3. Who am I
• Taswar Bhatti – Microsoft MVP since 2014
• Global Solutions Architect/System Architect at Gemalto
• In Software Industry since 2000
• I know Kung Fu (Languages)
13. Agenda
• Intro
• What are we trying to solve with KeyVault?
• What is Azure Key Vault
• Using Azure Key Vault with your application
• Managed Service Identity
• Demo
• HashiCorp Vault
• Best practices
• Questions
14. So what are secrets?
• A secret is anything that grants AuthN (authentication) or AuthZ (authorization) to a system
• Examples
• Usernames & passwords
• Database credentials
• API tokens
• TLS certificates and their private keys
18. Secret Sprawl
• Secrets end up in
• Source code
• Version control systems (GitHub, GitLab, Bitbucket etc.)
• Configuration management (Chef, Puppet, Ansible etc.)
20. Problems
• Configuration, secrets included, becomes part of the deployment artifact
• Multiple applications share the same configuration, so one leak exposes all of them
• Hard to have access control over the configuration
21. Issues
• How do we know who has access to those secrets?
• When was the last time they accessed them?
• What if we want to change or rotate the secrets?
22. Desired properties of secrets
• Encrypted at rest and in transit
• Only decrypted in memory
• Access control, with an audit trail of who read what
• Rotation & revocation
23. What is Azure Key Vault?
• Secrets Management - Azure Key Vault can be used to securely store and
tightly control access to tokens, passwords, certificates, API keys, and other
secrets.
• Key Management - Azure Key Vault can also be used as a Key Management
solution. Azure Key Vault makes it easy to create and control the
encryption keys used to encrypt your data.
• Certificate Management - Azure Key Vault is also a service that lets you
easily provision, manage, and deploy public and private Secure Sockets
Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and
your internal connected resources.
• Store secrets backed by Hardware Security Modules - Secrets and keys
can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.
31. Azure Key Vault
• Register your app with Azure Active Directory
• Use the app's associated credential (client ID + client secret) to get a token
• Present the token to Key Vault to retrieve your secrets
• PROBLEM SOLVED? Not quite: the credential that unlocks Key Vault is itself a secret, and it has to live somewhere
32. Adding it back to web.config
• The client secret that unlocks Key Vault ends up in web.config, so the secret problem has only moved:
<add key="ClientId" value="clientid" />
<add key="ClientSecret" value="clientsecret" />
<!-- SecretUri is the URI of the secret in Azure Key Vault -->
<add key="SecretUri" value="secreturi" />
33. Code that looks like this
using System.Web.Configuration;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL
// The client secret is read straight out of web.config
ClientCredential clientCred = new ClientCredential(
    WebConfigurationManager.AppSettings["ClientId"],
    WebConfigurationManager.AppSettings["ClientSecret"]);
36. Managed Service Identity (MSI)
• MSI (now called managed identities for Azure resources) gives your code an automatically managed identity for
authenticating to Azure services, so that you can keep credentials out
of your code and your configuration
• You create an identity for your application in Azure Active Directory using MSI; Azure creates and rotates the identity's credential, and your code only asks a local endpoint for a token
37. Benefits
• No client ID or client secret to store: the app still authenticates to Key Vault, but with a token fetched from the local MSI endpoint
• No credential in code or in web.config
• Easier to configure than registering an app and managing its client secret
• You can authenticate to any service that supports Azure AD
authentication
44. Unseal
• Unseal Key 1: QZdnKsOyGXaWoB2viLBBWLlIpU+tQrQy49D+Mq24/V0B
• Unseal Key 2: 1pxViFucRZDJ+kpXAeefepdmLwU6QpsFZwseOIPqaPAC
• Unseal Key 3: bw+yIvxrXR5k8VoLqS5NGW4bjuZym2usm/PvCAaMh8UD
• Unseal Key 4: o40xl6lcQo8+DgTQ0QJxkw0BgS5n6XHNtWOgBbt7LKYE
• Unseal Key 5: Gh7WPQ6rWgGTBRSMecuj8PR8IM0vMIFkSZtRNT4dw5MF
• Initial Root Token: 5b781ff4-eee8-d6a1-ea42-88428a7e8815
Vault initialized with 5 keys and a key threshold of 3. Please securely distribute the above keys. When the Vault is re-sealed, restarted, or stopped, you must provide at least 3 of these keys to unseal it again.
Vault does not store the master key. Without at least 3 keys, your Vault will remain permanently sealed.
• This is demo output: in real use each unseal key goes to a different key holder, and the initial root token is revoked once other auth methods and policies are in place
45. How to unseal
• Run the command three times, once with each of three different keys (Vault 0.9.2 and later spell this vault operator unseal):
• vault unseal -address=${VAULT_ADDR} QZdnKsOyGXaWoB2viLBBWLlIpU+tQrQy49D+Mq24/V0B
• vault unseal -address=${VAULT_ADDR} bw+yIvxrXR5k8VoLqS5NGW4bjuZym2usm/PvCAaMh8UD
• vault unseal -address=${VAULT_ADDR} Gh7WPQ6rWgGTBRSMecuj8PR8IM0vMIFkSZtRNT4dw5MF
• Passing the key on the command line leaves it in shell history; omit it and Vault prompts for it instead
46. Writing Secrets
• vault write -address=${VAULT_ADDR} secret/hello value=world
• vault read -address=${VAULT_ADDR} secret/hello
Key                 Value
---                 -----
refresh_interval    768h0m0s
value               world
47. Policy on secrets
• A policy grants capabilities on paths; applications (or the auth roles they log in with) are then bound to the policy. This one allows read-only access under secret/web/:
path "secret/web/*" {
policy = "read"
}
• vault policy write -address=${VAULT_ADDR} web-policy ${DIR}/web-policy.hcl
• policy = "read" is the legacy form; current Vault syntax is capabilities = ["read"]
48. Reading secrets based on policy
• With a token that carries only web-policy, reads under secret/web/ succeed and anything else is denied:
• vault read -address=${VAULT_ADDR} secret/web/web-apps
• vault read -address=${VAULT_ADDR} secret/hello
Error reading secret/hello: Error making API request.

URL: GET http://127.0.0.1:8200/v1/secret/hello
Code: 403. Errors:

* permission denied
49. Docker and Secrets
• Plain docker run has no secrets primitive (Swarm-mode secrets aside), so containers often receive secrets through environment variables
• Environment variables show up in docker inspect, in the process's /proc/<pid>/environ, and in anything that dumps the environment (crash reports, child processes)
51. Mount a tmpfs or host directory into the app
• docker run -v /hostsecrets:/secrets:ro … (or --tmpfs /secrets for memory-only storage)
• Mitigates exposure through the environment
• Store the wrap token in that filesystem for the app to use with Vault
• Give the wrap token a short TTL, so a token that leaks after the app has started is useless
52. Wrap Token for App Secrets
• Short-lived, single-use token
• Used to unwrap one response, here the app's secrets
• vault read -wrap-ttl=60s -address=http://127.0.0.1:8200 secret/weatherapp/config
Key                             Value
---                             -----
wrapping_token:                 35093b2a-60d4-224d-5f16-b802c82de1e7
wrapping_token_ttl:             1m0s
wrapping_token_creation_time:   2017-09-06 09:29:03.4892595 +0000 UTC
wrapping_token_creation_path:   secret/weatherapp/config
• Because the token can be unwrapped only once, the app should check creation_path (sys/wrapping/lookup) before unwrapping and treat a failed unwrap as a sign that someone else already used the token
53. Kubernetes with Vault
• The pod reads its service account JWT (mounted at /var/run/secrets/kubernetes.io/serviceaccount/token)
• The app sends the JWT and a role name to Vault's Kubernetes auth method (auth/kubernetes/login)
• Vault validates the JWT by sending it to the Kubernetes TokenReview API
• If the reviewed service account and namespace match the role, Vault sends back a Vault token carrying the role's policies
55. Best Practices or Patterns
• Cache-aside encryption key
• Tag each record with its encryption version
56. Cache-Aside Encryption Key
• Generate an AES data key locally and use Key Vault only to wrap (encrypt) it with a key that never leaves the vault
• Encrypt your data with the AES key rather than going back to Key Vault for every operation; keep the unwrapped key only in memory
• Cuts Key Vault call volume, latency and cost (penny-pinching Key Vault)
57. Tag Version of Encryption Level
• Each row of your database is tagged with the version of the key (or scheme) it was encrypted with
• When you rotate keys or change the encryption level, for example moving to a new encryption key, new and updated rows are written under the new version while old rows stay readable, so the data migrates to the new encryption eventually
60. Advantages
• You do not have to go through all the records to re-encrypt them up front
• Eventual encryption of all data under the new key
• Avoids a risky bulk update of every record
• Caveat: the old key version must stay available for decryption until the last row tagged with it has been re-encrypted