The challenge of balancing the need for security with the need for usability is nothing new. Managing secrets when using configuration management tools like Chef is no exception to this rule. Add in the fact that there are multiple tools attempting to solve this problem - each with advantages and drawbacks - and the balance becomes even more precarious! This talk will provide a brief overview of secrets management and then take a deep, technical dive into one tool in particular - Chef Vault. You will walk away understanding how it works - what theories and technologies drive it - as well as how to use it and evaluate whether Chef Vault is the right tool for your particular need. You will also walk away knowing the limitations of Chef Vault - it is not the right tool for every secrets management situation - and how to evaluate whether you safely can work around those limits or need to look at another tool.

1. Chef Vault: A Deep Dive
Nell Shamrell-Harrington
@nellshamrell
Chef Conf 2017

2. What do I do when I need
to share static information
among my nodes?

3. Chef Vault: A Deep Dive @nellshamrell
App Node 1 App Node 2

4. Chef Vault: A Deep Dive @nellshamrell
Database
App Node 1 App Node 2

5. Chef Vault: A Deep Dive @nellshamrell
Load Balancer
Database
App Node 1 App Node 2

6. Chef Vault: A Deep Dive @nellshamrell
Load Balancer
Database
App Node 1 App Node 2

7. Chef Vault: A Deep Dive @nellshamrell
Load Balancer
Database
App Node 1 App Node 2App Node 3

8. Use a data bag!

9. What if that information
needs to be encrypted?

10. It’s a little more
complicated…

11. Secrets management systems
must find a balance between
security and usability

12. Preventing unauthorized
access is only half of
managing security

13. Security must also enable
authorized users to access
what they need when
they need it

14. A system that is secure
but unusable is
inherently insecure

15. When choosing a secret
management tool, you
must understand…

16. 1. Your own environment

17. 1. Your own environment
2. The capabilities and
limits of the tool

18. No tool is one
size fits all.

19. We will focus on Chef
Vault, but we will also
explore alternatives

20. Chef Vault: A Deep Dive @nellshamrell
• Sr. Software Engineer at Chef
• Core maintainer of Supermarket and Habitat
• Co-host of Foodfight Podcast
• @nellshamrell
• nshamrell@chef.io
Nell Shamrell-Harrington

21. Encrypted Data bags

22. Chef Vault: A Deep Dive @nellshamrell
Load Balancer
Database
App Node 1 App Node 2App Node 3

23. Chef Vault: A Deep Dive @nellshamrell
Encrypted Data bags
$ cat my_item.json
{“db_password”:“some_password”}
Workstation
JSON file with data

24. Chef Vault: A Deep Dive @nellshamrell
$ openssl rand -base64 512 | tr -d 'rn' > my_key
Workstation
Generates a key
Encrypted Data bags

25. Chef Vault: A Deep Dive @nellshamrell
$
Workstation
my_key
Encrypted Data bags

26. Chef Vault: A Deep Dive @nellshamrell
my_databag
$ knife data bag from file my_databag my_item.json
Workstation
my_key
my_item_info
my_item
Creates data bag
Encrypted Data bags

27. Chef Vault: A Deep Dive @nellshamrell
$ knife data bag from file my_databag my_item.json
--secret-file /path/to/my_key
Workstation
my_key
my_databag
my_item
my_key
Encrypted Data bags
Key to
encrypt
data bag

28. Chef Vault: A Deep Dive @nellshamrell
$
my_key
Workstation
my_key
my_databag
my_item
Encrypted Data bags

29. Chef Vault: A Deep Dive @nellshamrell
$ knife data bag show my_databage my_item
—secret-file /path/to/my_key
Workstation
my_key
my_key
my_databag
my_item
Encrypted Data bags
Shows data bag

30. Chef Vault: A Deep Dive @nellshamrell
$ knife data bag show my_databage my_item
—secret-file /path/to/my_key
Workstation
my_key
my_key
my_databag
my_item
Encrypted Data bags
Key to
decrypt
data bag

31. Chef Vault: A Deep Dive @nellshamrell
Workstation
my_key
my_databag
my_item
my_item_info
$ knife data bag show my_databage my_item
—secret-file /path/to/my_key
Encrypted Data bags

32. Chef Vault: A Deep Dive @nellshamrell
workstation_1 workstation_2 workstation_3
my_databag
my_item
Encrypted Data bags

33. Chef Vault: A Deep Dive @nellshamrell
workstation_1 workstation_2 workstation_3
my_key my_key my_key
my_databag
my_item
Encrypted Data bags

34. Chef Vault: A Deep Dive @nellshamrell
workstation_1 workstation_2 workstation_3
my_key my_key my_key
node_1
my_key
node_2
my_key
node_3
my_key
my_databag
my_item
Encrypted Data bags

35. Chef Vault: A Deep Dive @nellshamrell
• Limited by need to distribute and
share a key
Encrypted Data bags

36. Chef Vault: A Deep Dive @nellshamrell
• Limited by need to distribute and
share a key
• What if someone leaves?
Encrypted Data bags

37. Chef Vault: A Deep Dive @nellshamrell
• Limited by need to distribute and share
a key
• What if someone leaves?
• If the key is compromised on one
node/workstation, data is compromised
for all nodes/workstations
Encrypted Data bags

38. Key rotation is hard…

39. …but it’s not impossible

40. Chef Vault is one
approach to solving
this problem

41. Chef Vault: A Deep Dive @nellshamrell
• Originally created by Nordstrom Chefs!
Chef Vault

42. Chef Vault: A Deep Dive @nellshamrell
• Originally created by Nordstrom Chefs!
• Ownership transferred to Chef in 2015
Chef Vault

43. Chef Vault: A Deep Dive @nellshamrell
• Originally created by Nordstrom Chefs!
• Ownership transferred to Chef in 2015
• Completely open source
• https://github.com/chef/chef-vault
Chef Vault

44. Chef Vault: A Deep Dive @nellshamrell
Chef Vault
Chef Server

45. Chef Vault: A Deep Dive @nellshamrell
Chef Server
node_2
node_1
Chef Vault

46. Chef Vault: A Deep Dive @nellshamrell
Chef Server
node_1
node_2
node_1_client
node_2_client
Chef Vault

47. Chef Vault: A Deep Dive @nellshamrell
Chef Server
node_1
node_2
key_1
key_2
Chef Vault
node_1_client
node_2_client

48. Chef Vault: A Deep Dive @nellshamrell
Chef Server
node_1
node_2
key_1.pub
key_2.pub
key_1
key_2
Chef Vault
node_1_client
node_2_client

49. Chef Vault: A Deep Dive @nellshamrell
Chef Server
user_1
user_2
Chef Vault

50. Chef Vault: A Deep Dive @nellshamrell
Chef Server
user_1
user_2
user_1
user_2
Chef Vault

51. Chef Vault: A Deep Dive @nellshamrell
Chef Server
user_1
user_2
user_1
user_2
key_3
key_4
Chef Vault

52. Chef Vault: A Deep Dive @nellshamrell
Chef Server
user_1
user_2
user_1
user_2
key_3.pub
key_4.pub
key_3
key_4
Chef Vault

53. Chef Vault: A Deep Dive @nellshamrell
my_vault
my_item
Chef Vault

54. Chef Vault: A Deep Dive @nellshamrell
my_vault
my_item
shared_key
Chef Vault

55. Chef Vault: A Deep Dive @nellshamrell
my_vault
my_item
user_1 node_1
shared_key
Chef Vault

56. Chef Vault: A Deep Dive @nellshamrell
my_vault
my_item
user_1
key_3
node_1
key_1
shared_key
Chef Vault

57. Chef Vault: A Deep Dive @nellshamrell
my_vault
my_item
user_1
key_3
node_1
shared_key
copy
shared_key
copy
key_1
shared_key
Chef Vault

58. Chef Vault: A Deep Dive @nellshamrell
my_vault
my_item
user_1
key_3
node_1
shared_key
copy
shared_key
copy
key_1key_3
key_1
shared_key
Chef Vault

59. Chef Vault: A Deep Dive @nellshamrell
my_vault
my_item
user_1
key_3
node_1
shared_key
copy
shared_key
copy
key_1
key_1
shared_key
Decrypts
Chef Vault

60. Chef Vault: A Deep Dive @nellshamrell
my_vault
my_item
user_1
key_3
node_1
shared_key
copy
shared_key
copy
key_1
key_1
Chef Vault
Decrypts

61. Chef Vault: A Deep Dive @nellshamrell
my_vault
my_item
user_1
key_3
node_1
shared_key
copy
shared_key
copy
key_1
Chef Vault
Decrypts

62. Chef Vault: A Deep Dive @nellshamrell
my_vault
my_item
user_1
key_3
node_1
shared_key
copy
shared_key
copy
key_1
Chef Vault
Decrypts

63. Chef Vault uses layers of
encryption to balance
security and usability

64. Chef Vault: A Deep Dive @nellshamrell
Chef Server
node_1
node_2
user_1
user_2
Chef Vault

65. Chef Vault: A Deep Dive @nellshamrell
Creating a Vault
Workstation
$ gem install chef-vault
Installs Chef Vault

66. Chef Vault: A Deep Dive @nellshamrell
Creating a Vault
Workstation
$ knife vault create my_vault my_item
Creates vault

67. Chef Vault: A Deep Dive @nellshamrell
Creating a Vault
$ knife vault create my_vault my_item
-A “user_1,user_2”
Workstation
Users with access to vault

68. Chef Vault: A Deep Dive @nellshamrell
Creating a Vault
$ knife vault create my_vault my_item
-A “user_1,user_2,node_1,node_2”
Workstation
Nodes with access to vault

69. Chef Vault: A Deep Dive @nellshamrell
Creating a Vault
$ knife vault create my_vault my_item
-A “user_1,user_2,node_1,node_2” -M client
Workstation
Mode (client or solo)

70. Chef Vault: A Deep Dive @nellshamrell
Creating a Vault
$ knife vault create my_vault my_item
-A “user_1,user_2,node_1,node_2” -M client -J ./
my_item.json
Workstation
File with data

71. Chef Vault: A Deep Dive @nellshamrell
Creating a Vault
Workstation
my_vault
my_item
$ knife vault create my_vault my_item
-A “user_1,user_2,node_1,node_2” -M client -J ./
my_item.json

72. Chef Vault: A Deep Dive @nellshamrell
Creating a Vault
Workstation
my_vault
my_item my_item_keys
Authorized keys
$ knife vault create my_vault my_item
-A “user_1,user_2,node_1,node_2” -M client -J ./
my_item.json

73. Chef Vault: A Deep Dive @nellshamrell
Creating a Vault
$ knife vault show my_vault my_item
Workstation
my_vault
my_item my_item_keys
Shows vault

74. Chef Vault: A Deep Dive @nellshamrell
Viewing a Vault
$ knife vault show my_vault my_item
db_password: some_password
id: my_item
Workstation

75. Chef Vault: A Deep Dive @nellshamrell
Viewing a Vault
$ knife vault show my_vault my_item
db_password:
cipher: aes-256-cbc
encrypted_data:
dsiBtNHX8Sbis42yKuYBvbdNXPpu8bQfJrS20op7zoys
fR8roFlzp
VHyoaG2
4yb3
Unauthorized Workstation

76. Using Chef Vault

77. Chef Vault: A Deep Dive @nellshamrell
Using a Vault in a Recipe
metadata.rb
gem ‘chef-vault’

78. Chef Vault: A Deep Dive @nellshamrell
Using a Vault in a Recipe
recipe.rb
chef_gem ‘chef-vault’ do
compile_time true if respond_to?(:compile_time)
end

79. Chef Vault: A Deep Dive @nellshamrell
Using a Vault in a Recipe
chef_gem ‘chef-vault’ do
compile_time true if respond_to?(:compile_time)
end
require ‘chef-vault’
recipe.rb

80. Chef Vault: A Deep Dive @nellshamrell
Using a Vault in a Recipe
chef_gem ‘chef-vault’ do
compile_time true if respond_to?(:compile_time)
end
require ‘chef-vault’
vault = chef_vault_item(“my_vault”, “my_item”)
recipe.rb

81. Chef Vault: A Deep Dive @nellshamrell
Using a Vault in a Recipe
chef_gem ‘chef-vault’ do
compile_time true if respond_to?(:compile_time)
end
require ‘chef-vault’
vault = chef_vault_item(“my_vault”, “my_item”)
node.set[‘database’][‘password’] = vault[‘password’]
recipe.rb

82. Maintaining a Chef Vault

83. Chef Vault: A Deep Dive @nellshamrell
Editing a Vault
$ knife vault edit my_vault my_item
Workstation
my_vault
my_item my_item_keys
Edits vault

84. Chef Vault: A Deep Dive @nellshamrell
Adding a User or Node
$ knife vault update my_vault my_keys -A “new-
username”
Workstation
my_vault
my_item my_item_keys
Adds user/node

85. Chef Vault: A Deep Dive @nellshamrell
Removing a User or Node
$ knife vault remove my_vault my_item -A
“some_user”
Workstation
my_vault
my_item my_item_keys
Remove user/node

86. Chef Vault: A Deep Dive @nellshamrell
Refreshing Keys
$ knife vault refresh my_vault my_item
Workstation
my_vault
my_item my_item_keys
Refresh user/node keys

87. Chef Vault: A Deep Dive @nellshamrell
Destroying a Vault
$ knife vault delete my_vault my_item
Workstation
my_vault
my_item my_item_keys
Destroys vault item

88. Chef Vault: A Deep Dive @nellshamrell
Destroying a Vault
$ knife vault delete my_vault my_item
Workstation
my_vault

89. Chef Vault: A Deep Dive @nellshamrell
Destroying a Vault
$ knife data bag delete my_vault
Workstation
my_vault
Destroys vault

90. Chef Vault: A Deep Dive @nellshamrell
Destroying a Vault
$ knife data bag delete my_vault
Workstation

91. Real Life Example:
Supermarket

92. Chef Vault: A Deep Dive @nellshamrell
Load Balancer
Postgres
DB
App Node App Node App Node
Redis
Cache
Supermarket Production

93. Chef Vault: A Deep Dive @nellshamrell
Load Balancer
Postgres
DB
App Node App Node App Node
Redis
Cache
Supermarket Staging

94. Chef Vault: A Deep Dive @nellshamrell
apps

95. Chef Vault: A Deep Dive @nellshamrell
apps
supermarket_staging
supermarket_prod

96. Chef Vault: A Deep Dive @nellshamrell
apps
supermarket_staging
supermarket_prod
supermarket_staging_keys
supermarket_prod_keys

97. Limits of Chef Vault

98. Chef Vault: A Deep Dive @nellshamrell
• Adding new nodes requires human
intervention
• Not compatible with autoscaling
groups
Chef Vault

99. Chef Vault: A Deep Dive @nellshamrell
• Adding new nodes requires human
intervention
• Not compatible with autoscaling groups
• Could theoretically have one node
keep all keys and distribute those - but
that is a major security risk
Chef Vault

100. Chef Vault: A Deep Dive @nellshamrell
• No audit logs of access
Chef Vault

101. Chef Vault Alternatives

102. Chef Vault: A Deep Dive @nellshamrell
• Alternatives
• Hashicorp Vault (https://
www.vaultproject.io)
Chef Vault

103. Chef Vault: A Deep Dive @nellshamrell
• Alternatives
• Hashicorp Vault (https://
www.vaultproject.io)
• Citadel (https://github.com/poise/
citadel)
Chef Vault

104. Which tool is best?

105. It depends on your
needs…

106. Chef Vault: A Deep Dive @nellshamrell
• Where is your infrastructure?
(Citadel is AWS only)
Considerations

107. Chef Vault: A Deep Dive @nellshamrell
• Where is your infrastructure? (Citadel
is AWS only)
• Do you need autoscaling groups?
(Chef Vault is not a good fit)
Considerations

108. Chef Vault: A Deep Dive @nellshamrell
• Where is your infrastructure? (Citadel
is AWS only)
• Do you need autoscaling groups?
(Chef Vault is not a good fit)
• Do you want dynamic secrets?
(Hashicorp vault is your best bet)
Considerations

109. Key rotation is hard…

110. …but it’s not impossible

111. Encrypted information systems
must find a balance between
security and accessibility

112. Chef Vault: A Deep Dive @nellshamrell
• Sr. Software Engineer at Chef
• Core maintainer of Supermarket and Habitat
• Co-host of Foodfight Podcast
• @nellshamrell
• nshamrell@chef.io
Nell Shamrell-Harrington