Introduction of using Hashicorp Vault with your NodeJS Application. How to store your secrets when using a cloud application in nodejs. Meetup in Austin Texas May 2019 (https://www.meetup.com/austinnodejs/events/srwjzqyzhbtb/)

1. Using vault for your NodeJS Secrets
Taswar Bhatti – System/Solutions Architect
Gemalto / Thales

2. Secrets
•

3. About me
• Taswar Bhatti (Microsoft MVP)
• @taswarbhatti
• http://taswar.zeytinsoft.com
• Gemalto / Thales (System Solutions Architect)
• I know Kung Fu Languages)

4. In Canada, Ottawa

5. What are secrets?
• So what are secrets????

6. Craving of 3 am Tacos Secrets

7. So what are secrets?
• Secrets grants you AuthN or AuthZ to a system
• Examples
• Username & Passwords
• Database credentials
• API Token
• TLS Certs

8. Secrets allows you to enter

9. Today’s Secret Sprawl
• Secrets ends up in
• Source Code
• Version Control Systems (Github, Gitlab, Bitbucket etc)
• Configuration Management (Chef, Puppet, Ansible etc)

10. Issues
• How do we know who has access to those secrets
• When was the last time they accessed it?
• What if we want to change/rotate the secrets

11. Desire secrets
• Encryption in rest and transit
• Only decrypted in memory
• Access control
• Rotation & Revocation

12. Secure Secrets
• AES 256 with GCM encryption
• TLS 1.2 for clients
• No HSM is required

13. Secret Management - Vault
• Centralized Secret Management
• Encrypted at rest and transit
• Lease and Renewal
• ACL
• Audit Trail
• Multiple Client Auth Method (Ldap,Github, approle)
• Dynamic Secrets
• Encryption as a Service

14. Dynamic Secrets
• Allows one to lease a secret for a period of time e.g 2 hrs
• Generates on demand and unique for each user/consumption
• Audit trail
• E.g. database connection strings as dynamic secrets

15. Unsealing the Vault
• Vault requires encryption keys to encrypt data
• Shamir Secret Key Sharing
• Master key is split into multiple keys

16. Shamir Secret Sharing

17. Unseal
• Unseal Key 1: QZdnKsOyGXaWoB2viLBBWLlIpU+tQrQy49D+Mq24/V0B
• Unseal Key 2: 1pxViFucRZDJ+kpXAeefepdmLwU6QpsFZwseOIPqaPAC
• Unseal Key 3: bw+yIvxrXR5k8VoLqS5NGW4bjuZym2usm/PvCAaMh8UD
• Unseal Key 4: o40xl6lcQo8+DgTQ0QJxkw0BgS5n6XHNtWOgBbt7LKYE
• Unseal Key 5: Gh7WPQ6rWgGTBRSMecuj8PR8IM0vMIFkSZtRNT4dw5MF
• Initial Root Token: 5b781ff4-eee8-d6a1-ea42-88428a7e8815
• Vault initialized with 5 keys and a key threshold of 3. Please
• securely distribute the above keys. When the Vault is re-sealed,
• restarted, or stopped, you must provide at least 3 of these keys
• to unseal it again.
• Vault does not store the master key. Without at least 3 keys,
• your Vault will remain permanently sealed.

18. How to unseal
• vault unseal -address=${VAULT_ADDR}
QZdnKsOyGXaWoB2viLBBWLlIpU+tQrQy49D+Mq24/V0B
• vault unseal -address=${VAULT_ADDR}
bw+yIvxrXR5k8VoLqS5NGW4bjuZym2usm/PvCAaMh8UD
• vault unseal -address=${VAULT_ADDR}
Gh7WPQ6rWgGTBRSMecuj8PR8IM0vMIFkSZtRNT4dw5MF

20. Writing Secrets as Key Vaulue
• vault kv put secret/hello value=world
• vault kv get secret/hello
• vault kv delete secret/hello

22. Policy on secrets
• We can assign application roles to the policy
path "secret/web/*" {
policy = "read"
}
• vault policy write -address=${VAULT_ADDR}
web-policy ${DIR}/web-policy.hcl

23. Reading secrets based on policy
• vault read -address=${VAULT_ADDR} secret/web/web-apps
• vault read -address=${VAULT_ADDR} secret/hello
• Error reading secret/hello: Error making API request.
• URL: GET http://127.0.0.1:8200/v1/secret/hello
• Code: 403. Errors:
• * permission denied

24. Docker Environment VAR
• Issues with env variables
• var apiKey = process.env.apiKey
• sudo docker run -d -t -i -e APIKEY=‘1234'
-e POSTGRES_ENV_POSTGRES_PASSWORD='foo'

26. Mount Temp File System into App
• docker run –v /hostsecerts:/secerts ….
• To mitigate reading from Env
• Store your wrap token in the filesystem to use with vault
• Have limit time on wrap token

27. Wrap Token for App Secrets
• Limit time token
• Used to unwrap some secrets
• vault read -wrap-ttl=60s -address=http://127.0.0.1:8200
secret/weatherapp/config
• Key Value
• --- -----
• wrapping_token: 35093b2a-60d4-224d-5f16-b802c82de1e7
• wrapping_token_ttl: 1m0s
• wrapping_token_creation_time: 2017-09-06 09:29:03.4892595 +0000 UTC
• wrapping_token_creation_path: secret/weatherapp/config

28. App Roles
• Allows machines or apps to authenticate with Vault
• Using a role_id and secret_id as credentials
• Assign polices to the app
• Once logged in you get back a token to get secrets

29. Kubernetes with Vault
• Read Service Account JWT
• App Sends Jwt and Role Name to Vault
• Vault checks the signature of Jwt
• Sends to TokenReviewer API
• Vault sends back valid token for app

31. Thankyou
• Contact me (taswar@gmail.com)
• @taswarbhatti