Successfully reported this slideshow.
Your SlideShare is downloading. ×

HashiCorp's Vault - The Examples

Jan. 26, 2017
9 likes 3,117 views
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Upcoming SlideShare
Vault - Secret and Key Management
Vault - Secret and Key Management
Loading in …3
×

Check these out next

Vault
dawnlua
Keeping a Secret with HashiCorp Vault
Mitchell Pronschinske
Introduction to Vault
Knoldus Inc.
Vault
Jean-Philippe Bélanger
Vault Open Source vs Enterprise v2
Stenio Ferreira
IPFS: The Permanent Web
Sivachandran Paramsivam
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz
Docker swarm
Alberto Guimarães Viana
1 of 42 Ad

HashiCorp's Vault - The Examples

Jan. 26, 2017
9 likes 3,117 views

Download to read offline

Technology

Get an overview of HashiCorp's Vault concepts.
Learn how to start a Vault server.

Learn how to use the Vault's postgresql backend.
See an overview of the Vault's SSH backend integration.

This presentation was held on the DigitalOcean Meetup in Berlin. Find more details here: https://www.meetup.com/DigitalOceanBerlin/events/237123195/

Get an overview of HashiCorp's Vault concepts.
Learn how to start a Vault server.

Learn how to use the Vault's postgresql backend.
See an overview of the Vault's SSH backend integration.

This presentation was held on the DigitalOcean Meetup in Berlin. Find more details here: https://www.meetup.com/DigitalOceanBerlin/events/237123195/

Technology
Advertisement

Recommended

Vault - Secret and Key Management
Anthony Ikeda
3.6k views
31 slides
Introducing Vault
Ramit Surana
1.2k views
34 slides
Neil Saunders (Beamly) - Securing your AWS Infrastructure with Hashicorp Vault
Outlyer
2k views
22 slides
Hashicorp Vault ppt
Shrey Agarwal
4.1k views
11 slides
Using Vault to decouple MySQL Secrets
Derek Downey
1.9k views
70 slides
Vault 101
Hazzim Anaya
465 views
39 slides
Secret Management with Hashicorp’s Vault
AWS Germany
2.3k views
100 slides
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Kangaroot
2.4k views
26 slides
Advertisement

More Related Content

Slideshows for you (20)

Vault
dawnlua
616 views
Keeping a Secret with HashiCorp Vault
Mitchell Pronschinske
1.3k views
Introduction to Vault
Knoldus Inc.
417 views
Vault
Jean-Philippe Bélanger
376 views
Vault Open Source vs Enterprise v2
Stenio Ferreira
1.5k views
IPFS: The Permanent Web
Sivachandran Paramsivam
3.2k views
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz
6.2k views
Docker swarm
Alberto Guimarães Viana
3.1k views
HashiCorp Vault Workshop:幫 Credentials 找個窩
smalltown
2.3k views
Scale Kubernetes to support 50000 services
LinuxCon ContainerCon CloudOpen China
6.4k views
Managing secrets at scale
Alex Schoof
6.1k views
Cilium + Istio with Gloo Mesh
Christian Posta
453 views
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
Andrey Devyatkin
709 views
A Case Study in Attacking KeePass
Will Schroeder
9.6k views
Designing High Availability for HashiCorp Vault in AWS
☁ Bryan Krausen
900 views
Helm intro
Haggai Philip Zagury
2.6k views
Improving HDFS Availability with Hadoop RPC Quality of Service
Ming Ma
3.9k views
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
Ji-Woong Choi
5.8k views
Docker Security Overview
Sreenivas Makam
12.8k views
Container Security
Salman Baset
439 views
Vault
dawnlua
616 views
30 slides
Keeping a Secret with HashiCorp Vault
Mitchell Pronschinske
1.3k views
26 slides
Introduction to Vault
Knoldus Inc.
417 views
12 slides
Vault
Jean-Philippe Bélanger
376 views
21 slides
Vault Open Source vs Enterprise v2
Stenio Ferreira
1.5k views
19 slides
IPFS: The Permanent Web
Sivachandran Paramsivam
3.2k views
19 slides

Similar to HashiCorp's Vault - The Examples (20)

Running Docker in Development & Production (#ndcoslo 2015)
Ben Hall
12.5k views
Null Bachaav - May 07 Attack Monitoring workshop.
Prajal Kulkarni
5.7k views
Continuous Delivery: The Next Frontier
Carlos Sanchez
1.6k views
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
Alessandro Arrichiello
2.2k views
Kafka security ssl
Heng-Xiu Xu
129 views
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
raccoony
10.7k views
X64服务器 lnmp服务器部署标准 new
Yiwei Ma
1.5k views
Docker Security workshop slides
Docker, Inc.
5.2k views
PHP London Dec 2013 - Varnish - The 9 circles of hell
luis-ferro
7.3k views
Keep it simple web development stack
Eric Ahn
913 views
AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ...
QCloudMentor
133 views
Start tracking your ruby infrastructure
Sergiy Kukunin
94 views
Into The Box 2018 Going live with commandbox and docker
Ortus Solutions, Corp
440 views
Going live with BommandBox and docker Into The Box 2018
Ortus Solutions, Corp
121 views
Django로 만든 웹 애플리케이션 도커라이징하기 + 도커 컴포즈로 개발 환경 구축하기
raccoony
3.9k views
Salesforce at Stacki Atlanta Meetup February 2016
StackIQ
928 views
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
Carlos Sanchez
16.9k views
How To Securely Set Up Shipyard 2.0.10 with TLS on CoreOS
VEXXHOST Private Cloud
88 views
Install elasticsearch, logstash and kibana
Chanaka Lasantha
30 views
Postgres the hardway
Dave Pitts
265 views
Running Docker in Development & Production (#ndcoslo 2015)
Ben Hall
12.5k views
91 slides
Null Bachaav - May 07 Attack Monitoring workshop.
Prajal Kulkarni
5.7k views
102 slides
Continuous Delivery: The Next Frontier
Carlos Sanchez
1.6k views
57 slides
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
Alessandro Arrichiello
2.2k views
37 slides
Kafka security ssl
Heng-Xiu Xu
129 views
25 slides
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
raccoony
10.7k views
80 slides
Advertisement

Recently uploaded (20)

TM Forum Open APIs: Enabling A Zero Intergration API economy.pdf
JuanLungA
3 views
OS ASSIGNMENT.pptx
SrishtiManchanda5
0 views
GDG Cloud Southlake #20:Stefano Doni: Kubernetes performance tuning dilemma: ...
James Anderson
25 views
Medical Oxygen Plant.pdf
MedicalOxygenPlant
2 views
PTZOptics - 2023 Presentation.pdf
Paul Richards
7 views
Brain_Computer_Interface_A_presentation.pptx
SaquibFarooq
0 views
Research Presentation.pptx
TinaRivera12
0 views
When Management Asks You: “Do You Accept Agile as Your Lord and Savior?"
admford
24 views
Q4.pdf
Diego Armando Guzmán
30 views
ppt.pptx
Revati Devrat
9 views
BA and data visualization.pdf
ssuser6aa125
3 views
Comparison Chat of PTFE By Rohit Damodaran
Rohit Damodaran
3 views
Pruebas Holísticas - Claudia Badell en Under Test
Claudia Badell
0 views
CNE Microproject Report.pdf
Nehaam3
0 views
Introduction to Knowledge Graphs for Information Architects.pdf
Heather Hedden
0 views
Augmented Reality for Learning and Accessibility
Shalin Hai-Jew
4 views
Operation Technology.docx
MuhammadKhalil502533
4 views
Bionic Eyes are Perfected Technology.docx
MuhammadKhalil502533
4 views
Digital.docx
MuhammadKhalil502533
0 views
PTZOptics Audio Visual Schematics and Live Streaming System Designs
Paul Richards
6 views
TM Forum Open APIs: Enabling A Zero Intergration API economy.pdf
JuanLungA
3 views
30 slides
OS ASSIGNMENT.pptx
SrishtiManchanda5
0 views
31 slides
GDG Cloud Southlake #20:Stefano Doni: Kubernetes performance tuning dilemma: ...
James Anderson
25 views
31 slides
Medical Oxygen Plant.pdf
MedicalOxygenPlant
2 views
4 slides
PTZOptics - 2023 Presentation.pdf
Paul Richards
7 views
52 slides
Brain_Computer_Interface_A_presentation.pptx
SaquibFarooq
0 views
20 slides

HashiCorp's Vault - The Examples

  1. 1. HashiCorp's Vault The Examples
  2. 2. Introduction
  3. 3. Basics Concepts
  4. 4. Vault is a "simple" HTTP service
  5. 5. How to make secrets secure? ● encryption ● renewing ● revoking
  6. 6. How to make secrets secure? ● encryption ● renewing ● revoking
  7. 7. How to make secrets secure? ● encryption ● renewing ● revoking
  8. 8. How to make secrets secure? ● encryption ● renewing ● revoking
  9. 9. How to make secrets secure? ● encryption ● renewing ● revoking
  10. 10. "Install" Vault
  11. 11. Do you know PGP? keybase.io?
  12. 12. Download Vault ./scripts/download
  13. 13. Download Vault # Download the 64bit binary curl -Os "https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_linux_amd64.zip" # Download checksums and signature curl -Os "https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_SHA256SUMS" curl -Os "https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_SHA256SUMS.sig" # Import the hashicorp public key curl "https://keybase.io/hashicorp/pgp_keys.asc" | gpg --import Sample link: https://releases.hashicorp.com/vault/0.6.4/
  14. 14. Download Vault # Verify the signature file is untampered. $ gpg2 --options $project_directory/.gnupg/gpg.conf --verify "vault_${vault_version}_SHA256SUMS.sig" "vault_${vault_version}_SHA256SUMS" # Verify the SHASUM matches the binary $ cat "vault_${vault_version}_SHA256SUMS" | grep "vault_${vault_version}_linux_amd64.zip" | shasum -a 256 -c -
  15. 15. Download Vault # Install Vault $ unzip "vault_${vault_version}_linux_amd64.zip"
  16. 16. Download Vault $ ./scripts/vault version Vault v0.6.4 ('f4adc7fa960ed8e828f94bc6785bcdbae8d1b263')
  17. 17. Add Vault to $PATH $ export PATH=$PATH:$PWD/scripts
  18. 18. Boot Vault
  19. 19. Vault in development
  20. 20. Vault development configuration $ cat configuration/development.hcl backend "file" { path = "data" } listener "tcp" { address = "127.0.0.1:8200" tls_disable = 1 } default_lease_ttl = "1h" max_lease_ttl = "2h" disable_mlock = true
  21. 21. Start Vault Server $ vault server -config=$PWD/configuration/development.hcl
  22. 22. Initialize Vault $ vault init -key-shares=1 -key-threshold=1
  23. 23. Unseal Vault Server $ vault unseal 4e02850adda5af588e290592d11d323fa1ce...
  24. 24. Vault in production
  25. 25. PostgreSQL Backend
  26. 26. Docker Compose Configuration $ cat .env.db POSTGRES_USER=vault POSTGRES_PASSWORD=vault POSTGRES_DB=vault
  27. 27. Docker Compose Configuration $ cat docker-compose.yml --- version: '2' services: db: image: "postgres:9.5.4" hostname: db env_file: - .env.db ports: - "9191:5432"
  28. 28. Start PostgreSQL $ docker-compose ps Name Command State Ports ---------------------------------------------------------------------------- vault_db_1 /docker-entrypoint.sh postgres Up 0.0.0.0:9191->5432/tcp $ docker-compose up -d
  29. 29. Mount the PostgreSQL backend $ vault mount -path=postgresql-test -default-lease-ttl=30m -max-lease-ttl=12h Postgresql Successfully mounted 'postgresql' at 'postgresql-test'!
  30. 30. Verify the PostgreSQL backend $ vault mounts | head -n1 && vault mounts | grep postgresql Path Type Default TTL Max TTL Description postgresql-test/ postgresql 1800 43200
  31. 31. Establish connection between PostgreSQL and Vault $ source .env.db $ vault write postgresql-test/config/connection connection_url="postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@0.0.0.0:9191 /${POSTGRES_DB}?sslmode=disable"
  32. 32. Tell Vault how to create PostgreSQL users SQL query in readable format CREATE ROLE "{{name}}" WITH LOGIN PASSWORD "{{password}}" VALID UNTIL "{{expiration}}"; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";
  33. 33. Tell Vault how to create PostgreSQL users $ vault write postgresql-test/roles/readonly sql="CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";" Success! Data written to: postgresql-test/roles/readonly
  34. 34. Generate user with password $ vault read -format=json postgresql-test/creds/readonly | tee postgresql-user-credentials.json | jq .
  35. 35. { "request_id": "b02b0a7f-9ea1-34f0-59fb-b25015114f5c", "lease_id": "postgresql-test/creds/readonly/40ff9937-8e6b-41c4-26c4-67e5c2be3024", "lease_duration": 3600, "renewable": true, "data": { "password": "130a6869-9e1a-94aa-c4ce-88bd5d7cc93e", "username": "root-42e196da-4b70-47cd-cc72-01fd791cdd84" }, "warnings": null } user with password - result
  36. 36. Connect to PostgreSQL $ username=$(jq -r .data.username postgresql-user-credentials.json) $ password=$(jq -r .data.password postgresql-user-credentials.json)
  37. 37. $ docker run --rm -it --link=vault_db_1:db --net vault_default --env PGPASSWORD="${password}" --env username="${username}" --env POSTGRES_DB="${POSTGRES_DB}" postgres:9.5.4 bash > psql --host=db --username="${username}" "${POSTGRES_DB}" Connect to PostgreSQL
  38. 38. > SELECT datname AS database, usename AS user FROM pg_stat_activity WHERE state = 'active'; database | user ---------+------------------------------------------- vault | root-45fb7d50-c99f-dd78-f3c5-e20b9636a300 (1 row) user with password
  39. 39. SSH Backend
  40. 40. Overview

×