The challenge of balancing the need for security with the need for usability is nothing new. Managing secrets when using configuration management tools like Chef is no exception to this rule. Add in the fact that there are multiple tools attempting to solve this problem - each with advantages and drawbacks - and the balance becomes even more precarious! This talk will provide a brief overview of secrets management and then take a deep, technical dive into one tool in particular - Chef Vault. You will walk away understanding how it works - what theories and technologies drive it - as well as how to use it and evaluate whether Chef Vault is the right tool for your particular need. You will also walk away knowing the limitations of Chef Vault - it is not the right tool for every secrets management situation - and how to evaluate whether you can safely work around those limits or need to look at another tool.
19. We will focus on Chef Vault, but we will also explore alternatives
20. Chef Vault: A Deep Dive @nellshamrell
• Sr. Software Engineer at Chef
• Core maintainer of Supermarket and Habitat
• Co-host of Foodfight Podcast
• @nellshamrell
• nshamrell@chef.io
Nell Shamrell-Harrington
22. Diagram: example infrastructure with a load balancer, a database, and App Node 1, App Node 2 and App Node 3
23. Encrypted Data bags
Workstation: a JSON file with the data to protect
$ cat my_item.json
{"db_password":"some_password"}
24. Encrypted Data bags
Workstation: generate a shared secret key (512 random bytes, base64-encoded, with the line breaks stripped so the key is a single line)
$ openssl rand -base64 512 | tr -d '\r\n' > my_key
25. Encrypted Data bags
Diagram: the workstation now holds my_key
26. Encrypted Data bags
Workstation: upload the item into a data bag
$ knife data bag from file my_databag my_item.json
Diagram: the Chef Server now holds my_databag containing my_item, with my_item_info stored as plaintext because no key was supplied
27. Encrypted Data bags
Workstation: upload the item, passing my_key as the key to encrypt the data bag item
$ knife data bag from file my_databag my_item.json --secret-file /path/to/my_key
28. Encrypted Data bags
Diagram: my_item is stored in my_databag on the Chef Server encrypted with my_key; my_key itself stays on the workstation
29-31. Encrypted Data bags
Workstation: show the data bag item, passing the same my_key as the key to decrypt it
$ knife data bag show my_databag my_item --secret-file /path/to/my_key
Diagram: the workstation receives the decrypted my_item_info
32-34. Encrypted Data bags
Diagram: workstation_1, workstation_2 and workstation_3 all work with my_databag/my_item, so each of them must hold a copy of my_key; node_1, node_2 and node_3, which also use the item, each need a copy of my_key as well
35-37. Encrypted Data bags
• Limited by need to distribute and share a key
• What if someone leaves?
• If the key is compromised on one node/workstation, data is compromised for all nodes/workstations
41-43. Chef Vault
• Originally created by Nordstrom Chefs!
• Ownership transferred to Chef in 2015
• Completely open source
• https://github.com/chef/chef-vault
44-48. Chef Vault
Diagram: node_1 and node_2 are registered with the Chef Server as node_1_client and node_2_client. Each client has a private key (key_1, key_2) that stays on the node; the Chef Server stores only the matching public keys (key_1.pub, key_2.pub)
49-52. Chef Vault
Diagram: user_1 and user_2 likewise have accounts on the Chef Server. Each user has a private key (key_3, key_4) that stays with the user; the Chef Server stores the matching public keys (key_3.pub, key_4.pub)
53-62. Chef Vault
Diagram sequence: how a vault item is encrypted and decrypted
• A vault (my_vault) holds an item (my_item)
• my_item is encrypted with a randomly generated shared_key
• user_1 and node_1 are given access to the item
• A copy of shared_key is made for each of them: user_1's copy is encrypted with key_3 (user_1's public key, key_3.pub on the Chef Server) and node_1's copy with key_1 (node_1's public key, key_1.pub)
• The encrypted item and the encrypted copies of shared_key are stored on the Chef Server; the plaintext shared_key is not
• To read the item, node_1 decrypts its copy of shared_key with its private key_1, then decrypts my_item with the recovered shared_key
• user_1 does the same with private key_3; neither can decrypt the other's copy
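The flow in slides 53-62 above, as an added example in Ruby that is not part of the talk and not chef-vault's own code: it models an encrypted data bag (one shared secret copied to every reader) next to a Chef Vault item (a random shared_key wrapped once per recipient with that recipient's RSA public key), then shows what removing a user leaves behind and why a fresh shared_key is what finally makes a removed principal's old copy worthless. Function names, the constructed sample item, the SHA-256 derivation of the data bag key from the base64 secret, and the RSA padding used to wrap shared_key are assumptions of this example, not the chef-vault gem's on-disk format.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Symmetric layer: aes-256-cbc with a random IV, producing the same kind of
# "cipher"/"encrypted_data" fields that an unauthorized `knife vault show` prints.
def aes_encrypt(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  c.key = key
  iv = c.random_iv
  { 'cipher' => 'aes-256-cbc',
    'iv' => Base64.strict_encode64(iv),
    'encrypted_data' => Base64.strict_encode64(c.update(plaintext) + c.final) }
end

def aes_decrypt(key, blob)
  c = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  c.key = key
  c.iv = Base64.strict_decode64(blob['iv'])
  c.update(Base64.strict_decode64(blob['encrypted_data'])) + c.final
end

# --- Encrypted data bag model: one secret file (my_key) copied to every reader ---
# Assumption: the base64 secret is hashed to a 32-byte AES key. Anyone holding
# the secret, on any workstation or node, decrypts every item the same way.
def data_bag_encrypt(secret, item)
  aes_encrypt(OpenSSL::Digest::SHA256.digest(secret), JSON.generate(item))
end

def data_bag_decrypt(secret, blob)
  JSON.parse(aes_decrypt(OpenSSL::Digest::SHA256.digest(secret), blob))
end

# --- Chef Vault model: shared_key wrapped once per authorized user/client ---
# Each principal owns an RSA key pair; only the public half is on the Chef Server.
def principal(name)
  rsa = OpenSSL::PKey::RSA.new(2048)
  { name: name, private: rsa, public: rsa.public_key }
end

# Models `knife vault create`: encrypt the item with a fresh shared_key, then
# store one RSA-encrypted copy of shared_key per recipient in my_item_keys.
# The plaintext shared_key is never stored.
def vault_create(item, recipients)
  shared_key = OpenSSL::Random.random_bytes(32)
  keys = recipients.each_with_object({}) do |p, h|
    h[p[:name]] = Base64.strict_encode64(p[:public].public_encrypt(shared_key))
  end
  { 'my_item' => aes_encrypt(shared_key, JSON.generate(item)), 'my_item_keys' => keys }
end

# A principal unwraps its own copy of shared_key with its private key, then
# decrypts the item. Returns nil when no copy exists for it (not authorized).
def vault_read(vault, p)
  wrapped = vault['my_item_keys'][p[:name]]
  return nil if wrapped.nil?
  shared_key = p[:private].private_decrypt(Base64.strict_decode64(wrapped))
  JSON.parse(aes_decrypt(shared_key, vault['my_item']))
end

# Models `knife vault remove`: only that principal's wrapped copy is deleted;
# the item and the other copies stay exactly as they were.
def vault_remove(vault, name)
  { 'my_item' => vault['my_item'],
    'my_item_keys' => vault['my_item_keys'].reject { |k, _| k == name } }
end

# True if a wrapped copy saved from an older vault still opens a newer one.
# After re-keying (a new shared_key) a stale copy unwraps the wrong key.
def stale_copy_reads?(old_vault, new_vault, p)
  mixed = { 'my_item' => new_vault['my_item'], 'my_item_keys' => old_vault['my_item_keys'] }
  vault_read(mixed, p).is_a?(Hash)
rescue StandardError # bad padding or unparseable bytes: the old copy is useless
  false
end

def demo
  item = { 'id' => 'my_item', 'db_password' => 'some_password' } # constructed sample
  secret = Base64.strict_encode64(OpenSSL::Random.random_bytes(512)) # like `openssl rand -base64 512`
  bag = data_bag_encrypt(secret, item)

  user_1, node_1, node_2 = %w[user_1 node_1 node_2].map { |n| principal(n) }
  vault   = vault_create(item, [user_1, node_1]) # -A "user_1,node_1"
  removed = vault_remove(vault, 'user_1')
  rekeyed = vault_create(item, [node_1])         # fresh shared_key, node_1 only
  {
    data_bag_roundtrip:     data_bag_decrypt(secret, bag)['db_password'],
    node_1_reads:           vault_read(vault, node_1)['db_password'],
    user_1_reads:           vault_read(vault, user_1)['db_password'],
    node_2_reads:           vault_read(vault, node_2),   # no copy for node_2: nil
    user_1_after_removal:   vault_read(removed, user_1), # copy deleted: nil
    stale_copy_after_rekey: stale_copy_reads?(vault, rekeyed, user_1)
  }
end

puts JSON.pretty_generate(demo) if $PROGRAM_NAME == __FILE__
```

Run it with `ruby vault_layers.rb`. The point to take from the output is the difference between the two models: in the data bag model there is one key and nothing per recipient, so revoking one reader means re-keying and redistributing to everyone; in the vault model revoking user_1 is a deletion of one wrapped copy, but a copy user_1 already holds still unwraps the old shared_key, which is why the item must be re-keyed before the removal is complete.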
63. Chef Vault uses layers of encryption to balance security and usability
64. Chef Vault
Diagram: the Chef Server with node_1, node_2, user_1 and user_2
65. Creating a Vault
Workstation: install Chef Vault
$ gem install chef-vault
66-72. Creating a Vault
Workstation: create the vault, building up the command one option at a time
$ knife vault create my_vault my_item -A "user_1,user_2,node_1,node_2" -M client -J ./my_item.json
-A: the users and nodes with access to the vault
-M: mode (client or solo)
-J: the file with the data
Diagram: the Chef Server now holds my_vault with two items, my_item (the encrypted data) and my_item_keys (the authorized keys, one encrypted copy of the shared key per user/node listed in -A)
73-74. Viewing a Vault
Workstation (authorized): show the vault item
$ knife vault show my_vault my_item
db_password: some_password
id: my_item
75. Viewing a Vault
Unauthorized workstation: the same command returns only the encrypted form
$ knife vault show my_vault my_item
db_password:
cipher: aes-256-cbc
encrypted_data: dsiBtNHX8Sbis42yKuYBvbdNXPpu8bQfJrS20op7zoysfR8roFlzpVHyoaG24yb3
77-81. Using a Vault in a Recipe
metadata.rb
gem 'chef-vault'
recipe.rb
# Install the chef-vault gem into Chef's own Ruby at compile time, so the
# require below succeeds while the recipe is being compiled
chef_gem 'chef-vault' do
  compile_time true if respond_to?(:compile_time)
end
require 'chef-vault'
# chef_vault_item is the helper from the chef-vault cookbook: it loads my_item
# from my_vault and decrypts it with this node's client key
vault = chef_vault_item('my_vault', 'my_item')
# The item was created from my_item.json, so its key is db_password.
# node.set was current when this talk was given; later Chef releases
# deprecated it in favour of node.default / node.normal
node.set['database']['password'] = vault['db_password']
83. Editing a Vault
Workstation: edit the vault item (my_item and my_item_keys in my_vault)
$ knife vault edit my_vault my_item
84. Adding a User or Node
Workstation: add a user or node to the vault item's authorized keys
$ knife vault update my_vault my_item -A "new-username"
85. Removing a User or Node
Workstation: remove a user or node from the vault item's authorized keys
$ knife vault remove my_vault my_item -A "some_user"
86. Refreshing Keys
Workstation: refresh the user/node keys held in my_item_keys
$ knife vault refresh my_vault my_item
87-90. Destroying a Vault
Workstation: delete the vault item (removes my_item and my_item_keys from my_vault)
$ knife vault delete my_vault my_item
Workstation: then delete the now-empty data bag to destroy the vault itself
$ knife data bag delete my_vault
98-99. Chef Vault
• Adding new nodes requires human intervention
• Not compatible with autoscaling groups
• Could theoretically have one node keep all keys and distribute those - but that is a major security risk
100. Chef Vault
• No audit logs of access
102-103. Chef Vault
• Alternatives
• Hashicorp Vault (https://www.vaultproject.io)
• Citadel (https://github.com/poise/citadel)
106-108. Considerations
• Where is your infrastructure? (Citadel is AWS only)
• Do you need autoscaling groups? (Chef Vault is not a good fit)
• Do you want dynamic secrets? (Hashicorp vault is your best bet)
112. Nell Shamrell-Harrington, @nellshamrell, nshamrell@chef.io