Hashicorp Vault ppt

Hashicorp Vault PPT for rootconf 2017
https://www.vaultproject.io/

  1. Working With Secrets: Evaluating HashiCorp Vault
  2. Problem
     • Storing secrets that are currently far too widely accessible (AWS S3 keys, encryption keys)
     • Generating leased credentials for AWS and databases
     • Easy key revocation
     • A secure audit trail for key generation and access
  3. Vault Architecture
  4. (Un-)Sealing: the master key is split into n shares with a threshold t. t = n is the safest (every holder must cooperate, but losing one share locks Vault for good); t = 1 is the easiest (any single share holder can unseal on their own).
  5. Vault Initial Working [CLI]. These are the Vault 0.x command names; later releases renamed them to `vault operator init`, `vault operator unseal`, `vault login`, `vault audit enable` and `vault operator seal`.

     ```shell
     $ vault server -dev
     $ vault init -key-shares=1 -key-threshold=1
     $ vault unseal 69b6b254c098496eee6c6eb5d6f3aa414f66327fabf123bd4f1018a3f133b8d6
     $ vault auth 10f7b1c0-f7cf-b466-c7ca-d2be9c6a442b
     $ vault audit-enable file file_path=/var/log/vault/audit.log
     $ vault write secret/hello value=world
     $ vault read secret/hello
     $ vault seal
     $ vault write secret/hello value=world
     Error writing data to secret/hello: Error making API request.

     URL: PUT http://127.0.0.1:47876/v1/secret/hello
     Code: 503. Errors:

     * Vault is sealed
     $ vault read secret/hello
     Error reading secret/hello: Error making API request.

     URL: GET http://127.0.0.1:47876/v1/secret/hello
     Code: 503. Errors:

     * Vault is sealed
     ```

     Note: a `-dev` server starts already initialised and unsealed, so `init` and `unseal` only matter against a real server. Once sealed, every data request fails with HTTP 503 until the threshold of unseal keys has been supplied again; the audit log keeps recording the attempts.
  6. App and Vault
     • Always-unsealed approach (the one Vault itself suggests): keep Vault unsealed at all times and seal it only when a threat is realised.
     • Always-sealed approach: on app deployment or reload, the reload waits for an unsealed Vault state; the release engineer (or automation) unseals it; the app/release script re-seals it automatically afterwards.
  7. Secure Distribution of Keys
     • Most vulnerable at key generation: whoever runs `init` sees every share in plain text.
     • Encrypt the shares with OpenPGP keys, one per holder, so each holder can decrypt only their own share:
       $ vault init -key-shares=3 -key-threshold=2 -pgp-keys="keybase:a,keybase:b,keybase:c"
  8. Best Practices
     • Use tokens for authentication; policies attached to tokens are the only built-in ACL.
     • Use the cubbyhole backend (per-token storage that only the owning token can read); custom backends are not pluggable yet.
     • Safeguard the storage backend, e.g. encrypted AWS EBS volumes with keys held in AWS KMS.
  9. High Availability
     • Vault supports a cluster setup: one active node plus standbys.
     • This needs an HA-capable storage backend such as Consul or MySQL HA.
  10. Outside Vault's Threat Model
     • Vulnerabilities in the algorithms and protocols it relies on: Shamir's secret sharing, HTTP(S)/TLS.
     • Third-party storage backends are treated as untrusted: they hold only encrypted data and contribute nothing to security.
     • Vulnerabilities in the instance or OS Vault runs on (the running process holds the master key in memory).
  11. Thank you. @agarwalshrey, shrey.agarwal@paytm.com
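The n/n versus 1/n trade-off in slide 4 is a property of Shamir's secret sharing, which Vault uses to split its master key into unseal shares. The following is an added example, not Vault's own code and not from the talk: a simplified reimplementation over GF(2^8) (the same field Vault uses) in which the share x-coordinates are fixed at 1..n and shares carry no integrity tag, so it illustrates the threshold behaviour rather than reproducing Vault's share format. Any t of the n shares recover the secret; fewer than t yield bytes unrelated to it.

```python
"""Shamir's secret sharing over GF(2^8), the field Vault uses to split its
master key into n unseal shares with threshold t.
Added illustration, not Vault's code: x-coordinates are fixed at 1..n and
shares carry no integrity tag (Vault's real share format differs)."""
import secrets
from typing import List

_POLY = 0x11B  # reducing polynomial x^8 + x^4 + x^3 + x + 1


def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements (0..255) by shift-and-add with reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= _POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse via a^254 (a^255 == 1 for every a != 0)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term (the secret byte)."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def split(secret: bytes, shares: int, threshold: int) -> List[bytes]:
    """Return `shares` shares; any `threshold` of them recover `secret`.
    Share layout: byte 0 is the x-coordinate, the rest are y values,
    one per secret byte."""
    if not 1 <= threshold <= shares <= 255:
        raise ValueError("need 1 <= threshold <= shares <= 255")
    out = [bytearray([x]) for x in range(1, shares + 1)]
    for s in secret:
        # A fresh random polynomial of degree threshold-1 for every secret byte
        coeffs = [s] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for share in out:
            share.append(_eval_poly(coeffs, share[0]))
    return [bytes(sh) for sh in out]


def combine(shares: List[bytes]) -> bytes:
    """Lagrange-interpolate each byte at x = 0. With fewer than `threshold`
    shares this still returns bytes, but they are unrelated to the secret."""
    xs = [sh[0] for sh in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share supplied")
    if len({len(sh) for sh in shares}) != 1:
        raise ValueError("shares have different lengths")
    secret = bytearray()
    for i in range(1, len(shares[0])):
        acc = 0
        for j, sj in enumerate(shares):
            num, den = 1, 1
            for m, xm in enumerate(xs):
                if m != j:
                    num = gf_mul(num, xm)          # (0 - x_m) == x_m in characteristic 2
                    den = gf_mul(den, xs[j] ^ xm)  # (x_j - x_m)
            acc ^= gf_mul(sj[i], gf_mul(num, gf_inv(den)))
        secret.append(acc)
    return bytes(secret)
```

`split(key, 5, 3)` models `-key-shares=5 -key-threshold=3`; `split(key, 3, 3)` is the n/n case where every holder is needed, and `split(key, 3, 1)` the 1/n case where each share on its own is the secret.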

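The always-sealed flow in slide 6 (deployment waits for an unsealed Vault, automation unseals it, the release script re-seals) maps onto three HTTP API endpoints: GET sys/seal-status, PUT sys/unseal with one share per call, and PUT sys/seal, which needs a token whose policy allows it. The following added example, not part of the talk and not Vault's own code, implements that loop in Python. HttpVault is a minimal urllib transport for a real server (address and token are assumed); FakeVault is a constructed in-memory stand-in that approximates Vault's seal state machine (a duplicate share is ignored, and once t shares are in either the barrier unseals or progress resets with an error) so the module runs offline.

```python
"""Unseal/seal automation against the Vault HTTP API:
  GET /v1/sys/seal-status, PUT /v1/sys/unseal {"key": share}, PUT /v1/sys/seal.
Added example, not Vault's code. HttpVault talks to a real server; FakeVault is
a constructed stand-in so the module runs offline."""
import json
import time
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional


class HttpVault:
    """Minimal urllib transport. `addr` like http://127.0.0.1:8200 (assumed);
    a token is only needed for sys/seal, seal-status and unseal are unauthenticated."""

    def __init__(self, addr: str, token: Optional[str] = None) -> None:
        self.addr, self.token = addr.rstrip("/"), token

    def request(self, method: str, path: str, body: Optional[Dict] = None) -> Dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{self.addr}/v1/{path}", data=data, method=method)
        req.add_header("Content-Type", "application/json")
        if self.token:
            req.add_header("X-Vault-Token", self.token)
        # A rejected share comes back as HTTP 400, which urllib raises as HTTPError
        with urllib.request.urlopen(req, timeout=5) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}


class FakeVault:
    """In-memory approximation of the seal state machine (constructed for this
    example): duplicate shares are ignored; when t shares are in, either the
    barrier unseals or progress resets with an error."""

    def __init__(self, shares: List[str], threshold: int) -> None:
        self.valid, self.t, self.n = set(shares), threshold, len(shares)
        self.sealed, self.parts = True, []

    def _status(self) -> Dict:
        return {"sealed": self.sealed, "t": self.t, "n": self.n,
                "progress": len(self.parts)}

    def request(self, method: str, path: str, body: Optional[Dict] = None) -> Dict:
        if path == "sys/seal-status":
            return self._status()
        if path == "sys/unseal":
            if self.sealed:
                key = body["key"]
                if key not in self.parts:
                    self.parts.append(key)
                if len(self.parts) == self.t:
                    ok = all(p in self.valid for p in self.parts)
                    self.parts = []
                    if not ok:
                        raise RuntimeError("unseal failed: invalid key share(s)")
                    self.sealed = False
            return self._status()
        if path == "sys/seal":
            self.sealed, self.parts = True, []
            return {}
        raise KeyError(path)


def seal_status(vault) -> Dict:
    return vault.request("GET", "sys/seal-status")


def unseal(vault, shares: Iterable[str]) -> Dict:
    """Release-engineer step: feed shares one per call until sealed == false."""
    status = seal_status(vault)
    for share in shares:
        if not status["sealed"]:
            break
        status = vault.request("PUT", "sys/unseal", {"key": share})
    if status["sealed"]:
        raise RuntimeError(f"still sealed: {status['progress']}/{status['t']} shares")
    return status


def wait_until_unsealed(vault, timeout: float, poll: float = 1.0,
                        sleep: Callable[[float], None] = time.sleep,
                        clock: Callable[[], float] = time.monotonic) -> bool:
    """App-deployment step: block until Vault reports unsealed, or give up."""
    deadline = clock() + timeout
    while True:
        if not seal_status(vault)["sealed"]:
            return True
        if clock() >= deadline:
            return False
        sleep(poll)


def seal(vault) -> None:
    """Re-seal after the release (the token must be allowed to call sys/seal)."""
    vault.request("PUT", "sys/seal")
```

Against a real server, `HttpVault("http://127.0.0.1:8200", token)` replaces the fake; the app side only ever calls `wait_until_unsealed`, while the release automation holds the shares and calls `unseal` and `seal`.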