
Nodejsvault austin2019

Introduction to using HashiCorp Vault with your NodeJS application: how to store your secrets when running a cloud application in Node.js. Meetup in Austin, Texas, May 2019 (https://www.meetup.com/austinnodejs/events/srwjzqyzhbtb/)

Published in: Software

  1. Using Vault for your NodeJS Secrets • Taswar Bhatti – System/Solutions Architect, Gemalto / Thales
  2. Secrets
  3. About me • Taswar Bhatti (Microsoft MVP) • @taswarbhatti • http://taswar.zeytinsoft.com • Gemalto / Thales (System Solutions Architect) • I know Kung Fu (languages)
  4. In Ottawa, Canada
  5. What are secrets? • So what are secrets?
  6. Secrets • A craving for 3 am tacos
  7. So what are secrets? • A secret grants you authentication (AuthN) or authorization (AuthZ) to a system • Examples • Usernames & passwords • Database credentials • API tokens • TLS certs
  8. Secrets allow you to enter
  9. Today's secret sprawl • Secrets end up in • Source code • Version control systems (GitHub, GitLab, Bitbucket, etc.) • Configuration management (Chef, Puppet, Ansible, etc.)
  10. Issues • How do we know who has access to those secrets? • When was the last time they accessed them? • What if we want to change/rotate the secrets?
  11. Desired properties • Encryption at rest and in transit • Only decrypted in memory • Access control • Rotation & revocation
  12. Secure secrets • AES-256-GCM encryption • TLS 1.2 for clients • No HSM is required
  13. Secret management with Vault • Centralized secret management • Encrypted at rest and in transit • Lease and renewal • ACLs (policies) • Audit trail • Multiple client auth methods (LDAP, GitHub, AppRole) • Dynamic secrets • Encryption as a service
  14. Dynamic secrets • Lease a secret for a period of time, e.g. 2 hrs • Generated on demand and unique for each user/consumer, so a leaked credential can be traced to one consumer and revoked on its own • Audit trail • E.g. database connection strings as dynamic secrets
  15. Unsealing the Vault • Vault needs its master key to decrypt its data, and it does not store that key • Shamir's Secret Sharing • The master key is split into multiple key shares, and a threshold of them must be supplied to unseal
  16. Shamir's Secret Sharing (diagram)
  17. Unseal • Sample `vault operator init` output (older CLI: `vault init`), as shown on the slide: • Unseal Key 1: QZdnKsOyGXaWoB2viLBBWLlIpU+tQrQy49D+Mq24/V0B • Unseal Key 2: 1pxViFucRZDJ+kpXAeefepdmLwU6QpsFZwseOIPqaPAC • Unseal Key 3: bw+yIvxrXR5k8VoLqS5NGW4bjuZym2usm/PvCAaMh8UD • Unseal Key 4: o40xl6lcQo8+DgTQ0QJxkw0BgS5n6XHNtWOgBbt7LKYE • Unseal Key 5: Gh7WPQ6rWgGTBRSMecuj8PR8IM0vMIFkSZtRNT4dw5MF • Initial Root Token: 5b781ff4-eee8-d6a1-ea42-88428a7e8815 • Vault initialized with 5 keys and a key threshold of 3. Please securely distribute the above keys. When the Vault is re-sealed, restarted, or stopped, you must provide at least 3 of these keys to unseal it again. Vault does not store the master key. Without at least 3 keys, your Vault will remain permanently sealed.
  18. How to unseal • Any 3 of the 5 shares suffice; each is submitted in its own call: • vault unseal -address=${VAULT_ADDR} QZdnKsOyGXaWoB2viLBBWLlIpU+tQrQy49D+Mq24/V0B • vault unseal -address=${VAULT_ADDR} bw+yIvxrXR5k8VoLqS5NGW4bjuZym2usm/PvCAaMh8UD • vault unseal -address=${VAULT_ADDR} Gh7WPQ6rWgGTBRSMecuj8PR8IM0vMIFkSZtRNT4dw5MF • (On current Vault CLIs the command is `vault operator unseal`; `vault unseal` on the slide is the older spelling.)
  19. Writing secrets as key/value • vault kv put secret/hello value=world • vault kv get secret/hello • vault kv delete secret/hello
  20. Policy on secrets • We can assign application roles to the policy • path "secret/web/*" { policy = "read" } • vault policy write -address=${VAULT_ADDR} web-policy ${DIR}/web-policy.hcl • (`policy = "read"` is the legacy policy syntax; current Vault writes it as `capabilities = ["read"]`. The trailing `*` makes the rule cover every path under secret/web/.)
  21. Reading secrets based on policy • A token holding only web-policy can read under secret/web/ and nothing else: • vault read -address=${VAULT_ADDR} secret/web/web-apps (succeeds) • vault read -address=${VAULT_ADDR} secret/hello • Error reading secret/hello: Error making API request. URL: GET http://127.0.0.1:8200/v1/secret/hello Code: 403. Errors: * permission denied
  22. Docker environment variables • Issues with env variables: the container's environment is readable with `docker inspect` by anyone with access to the Docker socket, is inherited by every child process the app spawns, and is easily leaked into logs • var apiKey = process.env.apiKey • sudo docker run -d -t -i -e APIKEY='1234' -e POSTGRES_ENV_POSTGRES_PASSWORD='foo'
  23. Mount a temp filesystem into the app • docker run -v /hostsecrets:/secrets .... • Mitigates reading secrets from env • Store your wrap token in the filesystem to use with Vault • Put a short TTL on the wrap token
  24. Wrap token for app secrets • Time-limited token • Used to unwrap some secrets; a wrapping token is also single-use, so if the app's unwrap fails, someone else already took the secret • vault read -wrap-ttl=60s -address=http://127.0.0.1:8200 secret/weatherapp/config • wrapping_token: 35093b2a-60d4-224d-5f16-b802c82de1e7 • wrapping_token_ttl: 1m0s • wrapping_token_creation_time: 2017-09-06 09:29:03.4892595 +0000 UTC • wrapping_token_creation_path: secret/weatherapp/config
  25. AppRoles • Allow machines or apps to authenticate with Vault • Using a role_id and secret_id as credentials • Assign policies to the app's role • Once logged in you get back a token used to read secrets
  26. Kubernetes with Vault • The app reads its service account JWT • The app sends the JWT and role name to Vault • Vault checks the JWT signature • Vault sends it to the Kubernetes TokenReview API • Vault sends back a valid token for the app
  27. Thank you • Contact me (taswar@gmail.com) • @taswarbhatti
