The document discusses managing secrets in cloud environments, focusing on Azure Key Vault and Hashicorp Vault for secure storage, access control, and encryption of sensitive information like passwords, API tokens, and SSL certificates. It highlights the issues with secret management in applications, such as secret sprawl and access challenges, and introduces best practices for using these vault technologies effectively. Additionally, the document features a demo, comparisons between vault solutions, and strategies for integration with systems like Docker and Kubernetes.

1. Managing your Secrets in a
Cloud Environment
Taswar Bhatti
System/Solutions Architect at Gemalto (Canada)
Microsoft MVP

2. Is your personal data important?

3. Who am I
• Taswar Bhatti – Microsoft MVP since 2014
• Global Solutions Architect/System Architect at Gemalto
• In Software Industry since 2000
• I know Kung Fu (Languages)

5. Good old days robbery

6. Today’s Robbery

7. Data breach……

8. Consequences

9. System with no Trust

10. Salesman

11. Data breach??

12. Delivery

13. Agenda
• Intro
• What are we trying to solve with KeyVault?
• What is Azure Key Vault
• Using Azure Key Vault with your application
• Managed Service Identity
• Demo
• HashiCorp Vault
• Best practices
• Questions

14. So what are secrets?
• Secrets grants you AuthN or AuthZ to a system
• Examples
• Username & Passwords
• Database credentials
• API Token
• TLS Certs

15. Typical Application

16. Storing Configuration in file

17. Multiple application

18. Secret Sprawl
• Secrets ends up in
• Source Code
• Version Control Systems (Github, Gitlab, Bitbucket etc)
• Configuration Management (Chef, Puppet, Ansible etc)

20. Problems
• Configuration becomes part of deployment
• Multiple applications share the same configuration
• Hard to have access control over the configuration

21. Issues
• How do we know who has access to those secrets
• When was the last time they accessed it?
• What if we want to change/rotate the secrets

22. Desire secrets
• Encryption in rest and transit
• Only decrypted in memory
• Access control
• Rotation & Revocation

23. What is Azure Key Vault?
• Secrets Management - Azure Key Vault can be used to Securely store and
tightly control access to tokens, passwords, certificates, API keys, and other
secrets.
• Key Management - Azure Key Vault can also be used as a Key Management
solution. Azure Key Vault makes it easy to create and control the
encryption keys used to encrypt your data.
• Certificate Management - Azure Key Vault is also a service that lets you
easily provision, manage, and deploy public and private Secure Sockets
Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and
your internal connected resources.
• Store secrets backed by Hardware Security Modules - The secrets and keys
can be protected either by software or FIPS 140-2 Level 2 validates HSMs.

24. Gemalto Luna HSM (New)

25. PKCS11 Interop
• Managed .NET wrapper for unmanaged PKCS#11 libraries
• https://pkcs11interop.net/

26. Typical Application
• In web.config
<connectionStrings>
<add name="SqlDataConnection" connectionString="data
source=whatever.windows.net;initial catalog=MyDb;persist security
info=True;user
id=sa;password=P@$$w0rd;MultipleActiveResultSets=True;" />
</connectionStrings>

27. With Key Vault

31. Azure Key Vault
• Register your app with Active Directory
• Associated credential, and using that credential to get a token
• Retrieve your secrets from Key Vault
• PROBLEM SOLVED

32. Adding it back to web.config
• <add key="ClientId" value="clientid" />
• <add key="ClientSecret" value="clientsecret" />
• <!-- SecretUri is the URI for the secret in Azure Key Vault -->
• <add key="SecretUri" value="secreturi" />

33. Code that looks like this
ClientCredential clientCred = new ClientCredential(
WebConfigurationManager.AppSettings["ClientId"],
WebConfigurationManager.AppSettings["ClientSecret"]);

34. But????
• Confused??
• Isn’t that still in web.config?

35. Security doesn’t have to be like this

36. Managed Service Identity (MSI)
• MSI gives your code an automatically managed identity for
authenticating to Azure services, so that you can keep credentials out
of your code
• You create an identity for your application in Azure Active Directory
using Managed Service Identity

37. Benefits
• No need to authenticate to Azure Key Vault to get secrets
• No client id and client secret is needed in the code
• Easier to configure comparing to Azure Key Vault
• You can authenticate to any service that supports Azure AD
authentication

38. Demo

39. HSBC Hong Kong PayMe Hack

40. HashiCorp Vault
• Centralized Secret Management
• Encrypted at rest and transit
• Lease and Renewal
• ACL
• Audit Trail
• Multiple Client Auth Method (Ldap,Github, approle)
• Dynamic Secrets
• Encryption as a Service

41. Secure Secrets
• AES 256 with GCM encryption
• TLS 1.2 for clients
• No HSM is required
• One could also integrate with Azure Key Vault

42. Unsealing the Vault
• Vault requires encryption keys to encrypt data
• Shamir Secret Key Sharing
• Master key is split into multiple keys

43. Shamir Secret Sharing

44. Unseal
• Unseal Key 1: QZdnKsOyGXaWoB2viLBBWLlIpU+tQrQy49D+Mq24/V0B
• Unseal Key 2: 1pxViFucRZDJ+kpXAeefepdmLwU6QpsFZwseOIPqaPAC
• Unseal Key 3: bw+yIvxrXR5k8VoLqS5NGW4bjuZym2usm/PvCAaMh8UD
• Unseal Key 4: o40xl6lcQo8+DgTQ0QJxkw0BgS5n6XHNtWOgBbt7LKYE
• Unseal Key 5: Gh7WPQ6rWgGTBRSMecuj8PR8IM0vMIFkSZtRNT4dw5MF
• Initial Root Token: 5b781ff4-eee8-d6a1-ea42-88428a7e8815
• Vault initialized with 5 keys and a key threshold of 3. Please
• securely distribute the above keys. When the Vault is re-sealed,
• restarted, or stopped, you must provide at least 3 of these keys
• to unseal it again.
• Vault does not store the master key. Without at least 3 keys,
• your Vault will remain permanently sealed.

45. How to unseal
• vault unseal -address=${VAULT_ADDR}
QZdnKsOyGXaWoB2viLBBWLlIpU+tQrQy49D+Mq24/V0B
• vault unseal -address=${VAULT_ADDR}
bw+yIvxrXR5k8VoLqS5NGW4bjuZym2usm/PvCAaMh8UD
• vault unseal -address=${VAULT_ADDR}
Gh7WPQ6rWgGTBRSMecuj8PR8IM0vMIFkSZtRNT4dw5MF

46. Writing Secrets
• vault write -address=${VAULT_ADDR} secret/hello value=world
• vault read -address=${VAULT_ADDR} secret/hello
• Key Value
• --- -----
• refresh_interval 768h0m0s
• Value world

47. Policy on secrets
• We can assign application roles to the policy
path "secret/web/*" {
policy = "read"
}
• vault policy write -address=${VAULT_ADDR}
web-policy ${DIR}/web-policy.hcl

48. Reading secrets based on policy
• vault read -address=${VAULT_ADDR} secret/web/web-apps
• vault read -address=${VAULT_ADDR} secret/hello
• Error reading secret/hello: Error making API request.
• URL: GET http://127.0.0.1:8200/v1/secret/hello
• Code: 403. Errors:
• * permission denied

49. Docker and Secrets
• Docker does not have good integration with secrets
• If you use env variables, it will show in docker inspect

51. Mount Temp File System into App
• docker run –v /hostsecerts:/secerts ….
• To mitigate reading from Env
• Store your wrap token in the filesystem to use with vault
• Have limit time on wrap token

52. Wrap Token for App Secrets
• Limit time token
• Used to unwrap some secrets
• vault read -wrap-ttl=60s -address=http://127.0.0.1:8200
secret/weatherapp/config
• Key Value
• --- -----
• wrapping_token: 35093b2a-60d4-224d-5f16-b802c82de1e7
• wrapping_token_ttl: 1m0s
• wrapping_token_creation_time: 2017-09-06 09:29:03.4892595 +0000 UTC
• wrapping_token_creation_path: secret/weatherapp/config

53. Kubernetes with Vault
• Read Service Account JWT
• App Sends Jwt and Role Name to Vault
• Vault checks the signature of Jwt
• Sends to TokenReviewer API
• Vault sends back valid token for app

54. Token Reviewer in K8s

55. Best Practices or Patterns
• Cache Aside Encryption Key
• Tag version of encryption

56. Cache Aside Encryption Key
• Use Key Vault to Encrypt your Generated AES Key
• For all encryption of your data you can use the AES Key rather than
going back and Key Vault to encrypt
• Allows you to penny pinch KeyVault

57. Tag Version of Encryption Level
• Each Row of your database is tagged with the encryption version
• This allows you when you rotate keys or change encryption level for
example moving to a new Encryption Key to eventual encryption of
data that gets updated or new.

59. New and Updated Data

60. Advantages
• You do not have to go through all the records to re-encrypt them
• Eventual Encryption of all data to new encryption
• Mitigates the risk of all data or updating all records

61. Questions?
• taswar@gmail.com
• @taswarbhatti
• http://taswar.zeytinsoft.com

62. Credits
• For the background
• www.Vecteezy.com