SlideShare a Scribd company logo
The BlackBox project
Safely storing secrets and credentials in Git
for use by Puppet
Tom Limoncelli, SRE, StackExchange.com
Blog: EverythingSysadmin.com
125+ Q&A Communities
ServerFault.com
StackOverflow.com
(We <3 Puppet!)
StackExchange.com
What are secrets?
Anything you don’t want exposed externally.
● SSL Certificates (the private bits)
● Passwords
● API keys
Puppet manages secrets
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use by Puppet: The BlackBox project (Intermediate) - Thomas A. Limoncelli, Stack Exchange
If you store
secrets in git,
you’re gonna
have a bad
time.
● Laptops get stolen.
● Workstations have guest accounts
● “Circle of Trust” now includes:
○ Everyone with admin access to workstations.
■ Your desktop support people?
○ Everyone with admin access to your git server:
■ Server team, storage team, backup team
○ Everyone you collaborate with that wants read-only
access to Puppet manifests.
You have 3 bad options:
1. Deny git access. (Hurts collaboration)
2. Permit git access. (Hurts security)
3. Email individual files. (Hurts… just hurts)
Option 4: Encrypt secret parts
● If a file contains secrets, encrypt before
checking into Git.
● Need to edit a secret?
○ Decrypt - Edit - Encrypt
What about Puppet master?
● After “git pull”, decrypt all files.
○ Automate this as part of CI.
● Files are unencrypted “at rest”.
● This does not decrease security:
○ No worse than what we were doing before.
○ If you can break into root or puppet on the master,
you’ve already won.
Easy, right?
Decrypt:
gpg -q --decrypt -o secret.crt secret.crt.gpg
Encrypt:
gpg --yes --trust-model=always --encrypt
-o secret.crt.gpg $(<keynames) secret.crt
Easy, right?
Decrypt:
gpg -q --decrypt -o secret.crt secret.crt.gpg
Encrypt:
gpg --yes --trust-model=always --encrypt
-o secret.crt.gpg $(<keynames) secret.crt
● ...and don’t make any typos when entering the command
● ...and don't accidentally check in the unencrypted version
Security is 1% technology plus 99% following
the procedures correctly.
Any process with more than 1 step probably
won't be followed consistently most of the time.
Related reading: "Why Johnny Can't Encrypt: A Usability Evaluation of PGP
5.0”, Alma Whitten", Usenix Security 1999
Therefore…. we automate
Introducing: Blackbox
Scripts for keeping Puppet secrets in git/hg.
User commands:
Decrypt for editing:
blackbox_edit_start.sh file
Encrypt when done:
blackbox_edit_end.sh file
First time a file is encrypted:
Enroll a file into the system:
blackbox_register_new_file.sh file
Commands that act on all GPG files:
Decrypt all files: (for use on puppet master)
blackbox_postdeploy.sh
Re-encrypt all files: (after new users added)
blackbox_update_all_files.sh
Everyone has their own key
This doesn’t use “symmetric encryption” where
there is one passphrase to decrypt/encrypt all
files.
We maintain a keyring of:
● Each person that should have access.
● A key for the Puppet master.
Indoctrinate a new user:
1. New user does this:
● Create GPG key.
● Add their username@host to blackbox-admins.
txt
● git commit -a
(Currently a doc, not a script. Patches gladly accepted.)
Indoctrinate a new user:
2. Existing admin does this:
$ gpg --import keyrings/live/pubring.gpg
$ blackbox_update_all_files.sh
$ git commit -a
Demo: Edit a file
Demo: Edit a file
Demo: Edit a file
Demo: Edit a file
Demo: Edit a file
Demo: Edit a file
Demo: Edit a file
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use by Puppet: The BlackBox project (Intermediate) - Thomas A. Limoncelli, Stack Exchange
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use by Puppet: The BlackBox project (Intermediate) - Thomas A. Limoncelli, Stack Exchange
Code is open source as of TODAY
● Entirely written in bash.
● MIT License.
● Download it now:
○ https://github.com/StackExchange/blackbox
In the project’s first 9 months:
StackExchange/ServerFault has eliminated
plaintext secrets in our Puppet git repo.
● 7 SREs+Devs sharing the repo securely.
● 50+ files now stored encrypted.
○ Mostly SSL certs and SSH private keys.
● 40+ individual passwords/API keys:
○ Everything from SNMP communities, SaaS API
keys, and many many passwords.
Future plans
❏ Open source scripts.
❏ More usability enhancements.
❏ Better setup documentation.
Join the open source project
http://github.com/StackExchange/blackbox
Q&A
URLs from this talk:
https://github.com/StackExchange/blackbox
EverythingSysadmin.com
Shameless plug
Pre-order now! Save 35%
Ships in September.
informit.com/TPOSA
Discount code TPOSA35
Read “rough cuts” today:
safaribooksonline.com
Q&A
URLs from this talk:
https://github.com/StackExchange/blackbox
EverythingSysadmin.com
informit.com/TPOSA (code TPOSA35)
● Easier transition. No Puppet code changes
for big files like SSL certs.
● Faster. Zero run-time performance impact
on master.
● eyaml didn’t exist when we started.
Why didn’t we use eyaml?
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use by Puppet: The BlackBox project (Intermediate) - Thomas A. Limoncelli, Stack Exchange

More Related Content

What's hot

Who’s afraid of WinDbg
Who’s afraid of WinDbgWho’s afraid of WinDbg
Who’s afraid of WinDbg
Dror Helper
 
Debugging NET Applications With WinDBG
Debugging  NET Applications With WinDBGDebugging  NET Applications With WinDBG
Debugging NET Applications With WinDBG
Cory Foy
 
We codeil save kermit
We codeil   save kermitWe codeil   save kermit
We codeil save kermit
Victor Trakhtenberg
 
How go makes us faster (May 2015)
How go makes us faster (May 2015)How go makes us faster (May 2015)
How go makes us faster (May 2015)
Wilfried Schobeiri
 
Open source applications softwares
Open source applications softwaresOpen source applications softwares
Open source applications softwares
Tushar B Kute
 
Useful Vim Plugins
Useful Vim PluginsUseful Vim Plugins
Useful Vim Plugins
anveo
 
ProjectTox: Free as in freedom Skype replacement
ProjectTox: Free as in freedom Skype replacementProjectTox: Free as in freedom Skype replacement
ProjectTox: Free as in freedom Skype replacement
Wei-Ning Huang
 
Around the PHP Community
Around the PHP CommunityAround the PHP Community
Around the PHP Community
Ben Ramsey
 
Symfony2 - A Short Introduction
Symfony2 - A Short IntroductionSymfony2 - A Short Introduction
Symfony2 - A Short Introduction
Andy Grunwald
 
Lessons learned from Node.js - Callbacks / Promises
Lessons learned from Node.js - Callbacks / PromisesLessons learned from Node.js - Callbacks / Promises
Lessons learned from Node.js - Callbacks / Promises
Jason K Yau
 
Web socket with php v2
Web socket with php v2Web socket with php v2
Web socket with php v2
Leonardo Rifeli
 
OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014
Anant Shrivastava
 
Is rust language really safe?
Is rust language really safe? Is rust language really safe?
Is rust language really safe?
Nullbyte Security Conference
 
Profile all the things! - Capital Go 2017
 Profile all the things! - Capital Go 2017 Profile all the things! - Capital Go 2017
Profile all the things! - Capital Go 2017
John Potocny
 
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit FrameworkUnmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
egypt
 
Having fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projectsHaving fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projects
Jean-Frederic Clere
 
WeCode IL: Save Kermit
WeCode IL:  Save KermitWeCode IL:  Save Kermit
WeCode IL: Save Kermit
Victor Trakhtenberg
 
Dynomite Eureka Registry With Prana
Dynomite Eureka Registry With PranaDynomite Eureka Registry With Prana
Dynomite Eureka Registry With Prana
Diego Pacheco
 
Conhecendo o-composer-por-nandokstronet
Conhecendo o-composer-por-nandokstronetConhecendo o-composer-por-nandokstronet
Conhecendo o-composer-por-nandokstronet
Code Experts Learning
 
Who Should Use Powershell? You Should Use Powershell!
Who Should Use Powershell?  You Should Use Powershell!Who Should Use Powershell?  You Should Use Powershell!
Who Should Use Powershell? You Should Use Powershell!
Ben Finke
 

What's hot (20)

Who’s afraid of WinDbg
Who’s afraid of WinDbgWho’s afraid of WinDbg
Who’s afraid of WinDbg
 
Debugging NET Applications With WinDBG
Debugging  NET Applications With WinDBGDebugging  NET Applications With WinDBG
Debugging NET Applications With WinDBG
 
We codeil save kermit
We codeil   save kermitWe codeil   save kermit
We codeil save kermit
 
How go makes us faster (May 2015)
How go makes us faster (May 2015)How go makes us faster (May 2015)
How go makes us faster (May 2015)
 
Open source applications softwares
Open source applications softwaresOpen source applications softwares
Open source applications softwares
 
Useful Vim Plugins
Useful Vim PluginsUseful Vim Plugins
Useful Vim Plugins
 
ProjectTox: Free as in freedom Skype replacement
ProjectTox: Free as in freedom Skype replacementProjectTox: Free as in freedom Skype replacement
ProjectTox: Free as in freedom Skype replacement
 
Around the PHP Community
Around the PHP CommunityAround the PHP Community
Around the PHP Community
 
Symfony2 - A Short Introduction
Symfony2 - A Short IntroductionSymfony2 - A Short Introduction
Symfony2 - A Short Introduction
 
Lessons learned from Node.js - Callbacks / Promises
Lessons learned from Node.js - Callbacks / PromisesLessons learned from Node.js - Callbacks / Promises
Lessons learned from Node.js - Callbacks / Promises
 
Web socket with php v2
Web socket with php v2Web socket with php v2
Web socket with php v2
 
OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014
 
Is rust language really safe?
Is rust language really safe? Is rust language really safe?
Is rust language really safe?
 
Profile all the things! - Capital Go 2017
 Profile all the things! - Capital Go 2017 Profile all the things! - Capital Go 2017
Profile all the things! - Capital Go 2017
 
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit FrameworkUnmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
 
Having fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projectsHaving fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projects
 
WeCode IL: Save Kermit
WeCode IL:  Save KermitWeCode IL:  Save Kermit
WeCode IL: Save Kermit
 
Dynomite Eureka Registry With Prana
Dynomite Eureka Registry With PranaDynomite Eureka Registry With Prana
Dynomite Eureka Registry With Prana
 
Conhecendo o-composer-por-nandokstronet
Conhecendo o-composer-por-nandokstronetConhecendo o-composer-por-nandokstronet
Conhecendo o-composer-por-nandokstronet
 
Who Should Use Powershell? You Should Use Powershell!
Who Should Use Powershell?  You Should Use Powershell!Who Should Use Powershell?  You Should Use Powershell!
Who Should Use Powershell? You Should Use Powershell!
 

Viewers also liked

"Black Box for a Car" report
"Black Box for a Car" report"Black Box for a Car" report
"Black Box for a Car" report
subrat manna
 
Black box
Black boxBlack box
Black box
Sajan Sahu
 
Black box of Aircraft
Black box of AircraftBlack box of Aircraft
Black box of Aircraft
Susmit Sircar
 
Black Box
Black BoxBlack Box
Black Box
Babi Mukherjee
 
Black box
Black boxBlack box
Black box
fadysid03
 
Puppet Camp Sydney 2015: Puppet and AWS is easy right.....?
Puppet Camp Sydney 2015: Puppet and AWS is easy right.....? Puppet Camp Sydney 2015: Puppet and AWS is easy right.....?
Puppet Camp Sydney 2015: Puppet and AWS is easy right.....?
Puppet
 
State of Puppet - Puppet Camp Barcelona 2013
State of Puppet - Puppet Camp Barcelona 2013State of Puppet - Puppet Camp Barcelona 2013
State of Puppet - Puppet Camp Barcelona 2013
Puppet
 
Puppet Camp San Francisco 2015: Puppet Adoption in a Mature Environment
Puppet Camp San Francisco 2015: Puppet Adoption in a Mature EnvironmentPuppet Camp San Francisco 2015: Puppet Adoption in a Mature Environment
Puppet Camp San Francisco 2015: Puppet Adoption in a Mature Environment
Puppet
 
Puppet camp LA and Phoenix 2015: Keynote
Puppet camp LA and Phoenix 2015: Keynote Puppet camp LA and Phoenix 2015: Keynote
Puppet camp LA and Phoenix 2015: Keynote
Puppet
 
Puppet Camp Phoenix 2015: Managing Files via Puppet: Let Me Count The Ways (B...
Puppet Camp Phoenix 2015: Managing Files via Puppet: Let Me Count The Ways (B...Puppet Camp Phoenix 2015: Managing Files via Puppet: Let Me Count The Ways (B...
Puppet Camp Phoenix 2015: Managing Files via Puppet: Let Me Count The Ways (B...
Puppet
 
Puppet Camp London 2014: Chasing AMI: baking Amazon machine images with Jenki...
Puppet Camp London 2014: Chasing AMI: baking Amazon machine images with Jenki...Puppet Camp London 2014: Chasing AMI: baking Amazon machine images with Jenki...
Puppet Camp London 2014: Chasing AMI: baking Amazon machine images with Jenki...
Puppet
 
Keynote Puppet Camp San Francisco 2010
Keynote Puppet Camp San Francisco 2010Keynote Puppet Camp San Francisco 2010
Keynote Puppet Camp San Francisco 2010
Puppet
 
Web vulnerability scanner getting start
Web vulnerability scanner getting startWeb vulnerability scanner getting start
Web vulnerability scanner getting start
_U2_
 
Puppet Camp Berlin 2014: Advanced Puppet Design
Puppet Camp Berlin 2014: Advanced Puppet DesignPuppet Camp Berlin 2014: Advanced Puppet Design
Puppet Camp Berlin 2014: Advanced Puppet Design
Puppet
 
Blackbox-тестирование веб-приложений
Blackbox-тестирование веб-приложенийBlackbox-тестирование веб-приложений
Blackbox-тестирование веб-приложений
beched
 
Black Box for Machine Tools; Based on Open CNC Architecture Control Systems
Black Box for Machine Tools; Based on Open CNC Architecture Control SystemsBlack Box for Machine Tools; Based on Open CNC Architecture Control Systems
Black Box for Machine Tools; Based on Open CNC Architecture Control Systems
IDES Editor
 
LATEST EMBEDDED PROJECTS TITLES-COCKPIT WHITE BOX AUTOMATION(ECE/EEE/E&I)
LATEST EMBEDDED PROJECTS TITLES-COCKPIT WHITE BOX AUTOMATION(ECE/EEE/E&I)LATEST EMBEDDED PROJECTS TITLES-COCKPIT WHITE BOX AUTOMATION(ECE/EEE/E&I)
LATEST EMBEDDED PROJECTS TITLES-COCKPIT WHITE BOX AUTOMATION(ECE/EEE/E&I)
ASHOKKUMAR RAMAR
 
Packet sniffers
Packet sniffersPacket sniffers
Packet sniffers
Wanwen Wen
 
ECE PROJECTS ABSTRACT-COCKPIT WHITE BOX AUTOMATION SYSTEMS-AVIONICS/EMBEDDED
ECE PROJECTS ABSTRACT-COCKPIT WHITE BOX AUTOMATION SYSTEMS-AVIONICS/EMBEDDEDECE PROJECTS ABSTRACT-COCKPIT WHITE BOX AUTOMATION SYSTEMS-AVIONICS/EMBEDDED
ECE PROJECTS ABSTRACT-COCKPIT WHITE BOX AUTOMATION SYSTEMS-AVIONICS/EMBEDDED
ASHOKKUMAR RAMAR
 
Automated testing web application
Automated testing web applicationAutomated testing web application
Automated testing web application
Kiattikhun Prathumma
 

Viewers also liked (20)

"Black Box for a Car" report
"Black Box for a Car" report"Black Box for a Car" report
"Black Box for a Car" report
 
Black box
Black boxBlack box
Black box
 
Black box of Aircraft
Black box of AircraftBlack box of Aircraft
Black box of Aircraft
 
Black Box
Black BoxBlack Box
Black Box
 
Black box
Black boxBlack box
Black box
 
Puppet Camp Sydney 2015: Puppet and AWS is easy right.....?
Puppet Camp Sydney 2015: Puppet and AWS is easy right.....? Puppet Camp Sydney 2015: Puppet and AWS is easy right.....?
Puppet Camp Sydney 2015: Puppet and AWS is easy right.....?
 
State of Puppet - Puppet Camp Barcelona 2013
State of Puppet - Puppet Camp Barcelona 2013State of Puppet - Puppet Camp Barcelona 2013
State of Puppet - Puppet Camp Barcelona 2013
 
Puppet Camp San Francisco 2015: Puppet Adoption in a Mature Environment
Puppet Camp San Francisco 2015: Puppet Adoption in a Mature EnvironmentPuppet Camp San Francisco 2015: Puppet Adoption in a Mature Environment
Puppet Camp San Francisco 2015: Puppet Adoption in a Mature Environment
 
Puppet camp LA and Phoenix 2015: Keynote
Puppet camp LA and Phoenix 2015: Keynote Puppet camp LA and Phoenix 2015: Keynote
Puppet camp LA and Phoenix 2015: Keynote
 
Puppet Camp Phoenix 2015: Managing Files via Puppet: Let Me Count The Ways (B...
Puppet Camp Phoenix 2015: Managing Files via Puppet: Let Me Count The Ways (B...Puppet Camp Phoenix 2015: Managing Files via Puppet: Let Me Count The Ways (B...
Puppet Camp Phoenix 2015: Managing Files via Puppet: Let Me Count The Ways (B...
 
Puppet Camp London 2014: Chasing AMI: baking Amazon machine images with Jenki...
Puppet Camp London 2014: Chasing AMI: baking Amazon machine images with Jenki...Puppet Camp London 2014: Chasing AMI: baking Amazon machine images with Jenki...
Puppet Camp London 2014: Chasing AMI: baking Amazon machine images with Jenki...
 
Keynote Puppet Camp San Francisco 2010
Keynote Puppet Camp San Francisco 2010Keynote Puppet Camp San Francisco 2010
Keynote Puppet Camp San Francisco 2010
 
Web vulnerability scanner getting start
Web vulnerability scanner getting startWeb vulnerability scanner getting start
Web vulnerability scanner getting start
 
Puppet Camp Berlin 2014: Advanced Puppet Design
Puppet Camp Berlin 2014: Advanced Puppet DesignPuppet Camp Berlin 2014: Advanced Puppet Design
Puppet Camp Berlin 2014: Advanced Puppet Design
 
Blackbox-тестирование веб-приложений
Blackbox-тестирование веб-приложенийBlackbox-тестирование веб-приложений
Blackbox-тестирование веб-приложений
 
Black Box for Machine Tools; Based on Open CNC Architecture Control Systems
Black Box for Machine Tools; Based on Open CNC Architecture Control SystemsBlack Box for Machine Tools; Based on Open CNC Architecture Control Systems
Black Box for Machine Tools; Based on Open CNC Architecture Control Systems
 
LATEST EMBEDDED PROJECTS TITLES-COCKPIT WHITE BOX AUTOMATION(ECE/EEE/E&I)
LATEST EMBEDDED PROJECTS TITLES-COCKPIT WHITE BOX AUTOMATION(ECE/EEE/E&I)LATEST EMBEDDED PROJECTS TITLES-COCKPIT WHITE BOX AUTOMATION(ECE/EEE/E&I)
LATEST EMBEDDED PROJECTS TITLES-COCKPIT WHITE BOX AUTOMATION(ECE/EEE/E&I)
 
Packet sniffers
Packet sniffersPacket sniffers
Packet sniffers
 
ECE PROJECTS ABSTRACT-COCKPIT WHITE BOX AUTOMATION SYSTEMS-AVIONICS/EMBEDDED
ECE PROJECTS ABSTRACT-COCKPIT WHITE BOX AUTOMATION SYSTEMS-AVIONICS/EMBEDDEDECE PROJECTS ABSTRACT-COCKPIT WHITE BOX AUTOMATION SYSTEMS-AVIONICS/EMBEDDED
ECE PROJECTS ABSTRACT-COCKPIT WHITE BOX AUTOMATION SYSTEMS-AVIONICS/EMBEDDED
 
Automated testing web application
Automated testing web applicationAutomated testing web application
Automated testing web application
 

Similar to Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use by Puppet: The BlackBox project (Intermediate) - Thomas A. Limoncelli, Stack Exchange

Developing with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaDeveloping with the Go client for Apache Kafka
Developing with the Go client for Apache Kafka
Joe Stein
 
The Listening: Email Client Backdoor
The Listening: Email Client BackdoorThe Listening: Email Client Backdoor
The Listening: Email Client Backdoor
Michael Scovetta
 
Helpful pre commit hooks for Python and Django
Helpful pre commit hooks for Python and DjangoHelpful pre commit hooks for Python and Django
Helpful pre commit hooks for Python and Django
roskakori
 
Webinar: End to End Security & Operations with Chainguard and Weave GitOps
Webinar: End to End Security & Operations with Chainguard and Weave GitOpsWebinar: End to End Security & Operations with Chainguard and Weave GitOps
Webinar: End to End Security & Operations with Chainguard and Weave GitOps
Weaveworks
 
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
Linux Security  and How Web Browser Sandboxes Really Work (NDC Oslo 2017)Linux Security  and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
Patricia Aas
 
Everything you didn't know you needed
Everything you didn't know you neededEverything you didn't know you needed
Everything you didn't know you needed
Henry Schreiner
 
Us 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimesUs 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimes
Ravishankar Somasundaram
 
HKG18-203 - Overview of Linaro DRM
HKG18-203 - Overview of Linaro DRMHKG18-203 - Overview of Linaro DRM
HKG18-203 - Overview of Linaro DRM
Linaro
 
Basics of GnuPG (gpg) command in linux
Basics of GnuPG (gpg) command in linuxBasics of GnuPG (gpg) command in linux
Basics of GnuPG (gpg) command in linux
Sanjeev Kumar Jaiswal
 
OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...
OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...
OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...
NETWAYS
 
My "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails ProjectsMy "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails Projects
GR8Conf
 
Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to Exploitation
UTD Computer Security Group
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium Sandbox
Patricia Aas
 
Git ongithub
Git ongithubGit ongithub
Git ongithub
Almeda Asuncion
 
Pentester++
Pentester++Pentester++
Pentester++
CTruncer
 
First adventure within a shell - Andrea Telatin at Quadram Institute
First adventure within a shell - Andrea Telatin at Quadram InstituteFirst adventure within a shell - Andrea Telatin at Quadram Institute
First adventure within a shell - Andrea Telatin at Quadram Institute
Andrea Telatin
 
Berlinsides2017
Berlinsides2017Berlinsides2017
Berlinsides2017
aestetix
 
Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
Defense in Depth: Securing your new Kubernetes cluster from the challenges th...Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
CloudOps2005
 
12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your  CI / CD12 tricks to avoid hackers breaks your  CI / CD
12 tricks to avoid hackers breaks your CI / CD
Daniel Garcia (a.k.a cr0hn)
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)
Patricia Aas
 

Similar to Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use by Puppet: The BlackBox project (Intermediate) - Thomas A. Limoncelli, Stack Exchange (20)

Developing with the Go client for Apache Kafka
Developing with the Go client for Apache KafkaDeveloping with the Go client for Apache Kafka
Developing with the Go client for Apache Kafka
 
The Listening: Email Client Backdoor
The Listening: Email Client BackdoorThe Listening: Email Client Backdoor
The Listening: Email Client Backdoor
 
Helpful pre commit hooks for Python and Django
Helpful pre commit hooks for Python and DjangoHelpful pre commit hooks for Python and Django
Helpful pre commit hooks for Python and Django
 
Webinar: End to End Security & Operations with Chainguard and Weave GitOps
Webinar: End to End Security & Operations with Chainguard and Weave GitOpsWebinar: End to End Security & Operations with Chainguard and Weave GitOps
Webinar: End to End Security & Operations with Chainguard and Weave GitOps
 
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
Linux Security  and How Web Browser Sandboxes Really Work (NDC Oslo 2017)Linux Security  and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
 
Everything you didn't know you needed
Everything you didn't know you neededEverything you didn't know you needed
Everything you didn't know you needed
 
Us 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimesUs 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimes
 
HKG18-203 - Overview of Linaro DRM
HKG18-203 - Overview of Linaro DRMHKG18-203 - Overview of Linaro DRM
HKG18-203 - Overview of Linaro DRM
 
Basics of GnuPG (gpg) command in linux
Basics of GnuPG (gpg) command in linuxBasics of GnuPG (gpg) command in linux
Basics of GnuPG (gpg) command in linux
 
OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...
OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...
OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...
 
My "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails ProjectsMy "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails Projects
 
Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to Exploitation
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium Sandbox
 
Git ongithub
Git ongithubGit ongithub
Git ongithub
 
Pentester++
Pentester++Pentester++
Pentester++
 
First adventure within a shell - Andrea Telatin at Quadram Institute
First adventure within a shell - Andrea Telatin at Quadram InstituteFirst adventure within a shell - Andrea Telatin at Quadram Institute
First adventure within a shell - Andrea Telatin at Quadram Institute
 
Berlinsides2017
Berlinsides2017Berlinsides2017
Berlinsides2017
 
Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
Defense in Depth: Securing your new Kubernetes cluster from the challenges th...Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
 
12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your  CI / CD12 tricks to avoid hackers breaks your  CI / CD
12 tricks to avoid hackers breaks your CI / CD
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)
 

More from Puppet

Puppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepo
Puppet
 
Puppetcamp r10kyaml
Puppetcamp r10kyamlPuppetcamp r10kyaml
Puppetcamp r10kyaml
Puppet
 
2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)
Puppet
 
Puppet camp vscode
Puppet camp vscodePuppet camp vscode
Puppet camp vscode
Puppet
 
Modules of the twenties
Modules of the twentiesModules of the twenties
Modules of the twenties
Puppet
 
Applying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance codeApplying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance code
Puppet
 
KGI compliance as-code approach
KGI compliance as-code approachKGI compliance as-code approach
KGI compliance as-code approach
Puppet
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automation
Puppet
 
Keynote: Puppet camp compliance
Keynote: Puppet camp complianceKeynote: Puppet camp compliance
Keynote: Puppet camp compliance
Puppet
 
Automating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNowAutomating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNow
Puppet
 
Puppet: The best way to harden Windows
Puppet: The best way to harden WindowsPuppet: The best way to harden Windows
Puppet: The best way to harden Windows
Puppet
 
Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020
Puppet
 
Accelerating azure adoption with puppet
Accelerating azure adoption with puppetAccelerating azure adoption with puppet
Accelerating azure adoption with puppet
Puppet
 
Puppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael PinsonPuppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael Pinson
Puppet
 
ServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin ReeuwijkServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin Reeuwijk
Puppet
 
Take control of your dev ops dumping ground
Take control of your  dev ops dumping groundTake control of your  dev ops dumping ground
Take control of your dev ops dumping ground
Puppet
 
100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software
Puppet
 
Puppet User Group
Puppet User GroupPuppet User Group
Puppet User Group
Puppet
 
Continuous Compliance and DevSecOps
Continuous Compliance and DevSecOpsContinuous Compliance and DevSecOps
Continuous Compliance and DevSecOps
Puppet
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyThe Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
Puppet
 

More from Puppet (20)

Puppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepo
 
Puppetcamp r10kyaml
Puppetcamp r10kyamlPuppetcamp r10kyaml
Puppetcamp r10kyaml
 
2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)
 
Puppet camp vscode
Puppet camp vscodePuppet camp vscode
Puppet camp vscode
 
Modules of the twenties
Modules of the twentiesModules of the twenties
Modules of the twenties
 
Applying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance codeApplying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance code
 
KGI compliance as-code approach
KGI compliance as-code approachKGI compliance as-code approach
KGI compliance as-code approach
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automation
 
Keynote: Puppet camp compliance
Keynote: Puppet camp complianceKeynote: Puppet camp compliance
Keynote: Puppet camp compliance
 
Automating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNowAutomating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNow
 
Puppet: The best way to harden Windows
Puppet: The best way to harden WindowsPuppet: The best way to harden Windows
Puppet: The best way to harden Windows
 
Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020
 
Accelerating azure adoption with puppet
Accelerating azure adoption with puppetAccelerating azure adoption with puppet
Accelerating azure adoption with puppet
 
Puppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael PinsonPuppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael Pinson
 
ServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin ReeuwijkServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin Reeuwijk
 
Take control of your dev ops dumping ground
Take control of your  dev ops dumping groundTake control of your  dev ops dumping ground
Take control of your dev ops dumping ground
 
100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software
 
Puppet User Group
Puppet User GroupPuppet User Group
Puppet User Group
 
Continuous Compliance and DevSecOps
Continuous Compliance and DevSecOpsContinuous Compliance and DevSecOps
Continuous Compliance and DevSecOps
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyThe Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
 

Recently uploaded

WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
HackersList
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
Tatiana Al-Chueyr
 
The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
Shiv Technolabs
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Muhammad Ali
 
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
Neo4j
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
aakash malhotra
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
Edge AI and Vision Alliance
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
aslasdfmkhan4750
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
CEPTES Software Inc
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxRPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
SynapseIndia
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
Safe Software
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
maigasapphire
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
Zilliz
 
The importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT StandardizationThe importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT Standardization
Axel Rennoch
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc
 
Pigging Unit Lubricant Oil Blending Plant
Pigging Unit Lubricant Oil Blending PlantPigging Unit Lubricant Oil Blending Plant
Pigging Unit Lubricant Oil Blending Plant
LINUS PROJECTS (INDIA)
 

Recently uploaded (20)

WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
 
The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
 
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxRPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
 
The importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT StandardizationThe importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT Standardization
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
 
Pigging Unit Lubricant Oil Blending Plant
Pigging Unit Lubricant Oil Blending PlantPigging Unit Lubricant Oil Blending Plant
Pigging Unit Lubricant Oil Blending Plant
 

Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use by Puppet: The BlackBox project (Intermediate) - Thomas A. Limoncelli, Stack Exchange

  • 1. The BlackBox project Safely storing secrets and credentials in Git for use by Puppet Tom Limoncelli, SRE, StackExchange.com Blog: EverythingSysadmin.com
  • 3. What are secrets? Anything you don’t want exposed externally. ● SSL Certificates (the private bits) ● Passwords ● API keys
  • 6. If you store secrets in git, you’re gonna have a bad time.
  • 7. ● Laptops get stolen. ● Workstations have guest accounts ● “Circle of Trust” now includes: ○ Everyone with admin access to workstations. ■ Your desktop support people? ○ Everyone with admin access to your git server: ■ Server team, storage team, backup team ○ Everyone you collaborate with that wants read-only access to Puppet manifests.
  • 8. You have 3 bad options: 1. Deny git access. (Hurts collaboration) 2. Permit git access. (Hurts security) 3. Email individual files. (Hurts… just hurts)
  • 9. Option 4: Encrypt secret parts ● If a file contains secrets, encrypt before checking into Git. ● Need to edit a secret? ○ Decrypt - Edit - Encrypt
  • 10. What about Puppet master? ● After “git pull”, decrypt all files. ○ Automate this as part of CI. ● Files are unencrypted “at rest”. ● This does not decrease security: ○ No worse than what we were doing before. ○ If you can break into root or puppet on the master, you’ve already won.
  • 11. Easy, right? Decrypt: gpg -q --decrypt -o secret.crt secret.crt.gpg Encrypt: gpg --yes --trust-model=always --encrypt -o secret.crt.gpg $(<keynames) secret.crt
  • 12. Easy, right? Decrypt: gpg -q --decrypt -o secret.crt secret.crt.gpg Encrypt: gpg --yes --trust-model=always --encrypt -o secret.crt.gpg $(<keynames) secret.crt ● ...and don’t make any typos when entering the command ● ...and don't accidentally check in the unencrypted version
  • 13. Security is 1% technology plus 99% following the procedures correctly. Any process with more than 1 step probably won't be followed consistently most of the time. Related reading: "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0”, Alma Whitten", Usenix Security 1999
  • 14. Therefore…. we automate Introducing: Blackbox Scripts for keeping Puppet secrets in git/hg.
  • 15. User commands: Decrypt for editing: blackbox_edit_start.sh file Encrypt when done: blackbox_edit_end.sh file
  • 16. First time a file is encrypted: Enroll a file into the system: blackbox_register_new_file.sh file
  • 17. Commands that act on all GPG files: Decrypt all files: (for use on puppet master) blackbox_postdeploy.sh Re-encrypt all files: (after new users added) blackbox_update_all_files.sh
  • 18. Everyone has their own key This doesn’t use “symmetric encryption” where there is one passphrase to decrypt/encrypt all files. We maintain a keyring of: ● Each person that should have access. ● A key for the Puppet master.
  • 19. Indoctrinate a new user: 1. New user does this: ● Create GPG key. ● Add their username@host to blackbox-admins. txt ● git commit -a (Currently a doc, not a script. Patches gladly accepted.)
  • 20. Indoctrinate a new user: 2. Existing admin does this: $ gpg --import keyrings/live/pubring.gpg $ blackbox_update_all_files.sh $ git commit -a
  • 21. Demo: Edit a file
  • 22. Demo: Edit a file
  • 23. Demo: Edit a file
  • 24. Demo: Edit a file
  • 25. Demo: Edit a file
  • 26. Demo: Edit a file
  • 27. Demo: Edit a file
  • 30. Code is open source as of TODAY ● Entirely written in bash. ● MIT License. ● Download it now: ○ https://github.com/StackExchange/blackbox
  • 31. In the project’s first 9 months: StackExchange/ServerFault has eliminated plaintext secrets in our Puppet git repo. ● 7 SREs+Devs sharing the repo securely. ● 50+ files now stored encrypted. ○ Mostly SSL certs and SSH private keys. ● 40+ individual passwords/API keys: ○ Everything from SNMP communities, SaaS API keys, and many many passwords.
  • 32. Future plans ❏ Open source scripts. ❏ More usability enhancements. ❏ Better setup documentation.
  • 33. Join the open source project http://github.com/StackExchange/blackbox
  • 34. Q&A URLs from this talk: https://github.com/StackExchange/blackbox EverythingSysadmin.com
  • 35. Shameless plug Pre-order now! Save 35% Ships in September. informit.com/TPOSA Discount code TPOSA35 Read “rough cuts” today: safaribooksonline.com
  • 36. Q&A URLs from this talk: https://github.com/StackExchange/blackbox EverythingSysadmin.com informit.com/TPOSA (code TPOSA35)
  • 37. ● Easier transition. No Puppet code changes for big files like SSL certs. ● Faster. Zero run-time performance impact on master. ● eyaml didn’t exist when we started. Why didn’t we use eyaml?