonyms: confidential, strictly confidential, top secret, classified, restricted, unrevealed, undisclosed, unpublished, untold, unknown, uncommunicated, behind someone's back, under wraps, unofficial, off the record, not for publication/circulation, not to be made public, not to be disclosed
noun
something that is kept or meant to be kept unknown or unseen by others. "a state secret"
synonyms: confidential matter, confidence, private affair, skeleton in the cupboard; "he just can't keep a secret"
origin
late Middle English: from Old French, from Latin secretus (adjective) 'separate, set apart', from the verb secernere, from se- 'apart' + cernere 'sift'.
Keeping secrets
(Architecture diagram; the components it names are listed below.)
API
Audit
Identity: "What kind of secret can I access?" "To do what?"
  Auth methods: LDAP / AD, GitHub, Okta, MFA / Radius, AWS / Azure / GCP, Kubernetes, TLS, JWT, AppRole
Policy & Governance: "Under what conditions?"
Static Secrets
Dynamic Secrets: MySQL / PostgreSQL, Oracle / MSSQL / SAP Hana, Cassandra / MongoDB, Cloud (AWS / GCP / Azure), SSH / AD, PKI
EaaS (Encryption as a Service): Encrypt / Decrypt, Sign / Verify, HMAC / Hash, Entropy
Vault Cryptographic Model
So what encrypts what now?
Transport - TLS 1.2 or higher
Storage - AES 256
Key hierarchy behind the Barrier: Seal -> Master Key -> Storage Key
Single Site HA Deployment
(Architecture diagram)

Multi-Site HA Deployment
(Architecture diagram)
Day One: Let's get it running
Installing Vault
1. Immutable is preferred: more secure, less prone to having someone SSH into the system and poke memory
2. Configuration management helps: roles / modules / cookbooks available in your nearest registry
3. SELinux is not just for disabling
4. Vault is released quarterly, with minor releases monthly
5. Consul can help with Load Balancing: patterns available in our deployment guide
6. Telemetry & Audit: bring your ELK
7. Backup / Restore
Recovery Scenarios
1. Individual node failure: in case of an individual node failure, or up to two node failures, the solution will continue to run without operator intervention.
2. Cluster failure: if the Vault cluster fails, it can be reprovisioned using the same Storage Backend configuration.
3. Consul node failure: in case of an individual node failure, or up to two node failures, the solution will continue to run without operator intervention.
4. Consul quorum loss: if the Consul cluster were to lose quorum, there are alternatives to regain service availability, although the recommended approach from an RTO/RPO perspective is to fail over to a DR Cluster or promote a Performance Replica.
5. Seal key failure: if the Seal Key were deleted or unavailable, the only supported scenario is failing over to a DR Cluster or Performance Replica.
Initialization Ceremony

Organisational roles
Who does what?
1. Operator: the team or individuals charged with keeping Vault running. Traditionally the team that either works with Cloud account provisioning, SREs or the Infrastructure team.
2. Consumer: anyone that needs a secret!
3. Infosec / Crypto: key handling, rotation. Review architecture and policies.
4. Audit: review logs and metrics.
Day Two: Operationalise and consume
Namespaces
1. Not always the preferred choice: organisational maturity has a bearing on it
2. Most friction-less approach: from Vault silos to centralised capability
Secure introduction
What do you trust?
(Diagram) Client -> Authenticate identity against trusted identity providers -> Authentication (identity-based access / auth backends) -> Secrets (secrets management / secrets backends)
Consuming secrets
1. API: direct call to Vault
2. Templating: rendering secrets on configuration files
3. Environment Variables
4. 3rd Party Pass Through: use response wrapping!
Transit Key Officers
## Crypto officers
# List keys
path "transit/keys" {
  capabilities = ["list"]
}

# Create key material (keys live under transit/keys/<name>). Keys are non deletable
# and non exportable in unencrypted fashion because neither deletion_allowed nor
# exportable is whitelisted below; only aes256-gcm96 or rsa-4096 may be created.
path "transit/keys/*" {
  capabilities = ["create", "update"]
  allowed_parameters = {
    "allow_plaintext_backup" = ["false"]
    "type" = ["aes256-gcm96", "rsa-4096"]
    "convergent_encryption" = []
    "derived" = []
  }
}

# Rotate the example key "foo" (a POST to an existing path is an update operation)
path "transit/keys/foo/rotate" {
  capabilities = ["update"]
}
Transit Consumers
## Consumers
# Encrypt, decrypt and rewrap are POSTs to existing paths, i.e. update operations;
# "keyname" is the transit key the consumer is allowed to use.
# Encrypt information
path "transit/encrypt/keyname" {
  capabilities = ["update"]
}
# Decrypt information
path "transit/decrypt/keyname" {
  capabilities = ["update"]
}
# Rewrap information
path "transit/rewrap/keyname" {
  capabilities = ["update"]
}
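How Vault resolves the two policies above, as an added Python model (not Vault's own code): the policy rules that matter for these stanzas are reproduced in `explain`, which states why a request is allowed or denied, for instance why `exportable=true` on key creation or `deletion_allowed=true` on the key's config never get through the officers' policy, and why a consumer cannot create keys. Policy merging, the `+` segment wildcard and denied/required parameters exist in real Vault and are left out here.

```python
# Simplified model of how Vault's ACL evaluates the two transit policies above.
# Kept: a trailing '*' is a prefix glob, the most specific matching rule wins,
# capabilities are deny-by-default, and once a rule lists allowed_parameters any
# parameter not listed is denied while an empty value list means "any value".
# Left out (real Vault has them): merging of several policies, the '+' segment
# wildcard, denied_parameters and required_parameters.

# (path, capabilities, allowed_parameters) per stanza; "foo" is the slide's example key.
CRYPTO_OFFICERS = [
    ("transit/keys", {"list"}, None),
    ("transit/keys/*", {"create", "update"}, {
        "allow_plaintext_backup": ["false"],
        "type": ["aes256-gcm96", "rsa-4096"],
        "convergent_encryption": [],
        "derived": [],
    }),
    ("transit/keys/foo/rotate", {"update"}, None),
]
CONSUMERS = [
    ("transit/encrypt/keyname", {"update"}, None),
    ("transit/decrypt/keyname", {"update"}, None),
    ("transit/rewrap/keyname", {"update"}, None),
]


def path_matches(rule_path, request_path):
    """A rule ending in '*' matches any request path with that prefix; otherwise exact."""
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return request_path == rule_path


def explain(policy, operation, path, params=None):
    """Return (allowed, reason) for one request evaluated against one policy."""
    params = params or {}
    matches = [rule for rule in policy if path_matches(rule[0], path)]
    if not matches:
        return False, f"no path rule matches {path}"
    # Longest matching path wins, so transit/keys/foo/rotate beats transit/keys/*.
    rule_path, caps, allowed = max(matches, key=lambda rule: len(rule[0]))
    if operation not in caps:
        return False, f"{operation} is not a capability on {rule_path}"
    if allowed is not None:
        # Values are compared as sent; the Vault CLI sends every field as a string.
        for name, value in params.items():
            if name not in allowed:
                return False, f"parameter {name} is not whitelisted on {rule_path}"
            if allowed[name] and value not in allowed[name]:
                return False, f"value {value!r} is not permitted for {name}"
    return True, f"allowed by {rule_path}"


def is_allowed(policy, operation, path, params=None):
    return explain(policy, operation, path, params)[0]


if __name__ == "__main__":
    checks = [
        (CRYPTO_OFFICERS, "create", "transit/keys/foo", {"type": "aes256-gcm96"}),
        (CRYPTO_OFFICERS, "create", "transit/keys/foo", {"type": "aes256-gcm96", "exportable": "true"}),
        (CRYPTO_OFFICERS, "update", "transit/keys/foo/config", {"deletion_allowed": "true"}),
        (CRYPTO_OFFICERS, "update", "transit/keys/foo/rotate", None),
        (CONSUMERS, "update", "transit/encrypt/keyname", {"plaintext": "aGVsbG8="}),
        (CONSUMERS, "create", "transit/keys/keyname", {"type": "aes256-gcm96"}),
    ]
    for policy, op, path, params in checks:
        print(op, path, "->", explain(policy, op, path, params))
```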
Day N: Keep it running
Storage Key rotation
$ vault operator rotate
Key Term        3
Install Time    01 May 17 10:30 UTC

Master Key rotation
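A toy model of the key hierarchy on the Cryptographic Model slide and of the two rotations on the Day N slides (added illustration, not Vault's code; `Barrier`, `rotate`, `rekey` and `unseal` are names chosen here). It shows why `vault operator rotate` bumps the Key Term while entries written under earlier terms stay readable, and why a master key rotation re-wraps only the keyring and rewrites no data; the HMAC-SHA256 keystream plus tag stands in for AES-256-GCM only because the standard library has no AES, and the seal itself (Shamir shares or auto-unseal) is left out, the master key being passed in directly.

```python
import hashlib
import hmac
import json
import os
import struct


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256: a stand-in for AES, not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def aead_encrypt(key, plaintext, aad=b""):
    # Output is nonce || ciphertext || tag; the tag also covers the associated data.
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key, blob, aad=b""):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Barrier:
    """Data is encrypted with storage keys (one per key term, the keyring); the keyring is sealed under the master key."""

    def __init__(self, master_key):
        self.master_key = master_key
        self.keyring = {1: os.urandom(32)}  # key term -> storage key
        self.active_term = 1
        self.storage = {}                   # what the storage backend sees: path -> blob

    def put(self, path, value):
        term = self.active_term
        blob = aead_encrypt(self.keyring[term], value, aad=path.encode())
        # The term is stored with the ciphertext so old entries stay readable after rotation.
        self.storage[path] = struct.pack(">I", term) + blob

    def get(self, path):
        raw = self.storage[path]
        term = struct.unpack(">I", raw[:4])[0]
        return aead_decrypt(self.keyring[term], raw[4:], aad=path.encode())

    def rotate(self):
        """`vault operator rotate`: a new storage key term for new writes; old terms remain."""
        self.active_term = max(self.keyring) + 1
        self.keyring[self.active_term] = os.urandom(32)
        return self.active_term

    def sealed_keyring(self):
        """The keyring as it is persisted: encrypted under the master key only."""
        payload = json.dumps({str(t): k.hex() for t, k in self.keyring.items()}).encode()
        return aead_encrypt(self.master_key, payload, aad=b"core/keyring")

    def rekey(self, new_master_key):
        """Master key rotation: only the keyring is re-wrapped; no data entry is rewritten."""
        self.master_key = new_master_key
        return self.sealed_keyring()

    @classmethod
    def unseal(cls, master_key, sealed_keyring, storage):
        """Rebuild a barrier from persisted state; fails if the master key is wrong."""
        payload = aead_decrypt(master_key, sealed_keyring, aad=b"core/keyring")
        keyring = {int(t): bytes.fromhex(k) for t, k in json.loads(payload).items()}
        barrier = cls.__new__(cls)
        barrier.master_key, barrier.keyring = master_key, keyring
        barrier.active_term, barrier.storage = max(keyring), storage
        return barrier


def demo():
    """Write, rotate the storage key, write again, rekey the master key, reopen."""
    barrier = Barrier(os.urandom(32))
    barrier.put("secret/db", b"db-password")            # written under term 1
    before_rekey = barrier.storage["secret/db"]
    new_term = barrier.rotate()                         # Key Term 2 from now on
    barrier.put("secret/api", b"api-token")             # written under term 2
    new_master = os.urandom(32)
    sealed = barrier.rekey(new_master)                  # keyring re-wrapped, data untouched
    reopened = Barrier.unseal(new_master, sealed, barrier.storage)
    return {
        "new_term": new_term,
        "db_term": struct.unpack(">I", barrier.storage["secret/db"][:4])[0],
        "api_term": struct.unpack(">I", barrier.storage["secret/api"][:4])[0],
        "data_untouched_by_rekey": before_rekey == barrier.storage["secret/db"],
        "db": reopened.get("secret/db"),
        "api": reopened.get("secret/api"),
    }
```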
DR Promotion
Vault Adoption
The Whitepaper
Two years of best practice in Vault deployment
Reviewed by Engineering, Solutions Engineering, and Enterprise Architecture
Available today on the HashiCorp website
www.hashicorp.com
hello@hashicorp.com
Thank you

More Related Content

What's hot

Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Kangaroot
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Outlyer
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security OverviewSreenivas Makam
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...Andrey Devyatkin
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architectureYuechuan (Mike) Chen
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultJeff Horwitz
 
How to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams SafeHow to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams Safeconfluent
 
Hashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public SectorHashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public SectorKangaroot
 
Kafka Tutorial: Kafka Security
Kafka Tutorial: Kafka SecurityKafka Tutorial: Kafka Security
Kafka Tutorial: Kafka SecurityJean-Paul Azar
 
Big Data Redis Mongodb Dynamodb Sharding
Big Data Redis Mongodb Dynamodb ShardingBig Data Redis Mongodb Dynamodb Sharding
Big Data Redis Mongodb Dynamodb ShardingAraf Karsh Hamid
 
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker imagesRootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker imagesDaniel Garcia (a.k.a cr0hn)
 

What's hot (20)

Introducing Vault
Introducing VaultIntroducing Vault
Introducing Vault
 
HashiCorp's Vault - The Examples
HashiCorp's Vault - The ExamplesHashiCorp's Vault - The Examples
HashiCorp's Vault - The Examples
 
Vault
VaultVault
Vault
 
Vault 101
Vault 101Vault 101
Vault 101
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
 
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architecture
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
 
How to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams SafeHow to Lock Down Apache Kafka and Keep Your Streams Safe
How to Lock Down Apache Kafka and Keep Your Streams Safe
 
Hashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public SectorHashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public Sector
 
Kafka Tutorial: Kafka Security
Kafka Tutorial: Kafka SecurityKafka Tutorial: Kafka Security
Kafka Tutorial: Kafka Security
 
Big Data Redis Mongodb Dynamodb Sharding
Big Data Redis Mongodb Dynamodb ShardingBig Data Redis Mongodb Dynamodb Sharding
Big Data Redis Mongodb Dynamodb Sharding
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker imagesRootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
RootedCON 2017 - Docker might not be your friend. Trojanizing Docker images
 
Kafka Security
Kafka SecurityKafka Security
Kafka Security
 

Similar to Adopting HashiCorp Vault

Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2Stenio Ferreira
 
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...Amanda MacLeod
 
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...Amanda MacLeod
 
Provision to Production with Terraform Enterprise
Provision to Production with Terraform EnterpriseProvision to Production with Terraform Enterprise
Provision to Production with Terraform EnterpriseAmanda MacLeod
 
Hashicorp Corporate Pitch Deck Stenio_v2
Hashicorp Corporate Pitch Deck Stenio_v2 Hashicorp Corporate Pitch Deck Stenio_v2
Hashicorp Corporate Pitch Deck Stenio_v2 Stenio Ferreira
 
Oracle Modern AppDev Approach to Cloud & Container Native App
Oracle Modern AppDev Approach to Cloud & Container Native AppOracle Modern AppDev Approach to Cloud & Container Native App
Oracle Modern AppDev Approach to Cloud & Container Native AppPaulo Alberto Simoes ∴
 
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...Stenio Ferreira
 
Injecting Vault Secrets Into Kubernetes Pods via a Sidecar
Injecting Vault Secrets Into Kubernetes Pods via a SidecarInjecting Vault Secrets Into Kubernetes Pods via a Sidecar
Injecting Vault Secrets Into Kubernetes Pods via a SidecarMitchell Pronschinske
 
Dynamic Database Credentials with HashiCorp Vault
Dynamic Database Credentials with HashiCorp VaultDynamic Database Credentials with HashiCorp Vault
Dynamic Database Credentials with HashiCorp VaultKatie Reese
 
Overpowered Kubernetes: CI/CD for K8s on Enterprise IaaS
Overpowered Kubernetes: CI/CD for K8s on Enterprise IaaSOverpowered Kubernetes: CI/CD for K8s on Enterprise IaaS
Overpowered Kubernetes: CI/CD for K8s on Enterprise IaaSJ On The Beach
 
Orchestrating stateful applications with PKS and Portworx
Orchestrating stateful applications with PKS and PortworxOrchestrating stateful applications with PKS and Portworx
Orchestrating stateful applications with PKS and PortworxVMware Tanzu
 
Orchestrating Stateful Applications with PKS and Portworx
Orchestrating Stateful Applications with PKS and PortworxOrchestrating Stateful Applications with PKS and Portworx
Orchestrating Stateful Applications with PKS and PortworxCarlos Andrés García
 
Federico Cabiddu - VoIP2DAY 2016 | VoIP and RTC Troubleshooting using the Sip...
Federico Cabiddu - VoIP2DAY 2016 | VoIP and RTC Troubleshooting using the Sip...Federico Cabiddu - VoIP2DAY 2016 | VoIP and RTC Troubleshooting using the Sip...
Federico Cabiddu - VoIP2DAY 2016 | VoIP and RTC Troubleshooting using the Sip...VOIP2DAY
 
Building a fence around your Hadoop cluster
Building a fence around your Hadoop clusterBuilding a fence around your Hadoop cluster
Building a fence around your Hadoop clusterlarsfrancke
 
DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...
DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...
DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...raksac
 
Persistent Storage with Kubernetes in Production
Persistent Storage with Kubernetes in ProductionPersistent Storage with Kubernetes in Production
Persistent Storage with Kubernetes in ProductionCheryl Hung
 
Persistent Storage with Kubernetes in Production
Persistent Storage with Kubernetes in ProductionPersistent Storage with Kubernetes in Production
Persistent Storage with Kubernetes in ProductionCheryl Hung
 
blockchain workshop - blockchain and oabcs - solutions
blockchain workshop - blockchain and oabcs - solutionsblockchain workshop - blockchain and oabcs - solutions
blockchain workshop - blockchain and oabcs - solutionsJuarez Junior
 
Delivering Secret Zero: Vault AppRole with Terraform and Chef
Delivering Secret Zero: Vault AppRole with Terraform and ChefDelivering Secret Zero: Vault AppRole with Terraform and Chef
Delivering Secret Zero: Vault AppRole with Terraform and ChefAmanda MacLeod
 
Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018Lacework
 

Similar to Adopting HashiCorp Vault (20)

Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2Vault Open Source vs Enterprise v2
Vault Open Source vs Enterprise v2
 
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
 
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
 
Provision to Production with Terraform Enterprise
Provision to Production with Terraform EnterpriseProvision to Production with Terraform Enterprise
Provision to Production with Terraform Enterprise
 
Hashicorp Corporate Pitch Deck Stenio_v2
Hashicorp Corporate Pitch Deck Stenio_v2 Hashicorp Corporate Pitch Deck Stenio_v2
Hashicorp Corporate Pitch Deck Stenio_v2
 
Oracle Modern AppDev Approach to Cloud & Container Native App
Oracle Modern AppDev Approach to Cloud & Container Native AppOracle Modern AppDev Approach to Cloud & Container Native App
Oracle Modern AppDev Approach to Cloud & Container Native App
 
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
Secure and Convenient Workflows: Integrating HashiCorp Vault with Pivotal Clo...
 
Injecting Vault Secrets Into Kubernetes Pods via a Sidecar
Injecting Vault Secrets Into Kubernetes Pods via a SidecarInjecting Vault Secrets Into Kubernetes Pods via a Sidecar
Injecting Vault Secrets Into Kubernetes Pods via a Sidecar
 
Dynamic Database Credentials with HashiCorp Vault
Dynamic Database Credentials with HashiCorp VaultDynamic Database Credentials with HashiCorp Vault
Dynamic Database Credentials with HashiCorp Vault
 
Overpowered Kubernetes: CI/CD for K8s on Enterprise IaaS
Overpowered Kubernetes: CI/CD for K8s on Enterprise IaaSOverpowered Kubernetes: CI/CD for K8s on Enterprise IaaS
Overpowered Kubernetes: CI/CD for K8s on Enterprise IaaS
 
Orchestrating stateful applications with PKS and Portworx
Orchestrating stateful applications with PKS and PortworxOrchestrating stateful applications with PKS and Portworx
Orchestrating stateful applications with PKS and Portworx
 
Orchestrating Stateful Applications with PKS and Portworx
Orchestrating Stateful Applications with PKS and PortworxOrchestrating Stateful Applications with PKS and Portworx
Orchestrating Stateful Applications with PKS and Portworx
 
Federico Cabiddu - VoIP2DAY 2016 | VoIP and RTC Troubleshooting using the Sip...
Federico Cabiddu - VoIP2DAY 2016 | VoIP and RTC Troubleshooting using the Sip...Federico Cabiddu - VoIP2DAY 2016 | VoIP and RTC Troubleshooting using the Sip...
Federico Cabiddu - VoIP2DAY 2016 | VoIP and RTC Troubleshooting using the Sip...
 
Building a fence around your Hadoop cluster
Building a fence around your Hadoop clusterBuilding a fence around your Hadoop cluster
Building a fence around your Hadoop cluster
 
DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...
DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...
DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...
 
Persistent Storage with Kubernetes in Production
Persistent Storage with Kubernetes in ProductionPersistent Storage with Kubernetes in Production
Persistent Storage with Kubernetes in Production
 
Persistent Storage with Kubernetes in Production
Persistent Storage with Kubernetes in ProductionPersistent Storage with Kubernetes in Production
Persistent Storage with Kubernetes in Production
 
blockchain workshop - blockchain and oabcs - solutions
blockchain workshop - blockchain and oabcs - solutionsblockchain workshop - blockchain and oabcs - solutions
blockchain workshop - blockchain and oabcs - solutions
 
Delivering Secret Zero: Vault AppRole with Terraform and Chef
Delivering Secret Zero: Vault AppRole with Terraform and ChefDelivering Secret Zero: Vault AppRole with Terraform and Chef
Delivering Secret Zero: Vault AppRole with Terraform and Chef
 
Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018
 

Recently uploaded

Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfLivetecs LLC
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noidabntitsolutionsrishis
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....kzayra69
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 

Recently uploaded (20)

Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdf
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha

Adopting HashiCorp Vault

  • 1. Adopting HashiCorp Vault. Deployment, adoption and beyond. Version: 1119.18
  • 2. Whoami: Nicolas Corrarello, Regional Director, Solutions Engineering. Vault open source contributor; 2+ years in HashiCorp; can’t honestly remember when I started using HashiCorp tools; helped operationalise a number of large deployments. ncorrare, nicolas@hashicorp.com
  • 3. What are we talking about?
      1. Large scale Vault deployments: centralised capability, consumed by many groups
      2. No wire-boarding required: local and multi-geo scaling solutions
      3. Fully supported and up to best practice
      4. No friction
      5. Vault as a capability, not a tool: masking a problem vs addressing it
      6. Pragmatic vs. dogmatic: sanely running open source vs letting HashiCorp solve the problem for you
      7. Properly documented and HashiCorp sanctioned: Yay! Documentation!
  • 4. Day 0: Vault what??
  • 5. secret /ˈsiːkrɪt/ (Day Zero)
      adjective: not known or seen or not meant to be known or seen by others. "How did you guess I'd got a secret plan?" Synonyms: confidential, strictly confidential, top secret, classified, restricted, unrevealed, undisclosed, unpublished, untold, unknown, uncommunicated, behind someone's back, under wraps, unofficial, off the record, not for publication/circulation, not to be made public, not to be disclosed.
      noun: something that is kept or meant to be kept unknown or unseen by others. "A state secret." Synonyms: confidential matter, confidence, private affair, skeleton in the cupboard. "He just can't keep a secret."
      origin: late Middle English: from Old French, from Latin secretus (adjective) ‘separate, set apart’, from the verb secernere, from se- ‘apart’ + cernere ‘sift’.
  • 6. Keeping secrets (architecture diagram, Day Zero)
      Auth methods: LDAP / AD, GitHub, Okta, MFA / Radius, AWS / Azure / GCP, Kubernetes, TLS, JWT, AppRole
      Identity, Policy & Governance: “What kind of secret can I access?” “To do what?” “Under what conditions?”
      Static Secrets
      Dynamic Secrets: MySQL / PostgreSQL, Oracle / MSSQL / SAP Hana, Cassandra / MongoDB, Cloud (AWS / GCP / Azure), SSH / AD, PKI
      EaaS (Encryption as a Service): Encrypt / Decrypt, Sign / Verify, HMAC / Hash, Entropy
      Cross-cutting: API, Audit
  • 7. Vault Cryptographic Model: so what encrypts what now? (Day Zero)
      Transport: TLS 1.2 or higher
      Storage: AES 256, behind the barrier
      Key hierarchy: the Seal protects the Master Key, which protects the Storage Key
  • 8. Single Site HA Deployment (diagram)
  • 9. Multi-Site HA Deployment (diagram)
  • 10. Day One: Let’s get it running
  • 11. Installing Vault
      1. Immutable is preferred: more secure, less prone to having someone SSH into the system and poke memory
      2. Configuration management helps: roles / modules / cookbooks available in your nearest registry
      3. SELinux is not just for disabling
      4. Vault is released quarterly, with minor releases monthly
      5. Consul can help with load balancing: patterns available in our deployment guide
      6. Telemetry & Audit: bring your ELK
      7. Backup / Restore
  • 12. Recovery Scenarios
      1. Individual node failure: in case of an individual node failure, or up to two node failures, the solution will continue to run without operator intervention.
      2. Cluster failure: if the Vault cluster fails, it can be reprovisioned using the same Storage Backend configuration.
      3. Consul node failure: in case of an individual node failure, or up to two node failures, the solution will continue to run without operator intervention.
      4. Consul quorum loss: if the Consul cluster were to lose quorum, there are alternatives to regain service availability, although the recommended approach from an RTO/RPO perspective is to fail over to a DR Cluster or promote a Performance Replica.
      5. Seal key failure: if the Seal Key was to be deleted or unavailable, the only supported scenario is failing over to a DR Cluster or Performance Replica.
  • 14. Organisational roles: who does who?
      1. Operator: the team or individuals charged with keeping Vault running. Traditionally the team that either works with cloud account provisioning, SREs or the infrastructure team.
      2. Consumer: anyone that needs a secret!
      3. Infosec / Crypto: key handling, rotation. Review architecture and policies.
      4. Audit: review logs and metrics.
  • 15. Day Two: Operationalise and consume
  • 16. Namespaces
      1. Not always the preferred choice: organisational maturity has weigh-ins
      2. Most friction-less approach: from Vault silos to centralised capability
  • 17. Secure introduction: what do you trust? (diagram)
      Client → Authenticate identity against trusted identity providers (authentication, identity-based access backends) → Secrets (secrets management backends)
  • 18. Consuming secrets
      1. API: direct call to Vault
      2. Templating: rendering secrets on configuration files
      3. Environment variables
      4. 3rd party pass through: use response wrapping!
  • 19. Transit Key Officers (policy)

      ## Crypto officers
      # Create key material: non deletable, non exportable in unencrypted fashion,
      # only aes-256 or rsa-4096. Keys are created at transit/keys/<name>, so the
      # rule needs a trailing glob; a bare "transit/keys" path would not match any key.
      path "transit/keys/*" {
        capabilities = ["create", "update"]
        allowed_parameters = {
          "allow_plaintext_backup" = ["false"]
          "type" = ["aes256-gcm96", "rsa-4096"]
          "convergent_encryption" = []
          "derived" = []
        }
      }

      # List keys
      path "transit/keys" {
        capabilities = ["list"]
      }

      # Rotate key (a POST that Vault treats as an update, so grant update as well as create)
      path "transit/keys/foo/rotate" {
        capabilities = ["create", "update"]
      }
  • 20. Transit Consumers (policy)

      ## Consumers
      # Encrypt, decrypt and rewrap are POST endpoints that Vault treats as
      # update operations on an existing key, so "create" alone is not enough.
      # Encrypt information
      path "transit/encrypt/keyname" {
        capabilities = ["create", "update"]
      }

      # Decrypt information
      path "transit/decrypt/keyname" {
        capabilities = ["create", "update"]
      }

      # Rewrap information
      path "transit/rewrap/keyname" {
        capabilities = ["create", "update"]
      }
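The two transit policies above (slides 19 and 20) only do what their comments promise if Vault's path matching and allowed_parameters behave as the key officers expect. The following Python is an added example, not code from the talk or from Vault: it models those two ACL rules (exact-vs-glob path matching with the most specific path winning, and allowed_parameters whitelisting) so the key-officer policy can be exercised offline; comparing values as lower-cased strings is an assumed simplification.

```python
# Added example, not Vault's own code: a minimal model of the two ACL rules the
# transit policies above rely on, so that they can be tried offline.
#   1. a policy path matches exactly unless it ends in "*" (prefix glob), and
#      the longest matching path wins;
#   2. allowed_parameters limits the request body: an unlisted key is denied,
#      a listed key must take one of the listed values, [] permits any value.
# Assumed simplification: values are compared as lower-cased strings.

def path_matches(policy_path, request_path):
    if policy_path.endswith("*"):
        return request_path.startswith(policy_path[:-1])
    return policy_path == request_path

def select_rule(policy, request_path):
    """Most specific (longest) matching policy path, or None if nothing matches."""
    matches = [p for p in policy if path_matches(p, request_path)]
    return max(matches, key=len) if matches else None

def params_allowed(rule, params):
    allowed = rule.get("allowed_parameters")
    if not allowed:            # no allowed_parameters on this path: anything goes
        return True
    for key, value in params.items():
        if key not in allowed:
            return False       # e.g. "exportable": not listed, so denied
        permitted = [str(v).lower() for v in allowed[key]]
        if permitted and str(value).lower() not in permitted:
            return False       # listed key, but value outside the allowed set
    return True

def authorize(policy, capability, request_path, params=None):
    rule_path = select_rule(policy, request_path)
    if rule_path is None or capability not in policy[rule_path]["capabilities"]:
        return False
    return params_allowed(policy[rule_path], params or {})

# The key-officer policy from slide 19. Keys live at transit/keys/<name>, so the
# create/update rule needs the trailing glob; a bare "transit/keys" never matches.
KEY_OFFICERS = {
    "transit/keys/*": {
        "capabilities": ["create", "update"],
        "allowed_parameters": {
            "allow_plaintext_backup": ["false"],
            "type": ["aes256-gcm96", "rsa-4096"],
            "convergent_encryption": [], "derived": [],   # [] = any value
        },
    },
    "transit/keys": {"capabilities": ["list"]},
    "transit/keys/foo/rotate": {"capabilities": ["create", "update"]},
}
```

Try `authorize(KEY_OFFICERS, "create", "transit/keys/foo", {"type": "aes128-gcm96"})` against `{"type": "aes256-gcm96"}` to see the type whitelist in action, and replace the glob path with the slide's bare `transit/keys` to see why key creation would then be denied.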
  • 21. Day N: Keep it running
  • 22. Storage Key rotation

      $ vault operator rotate
      Key Term        3
      Install Time    01 May 17 10:30 UTC
  • 23. Master Key rotation
  • 24. DR Promotion
  • 25. Vault Adoption
  • 26. The Whitepaper: two years of best practice in Vault deployment. Reviewed by Engineering, Solutions Engineering, and Enterprise Architecture. Available today on the HashiCorp website.