3. What's a secret?
Secret: something that would increase your risk if someone else got it.
Harm: unauthorized data access, identity spoofing, private data egress, fines.
Secret vs. sensitive data:
▪ Secret: used for auth
▪ Sensitive: confidential
4. Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL database credentials, X.509 certificates, SSH credentials, and more.
Vault software engineer at HashiCorp
5. Why do secrets matter?
▪ Data breaches are a routine occurrence these days.
▪ These can result in lawsuits and fines (GDPR) for the breachee.
▪ Victims whose personal information was stolen face privacy loss and identity theft.
▪ Securing your secrets can prevent or limit the scope of breaches.
7. What's a secret?
▪ Keep track of who you told
▪ Tell as few people as possible
▪ Try not to have long-term secrets
8. How does Vault help you keep a secret?
▪ Centralized secrets
▪ Identity-based authentication
▪ Automated secret rotation
▪ Audit logs
10. Onboarding applications
All consumers of Vault secrets must solve two problems:
1. Authentication to Vault
2. Retrieval of secrets
12. Secure Introduction
How can an app prove to Vault who it is without storing a secret outside of Vault?
13. Secure Introduction: best practices
1. Don't let authentication secrets live forever
2. Distribute auth secrets securely
3. Limit exposure if auth secrets are disclosed
4. Have a break-glass procedure if an auth secret is stolen
5. Detect unauthorized access to auth secrets
14. Secure Introduction: best practices
1. Don't let secrets live forever: limited uses, short TTL
2. Distribute secrets securely
3. Limit exposure: use the principle of least privilege in your roles
4. Break-glass procedure: use the audit log and the revoke API
5. Detect unauthorized access: the app should alert if a secret is absent or no good
15. Secure Introduction: on-premises, no scheduler
Options:
1. Deploy a Vault token alongside the app
2. Deploy an approle role_id/secret_id alongside the app
3. Deploy TLS client certificates and use the cert auth method
16. Option 1: Distributing tokens
One reason you might want to do this instead of using approle: it makes it easy to use envconsul or consul-template.
If distributing tokens directly:
▪ use a token role, similar to what we do with approle roles
▪ distribute a single-use token with a short TTL
▪ use response wrapping to embed another, longer-lived token
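The app-side half of that token hand-off, as an added example (not HashiCorp's code or anything from the original deck): the app receives the short-lived, single-use wrapping token, looks it up before unwrapping to confirm it was minted at the expected path, unwraps it to get the real token, and treats any failure as a sign the wrapping token was already consumed or replaced. It assumes a token role named `myapp` (so the wrapping token's `creation_path` is `auth/token/create/myapp`), a wrap TTL of at most five minutes, and a Vault address in `addr`; it uses only the Python standard library and the Vault HTTP API endpoints `sys/wrapping/lookup` and `sys/wrapping/unwrap`.

```python
"""Consume a response-wrapped Vault token safely (added example, stdlib only).

Assumptions: a token role "myapp" exists and the operator ran something like
`vault token create -role=myapp -wrap-ttl=5m`, handing only the wrapping token
to the app. All names here are illustrative, not from the original deck.
"""
import json
import urllib.error
import urllib.request

EXPECTED_CREATION_PATH = "auth/token/create/myapp"  # assumption: token role "myapp"
MAX_WRAP_TTL = 300  # seconds; a hand-off token should not live longer than this


class SecureIntroductionError(Exception):
    """The wrapping token cannot be trusted, or was already used by someone else."""


def vault_post(addr, path, token, body=None):
    """Minimal Vault HTTP API POST; returns the parsed JSON body."""
    req = urllib.request.Request(
        f"{addr}/v1/{path}",
        data=json.dumps(body or {}).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def wrapping_lookup_problems(lookup, expected_path=EXPECTED_CREATION_PATH,
                             max_ttl=MAX_WRAP_TTL):
    """Check sys/wrapping/lookup output before unwrapping; empty list means OK.

    A wrapping token created at another path (for example an attacker wrapping
    their own payload through sys/wrapping/wrap and swapping it in) is rejected,
    as is a wrap TTL too long to be a one-shot hand-off.
    """
    data = lookup.get("data") or {}
    path = data.get("creation_path")
    ttl = data.get("creation_ttl")
    problems = []
    if path != expected_path:
        problems.append(f"creation_path {path!r} is not {expected_path!r}")
    if not isinstance(ttl, int) or not 0 < ttl <= max_ttl:
        problems.append(f"creation_ttl {ttl!r} not in (0, {max_ttl}]")
    return problems


def token_from_unwrap(unwrapped):
    """Pull the real client token out of a sys/wrapping/unwrap response.

    Returns None when the response carries no auth block, so callers can alert.
    """
    auth = unwrapped.get("auth") or {}
    token = auth.get("client_token")
    if not token:
        return None
    return {
        "token": token,
        "accessor": auth.get("accessor"),
        "ttl": auth.get("lease_duration", 0),
        "renewable": bool(auth.get("renewable")),
        "policies": list(auth.get("policies") or []),
    }


def secure_introduction(addr, wrapping_token):
    """Lookup, verify, unwrap. A failure here is a break-glass event: the
    single-use wrapping token was consumed by someone else or was tampered
    with, so alert, then use the audit log and revoke API on the accessor."""
    try:
        lookup = vault_post(addr, "sys/wrapping/lookup", wrapping_token,
                            {"token": wrapping_token})
        problems = wrapping_lookup_problems(lookup)
        if problems:
            raise SecureIntroductionError("; ".join(problems))
        unwrapped = vault_post(addr, "sys/wrapping/unwrap", wrapping_token)
    except urllib.error.HTTPError as exc:
        raise SecureIntroductionError(
            f"Vault rejected wrapping token (HTTP {exc.code}): already used?") from exc
    creds = token_from_unwrap(unwrapped)
    if creds is None:
        raise SecureIntroductionError("unwrap response carried no client_token")
    return creds
```

The lookup step does not consume the wrapping token, so it is safe to run before the single unwrap; if the unwrap itself returns an error, the token was already used, which is exactly the "detect unauthorized access" case from the best practices.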
19. Approle vs. userpass authentication
Isn't role_id just a username and secret_id a password?
Differences between approle and userpass:
▪ approle can have multiple secret_ids for each role
– give each app a role, each app instance a secret_id
▪ secret_ids can be bound to specific CIDRs
▪ secret_ids can have TTLs and limited uses
22. Review: approle
▪ Define an approle role with appropriate privileges and restrictions
▪ Bundle Vault Agent and the role_id along with your app
▪ Deliver a single-use secret_id with a short TTL to your app/Agent
▪ Agent authenticates with role_id and secret_id
▪ Agent renders secrets via template and signals your app
▪ App reads the rendered template and alerts if secrets are missing or unusable
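Both ends of that approle procedure, as an added example that is not part of the original deck or HashiCorp's code. The operator side defines the role with the restrictions from slide 19 (least-privilege policy, CIDR-bound, single-use, short-TTL secret_ids) and mints a secret_id response-wrapped so only the app can read it; the app side reads what Vault Agent renders and alerts when the secrets are missing or unusable, re-reading when Agent signals it. Assumed names: role and policy `myapp`, app subnet `10.0.5.0/24`, rendered file `/run/myapp/secrets.json` containing `db_username` and `db_password`; the approle parameter names and the `X-Vault-Wrap-TTL` header are Vault's own.

```python
"""Approle onboarding, operator side and app side (added example, stdlib only).

All names (role "myapp", policy "myapp", subnet 10.0.5.0/24, the rendered file
path and its keys) are assumptions for illustration, not from the original deck.
"""
import json
import signal
import urllib.request

REQUIRED_KEYS = ("db_username", "db_password")  # assumption: what the template renders


def approle_role_payload(policy, app_cidr, secret_id_ttl="10m",
                         token_ttl="1h", token_max_ttl="24h"):
    """Body for POST auth/approle/role/<name>: least-privilege policy, tokens
    and secret_ids bound to the app's network, secret_ids single-use and
    short-lived. Keys are Vault's approle role parameters."""
    return {
        "token_policies": [policy],
        "token_ttl": token_ttl,
        "token_max_ttl": token_max_ttl,
        "token_bound_cidrs": [app_cidr],
        "secret_id_bound_cidrs": [app_cidr],
        "secret_id_ttl": secret_id_ttl,
        "secret_id_num_uses": 1,
        "bind_secret_id": True,
    }


def vault_post(addr, path, token, body=None, wrap_ttl=None):
    """Minimal Vault HTTP API POST; X-Vault-Wrap-TTL asks Vault to response-wrap."""
    headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
    if wrap_ttl:
        headers["X-Vault-Wrap-TTL"] = wrap_ttl
    req = urllib.request.Request(f"{addr}/v1/{path}", data=json.dumps(body or {}).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return {} if resp.status == 204 else json.load(resp)


def provision_role(addr, admin_token, role, policy, app_cidr):
    """Operator: create/update the role, then mint one wrapped secret_id.
    Returns the wrapping token, which is what gets delivered to the app;
    the secret_id itself never leaves Vault in the clear."""
    vault_post(addr, f"auth/approle/role/{role}", admin_token,
               approle_role_payload(policy, app_cidr))
    wrapped = vault_post(addr, f"auth/approle/role/{role}/secret-id", admin_token,
                         wrap_ttl="5m")
    return wrapped["wrap_info"]["token"]


def rendered_secrets_problems(payload, required=REQUIRED_KEYS):
    """App: reasons the rendered template is unusable; empty list means OK."""
    if not isinstance(payload, dict):
        return ["rendered file is not a JSON object"]
    problems = []
    for key in required:
        value = payload.get(key)
        if value is None:
            problems.append(f"missing {key}")
        elif not isinstance(value, str) or not value.strip():
            problems.append(f"empty {key}")
        elif "<no value>" in value:  # consul-template's output for a failed lookup
            problems.append(f"unrendered {key}")
    return problems


class SecretsFile:
    """Holds the secrets Vault Agent rendered; Agent's template `command`
    is assumed to send this process SIGHUP after each re-render."""

    def __init__(self, path):
        self.path = path
        self.secrets = None
        if hasattr(signal, "SIGHUP"):
            signal.signal(signal.SIGHUP, lambda *_: self.reload())

    def reload(self):
        """Re-read and validate; keeps the last good secrets on failure."""
        try:
            with open(self.path) as fh:
                payload = json.load(fh)
        except (OSError, ValueError) as exc:
            self.alert(f"cannot read {self.path}: {exc}")
            return False
        problems = rendered_secrets_problems(payload)
        if problems:
            self.alert("; ".join(problems))
            return False
        self.secrets = payload
        return True

    @staticmethod
    def alert(msg):
        # Wire this to your pager: a bad or absent secret at startup means
        # secure introduction failed, and that is a break-glass signal.
        print(f"ALERT secret unusable: {msg}", flush=True)
```

On the Agent side this pairs with an approle auto-auth block whose `secret_id_response_wrapping_path` is set to `auth/approle/role/myapp/secret-id`, so Agent performs the unwrap itself and refuses a wrapping token minted anywhere else; the role_id comes from `GET auth/approle/role/myapp/role-id` and can be baked into the deployment since it is useless without a secret_id.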