Monday 13 March 2023
Passbolt
❑ Why passbolt?
❑ Registration / login
❑ Passbolt introduction
❑ Import keepassxc files
❑ Export to password manager
❑ Extract secrets from a bash/python script
❑ Use secrets from gitlab-ci
GOAL
2
Why passbolt?
3
❑ For several reasons:
⮚ There are many keepassxc files on the drive, and it is safer to have a single access point to all secrets (it is harder to leave NN6 with all the secrets):
WHY
4
❑ To avoid secrets in ANY script (local, gitlab-ci, jenkins, …)
WHY
5
Registration / login
6
❑ One single URL for all ENENSYS :
⮚ https://passbolt.enensys.com
⮚ https://passbolt.enensys.com/auth/login?redirect=%2Fapp%2Fusers&locale=fr-FR
URL
7
SIGN IN PROCESS
8
To access the PASSBOLT appliance, you must be invited by the admin.
If so, you will receive an email like this 🡪
SIGN IN PROCESS
9
Fill in a strong passphrase!
Valid
❑ Store the private key carefully in your local keepassxc: you will need it if you migrate your environment to another computer, and for command-line use!
SIGN IN PROCESS
10
$ cat private2.txt
-----BEGIN PGP PRIVATE KEY BLOCK-----
(…)
-----END PGP PRIVATE KEY BLOCK-----
SIGN IN PROCESS
11
Valid
SIGN IN PROCESS
12
Valid
SIGN IN PROCESS
13
Not yet in the RD group!
SIGN IN PROCESS
14
After the user has been added to the RD group
LOGIN
15
Fill in your passphrase
We are already known
We just need to sign in
https://passbolt.enensys.com/
❑ For an installation on another computer :
(RE)LOGIN
16
❑ You will need to dump your private pgp key file :
(RE)LOGIN
17
❑ Finally, retype your passphrase :
(RE)LOGIN
18
❑ Choose a color :
(RE)LOGIN
19
And that's all!
Passbolt introduction
20
21
MAIN USER INTERFACE
22
https://medevel.com/passbolt/
TOPBAR
FOLDER
GROUPS
SECRETS
SEARCH BAR
CURRENT USER
ACTION BAR
LISTS
LIST USERS
23
SEARCH A SECRET
24
VIEW A SECRET
25
VIEW A SECRET
26
EDIT
password
SHARE A SECRET
27
EXPORT A SECRET
28
❑ COPY USERNAME TO CLIPBOARD
❑ COPY PASSWORD TO CLIPBOARD
❑ DELETE
❑ COPY PERMALINK TO CLIPBOARD :
https://passbolt.enensys.com/app/passwords/view/818f39c7-bb8e-441d-851d-2148c0781702
OTHER ACTIONS
29
Import keepassxc files
30
Keepassxc 🡪 export 🡪 CSV file 🡪 import 🡪 Passbolt
Database Menu 🡪 Export 🡪 CSV File …
Export
31
Export
32
"Group","Title","Username","Password","URL","Notes","TOTP","Icon","Last Modified","Created"
(…)
PRIVATE ☺
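An added example, not part of the slides: it reads an export in the column layout shown above, drops everything under the keepassxc Recycle Bin and rows exported twice (both visible in the real dump) before the file goes into the passbolt import, and writes the cleaned CSV back. The embedded sample export is constructed with made-up values.

```python
import csv
import io

# Column layout of the keepassxc CSV export shown on the slide above.
EXPORT_COLUMNS = ["Group", "Title", "Username", "Password", "URL", "Notes",
                  "TOTP", "Icon", "Last Modified", "Created"]

# Constructed sample export (made-up values) in that layout. It reproduces the
# two things seen in the real dump: Recycle Bin entries and a row exported
# twice, plus a Notes field spanning two lines.
SAMPLE_EXPORT = '''"Group","Title","Username","Password","URL","Notes","TOTP","Icon","Last Modified","Created"
"Database/Recycle Bin","old esxi","root","deleted-pass","","","","0","2023-01-12T15:32:53Z","2023-01-12T15:32:21Z"
"Database/Hyperviseurs","srv044","enensys","pass-one","https://10.0.0.4/ui","Download vsphere @10.0.0.4
ssh password is the same","","0","2019-04-05T08:51:22Z","2019-04-05T08:50:24Z"
"Database/Demo","DATAMINER on ESXI-DEMO","enensys","pass-two","10.0.0.33","to connect via RDP","","0","2023-03-16T11:12:08Z","2023-03-16T11:10:31Z"
"Database/Demo","DATAMINER on ESXI-DEMO","enensys","pass-two","10.0.0.33","To connect via RDP","","0","2023-03-16T10:54:02Z","2023-03-16T10:50:21Z"
'''

RECYCLE_BIN = "Database/Recycle Bin"


def load_export(text):
    """Parse the export with the csv module so quoted multi-line Notes survive
    (a line-oriented grep/cut would split them)."""
    return list(csv.DictReader(io.StringIO(text)))


def is_recycled(row):
    """True for entries deleted in keepassxc (the Recycle Bin group or any subgroup)."""
    group = row["Group"]
    return group == RECYCLE_BIN or group.startswith(RECYCLE_BIN + "/")


def filter_for_import(rows):
    """Drop what should not reach the shared vault: deleted (possibly stale)
    credentials and exact duplicates (same group, title, username, password).
    Returns (kept_rows, counts_of_dropped_rows)."""
    seen = set()
    kept = []
    dropped = {"recycle_bin": 0, "duplicate": 0}
    for row in rows:
        if is_recycled(row):
            dropped["recycle_bin"] += 1
            continue
        key = (row["Group"], row["Title"], row["Username"], row["Password"])
        if key in seen:
            dropped["duplicate"] += 1
            continue
        seen.add(key)
        kept.append(row)
    return kept, dropped


def write_export(rows):
    """Serialise the kept rows back to CSV in the same quoted layout, ready for
    the passbolt import dialog."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=EXPORT_COLUMNS,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    kept, dropped = filter_for_import(load_export(SAMPLE_EXPORT))
    print(f"dropped: {dropped}")
    print(write_export(kept))
```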
Import
33
Create folders
34
35
GOOGLE CHROME & MOZILLA
FIREFOX EXTENSIONS
36
❑ Google chrome :
⮚ https://chrome.google.com/webstore/detail/passbolt-open-source-pass/didegimhafipceonhjepacocaffmoppf
❑ Firefox :
⮚ https://addons.mozilla.org/fr/firefox/addon/passbolt/
❑ https://www.passbolt.com/downloads
❑ https://github.com/passbolt/passbolt_browser_extension
❑ https://help.passbolt.com/faq/start/browser-extensions
37
38
Export to password manager
39
❑ For offline experience without access to the NN6 VPN.
Export
40
Export
41
It will download a file in the keepassxc format,
which can be opened directly with that password manager!
Passbolt
42
Extract secrets from a bash/python script
54
❑ For that purpose you will need several items:
❑ The URL of the passbolt instance/server
❑ Your user password
❑ Your user private pgp key, saved in a private_key.txt file
55
❑ Website : https://github.com/passbolt/go-passbolt-cli/releases/
GNU/Linux : wget https://github.com/passbolt/go-passbolt-cli/releases/download/v0.1.9/go-passbolt-cli_0.1.9_linux_amd64.deb && sudo dpkg -i go-passbolt-cli_0.1.9_linux_amd64.deb
Windows : wget https://github.com/passbolt/go-passbolt-cli/releases/download/v0.2.0/go-passbolt-cli_0.2.0_Windows_arm64.zip
Mac OS X : wget go-passbolt-cli_0.2.0_Darwin_x86_64.tar.gz
go-passbolt-cli
56
$ passbolt --help
A CLI tool to interact with Passbolt.
Usage:
passbolt [command]
Available Commands:
configure Configure saves the provided global flags to the Config File
create Creates a Passbolt Entity
delete Deletes a Passbolt Entity
export Exports Passbolt Data
get Gets a Passbolt Entity
help Help about any command
list Lists Passbolt Entitys
move Moves a Passbolt Entity
share Shares a Passbolt Entity
update Updates a Passbolt Entity
verify Verify Setup the Server Verification
HELP
57
Flags:
--config string Config File
--debug Enable Debug Logging
-h, --help help for passbolt
--mfaDelay duration Delay between MFA Attempts, only used in
noninteractive modes (default 10s)
--mfaMode string How to Handle MFA, the following Modes
exist: none, interactive-totp and noninteractive-totp (default "interactive-
totp")
--mfaRetrys uint How often to retry TOTP Auth, only used in
nointeractive modes (default 3)
--serverAddress string Passbolt Server Address
(https://passbolt.example.com)
--timeout duration Timeout for the Context (default 1m0s)
--totpOffset duration TOTP Generation offset only used in
noninteractive-totp mode
--totpToken string Token to generate TOTP's, only used in
nointeractive-totp mode
--userPassword string Passbolt User Password
--userPrivateKey string Passbolt User Private Key
--userPrivateKeyFile string Passbolt User Private Key File, if set then
the userPrivateKey will be Overwritten with the File Content
Use "passbolt [command] --help" for more information about a command.
$ passbolt action entity [arguments]
Action is the Action you want to perform like Creating, Updating or Deleting an Entity. Entity is a Resource(Password), Folder, User or Group that
you want to apply an action to.
PASSBOLT(1)
NAME
passbolt - A CLI tool to interact with Passbolt.
SYNOPSIS
passbolt [flags]
DESCRIPTION
A CLI tool to interact with Passbolt.
OPTIONS
--config="" Config File
--debug[=false] Enable Debug Logging
-h, --help[=false] help for passbolt
--mfaDelay=10s Delay between MFA Attempts, only used in noninteractive modes
--mfaMode="interactive-totp" How to Handle MFA, the following Modes exist: none, interactive-totp and
noninteractive-totp
MAN
58
--mfaRetrys=3 How often to retry TOTP Auth, only used in
nointeractive modes
--serverAddress="" Passbolt Server Address
(https://passbolt.example.com)
--timeout=1m0s Timeout for the Context
--totpOffset=0s TOTP Generation offset only used in
noninteractive-totp mode
--totpToken="" Token to generate TOTP's, only used in
nointeractive-totp mode
--userPassword="" Passbolt User Password
--userPrivateKey="" Passbolt User Private Key
--userPrivateKeyFile="" Passbolt User Private Key File, if set then
the userPrivateKey will be Overwritten with the File Content
❑ $ passbolt configure \
      --serverAddress https://passbolt.enensys.com \
      --userPassword ")/.u#6e*tCU*Z:mC62z%UTX'9[KV5Trge]}z%bc" \
      --userPrivateKeyFile ./private_key.txt
$ echo $?
0
❑ It is also possible to inject the private key as a variable using the --userPrivateKey parameter.
Login to passbolt
59
❑ $ passbolt get resource --id 7fffe9c3-0b52-4580-b836-af04779a972a
FolderParentID: 71679db1-bd72-403a-aa72-d6b7145a0208
Name: srv127 - LDAP server
Username: root
URI:
Password: Nxx4f37rLEvM8qWBtDhh
Description: mot de passe admin ldapd7NrZSU2AKidFZ-w3hv
Get secret
60
mypassword
$ passbolt list user
ID                                   | Username                        | FirstName | LastName   | Role
8f2154c9-89ed-4ab0-9630-701b45fb252e | antonio.dubuisson@enensys.com   | Antonio   | DUBUISSON  | user
ccaf58ef-50d6-4db1-8f8f-d875a8e00107 | benjamin.glaud@enensys.com      | Benjamin  | GLAUD      | user
52300540-9d6a-4433-85e5-07b5f85a6de4 | bertrand.guinebault@enensys.com | Bertrand  | GUINEBAULT | user
0edfaa97-1c00-46d7-a488-7f73a5f3ae81 | it@enensys.com                  | IT        | Team       | admin
6e779dbe-e43f-4c62-b3df-42372c87cde6 | thierry.gayet@enensys.com       | Thierry   | GAYET      | user
List users
61
$ passbolt list resource
ID                                   | FolderParentID                       | Name                              | Username                | URI
b27b6929-7c88-488b-9c0f-222346dd79ec | a4bc0aca-c42a-48c5-9893-ee8aff8db754 | 10.11.40.201                      | root                    |
25785c44-f90b-4ca7-9d22-1b6321aa62c7 | a4bc0aca-c42a-48c5-9893-ee8aff8db754 | 10.12.13.138                      | enensys                 |
c717623f-f1db-4dae-a9c7-d9904716f6e6 | a4bc0aca-c42a-48c5-9893-ee8aff8db754 | 10.12.2.110                       | enensys                 |
f8fa6a8c-9a3d-4578-ad69-1b7359abfccb | 135d01a7-4b36-4bcf-8b5d-975c38b9f4e4 | accès telnet aux produits modem   | root                    | 10.5.5.125
9fc49a2b-01c8-47fd-9547-b678fb15d9aa | a2f8b4ae-3755-4443-b934-e4233df0a8f3 | Admin                             | root                    | https://10.12.208.6:8006/#v1:0:18:4::::::
acd95b22-6960-4784-bcd4-6d9355413d73 | 647aaef4-303b-474b-9b1d-e1ecbd7168ab | Admin                             | root                    |
ffd9922d-01c8-4adb-b0d0-0762b5fe0e3b | 248e9319-efaf-4bc8-9b48-1981810b16b0 | Agilent Logic Analyzer a-169xxla2 | administrator           |
13dcbc82-922c-43dc-9c5a-0131b9849d74 | 88363d11-8c54-41a8-8204-cc3533d30400 | api_castlabs                      | azza.jedidi@enensys.com |
84ef23a2-f7e4-496d-9cdc-61eefc2c3bde | fb7ea891-a703-44d5-a3da-aec07db699ca | CentOS                            | enensys                 |
ee29d0d2-a466-41d8-bd13-6bfbeaa3dac1 | fb7ea891-a703-44d5-a3da-aec07db699ca | CentOS                            | root                    |
2f57a32e-1548-4321-9381-0a5ed629c6ba | 3f6aa7ad-7cfc-4011-bd3f-f8c274e3fa25 | Centos7                           | root                    | 10.5.8.180
(…)
Dump all secrets
62
Use secret from gitlab-ci
63
❑ User : passbolt.gitlab@enensys.com
(ONLY this user must be used within GITLAB-CI !)
GITLAB
64
I centralize the password and private key ; please ask me for them !
GITLAB (repo setting)
65
You MUST be an owner of the git repo
image: ubuntu:latest

stages:          # List of stages for jobs, and their order of execution
  - build

build-job:       # This job runs in the build stage, which runs first.
  stage: build
  script:
    - echo "First stage"
    - apt update
    - apt install wget -y
    - wget https://github.com/passbolt/go-passbolt-cli/releases/download/v0.2.0/go-passbolt-cli_0.2.0_linux_amd64.deb
    - dpkg -i ./go-passbolt-cli_0.2.0_linux_amd64.deb
    # The three echo lines are only for this demo: echoing $USER_PASSPHRASE
    # writes the passphrase into the job log, so drop them in a real pipeline.
    - echo $PASSBOLT_URL
    - echo $USER_PASSPHRASE
    - echo $USER_PRIVATE_KEY_FILE
    # Variables are quoted so a passphrase with special characters is passed intact.
    - passbolt configure --serverAddress "$PASSBOLT_URL" --userPassword "$USER_PASSPHRASE" --userPrivateKeyFile "$USER_PRIVATE_KEY_FILE"
    - passbolt get resource --id 7fffe9c3-0b52-4580-b836-af04779a972a
GITLAB-CI.yml
66
https://gitlab.enensys.com/training/devsecops/test-ci/-/ci/editor?branch_name=main
🡪 Just a simple example showing how to extract a secret from a gitlab-ci pipeline
67
JENKINS
68
❑ User : passbolt.jenkins@enensys.com
(ONLY this user must be used within JENKINS jobs !)
❑ Jenkins can be used in the same way as GITLAB!
JENKINS
69
❑ Within Jenkins, credentials have been created so that secrets can be extracted:
http://jenkins.enensys.com/manage/credentials/store/system/domain/_/
❑ Indeed, passbolt needs a password and a private key to extract a resource from passbolt.
70
JENKINS
❑ We can update the Jenkinsfile:
(…)
environment {
    PASSBOLT_JENKINS_PASSWORD    = credentials('11483a19-5b91-406f-bc6c-81b17952aa67')
    PASSBOLT_JENKINS_PRIVATE_KEY = credentials('a649027d-e96c-4d55-aedf-0d5d64d3f38e')
}
(…)
❑ Then, inside a script (a Makefile recipe here: the secrets are expanded by the shell through $$ and quoted so the multi-line private key is passed intact, and the last two lines are joined so KEY_TXT is still set when it is written out) we can:
# --- Getting Key from passbolt as file :
	@echo "--> Getting certificate from the NN6 passbolt ... "
	passbolt configure \
	    --serverAddress https://passbolt.enensys.com \
	    --userPassword "$${PASSBOLT_JENKINS_PASSWORD}" \
	    --userPrivateKey "$${PASSBOLT_JENKINS_PRIVATE_KEY}"
	KEY_TXT="$$(passbolt get resource --id ab56dd91-0af4-41f7-8d0c-7f5ce816a796 | grep '^Password:' | awk '{ print $$2 }')"; \
	echo "$${KEY_TXT}" > $(TARGET_DIR)/var/external_resources/key.txt
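An added example, not from the slides nor part of go-passbolt-cli, serving both the "Get secret" slide and the Jenkins recipe just above: it parses the text that "passbolt get resource" prints without cutting the password at the first space (which the grep/awk pipeline does), and writes it to a file that is created with 0600 permissions from the start. The runner hook and the sample output are assumptions so the code runs offline.

```python
import os
import re
import subprocess
import tempfile

# Constructed sample of what `passbolt get resource --id <ID>` prints, in the
# layout shown on the "Get secret" slide (made-up values, not a real secret).
SAMPLE_OUTPUT = """FolderParentID: 71679db1-bd72-403a-aa72-d6b7145a0208
Name: srv127 - LDAP server
Username: root
URI:
Password: s3cr3t with space: and colon
Description: ldap admin password
"""


def parse_resource(text):
    """Map each 'Key: value' line to a dict entry, keeping everything after the
    first ': ' so spaces and colons inside the secret survive (the slides'
    `grep Password | awk '{ print $2 }'` keeps only the first word)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):(?: (.*))?$", line)
        if m:
            fields[m.group(1)] = m.group(2) or ""
    return fields


def get_resource(resource_id, runner=None):
    """Run the CLI (after `passbolt configure`) and parse its output. `runner` is
    a hypothetical hook, not a CLI feature, so the function can be tested offline."""
    if runner is None:
        def runner(rid):
            proc = subprocess.run(["passbolt", "get", "resource", "--id", rid],
                                  check=True, capture_output=True, text=True)
            return proc.stdout
    return parse_resource(runner(resource_id))


def write_secret_file(secret, path):
    """Create `path` with mode 0600 before the secret is written, instead of
    chmod'ing afterwards, so there is no window where the file is world-readable.
    Returns the resulting permission bits as an octal string."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secret + "\n")
    return oct(os.stat(path).st_mode & 0o777)


def save_resource_password(resource_id, path, runner=None):
    """The slide's KEY_TXT step done safely: fetch, check the field exists, write 0600."""
    fields = get_resource(resource_id, runner)
    if not fields.get("Password"):
        raise ValueError(f"resource {resource_id} has no Password field")
    return write_secret_file(fields["Password"], path)


def read_secret_file(path):
    """Read a secret file back (used to verify what was written)."""
    with open(path) as f:
        return f.read().rstrip("\n")


def demo_path(name="key.txt"):
    """A path inside a fresh private temporary directory for the offline run."""
    return os.path.join(tempfile.mkdtemp(), name)


if __name__ == "__main__":
    # Offline run using the constructed sample instead of the real CLI.
    p = demo_path()
    print(save_resource_password("dummy-id", p, runner=lambda rid: SAMPLE_OUTPUT), p)
```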
71
JENKINS
❑ We can check the credentials in the Jenkins console:
72
JENKINS
DEVSECOPS
73
❑ https://blog.passbolt.com/managing-secrets-in-ansible-using-passbolt-87af031ceab6
❑ https://github.com/passbolt/lab-passbolt-ansible-poc
Ansible
74
MORE HELP
79
❑ https://fosdem.org/2023/schedule/event/passbolt/
❑ https://fosdem.org/2023/schedule/event/passbolt/attachments/slides/5956/export/events/attachments/passbolt/slides/5956/iloveyou_exe.pdf
FOSDEM
80
81
❑ https://help.passbolt.com/start/
❑ https://help.passbolt.com/discover/
❑ https://help.passbolt.com/faq/discover/
❑ https://help.passbolt.com/releases/
❑ https://www.passbolt.com/roadmap
❑ https://help.passbolt.com/faq/security/
❑ https://help.passbolt.com/faq/hosting/
❑ https://help.passbolt.com/hosting/install/ce/docker.html
HELP
82
ENENSYS
4A rue des Buttes
CS 37734
35 577 Cesson-Sévigné – France
Phone (+33) 1 70 72 51 70
Email contact@test-tree.com
www.enensys.com
83

Passbolt Introduction and Usage for secret management

  • 1. Monday 13 March 2023 Passbolt
  • 2. ❑ Why passbolt? ❑ Registration / login ❑ Passbolt introduction ❑ Import keepassxc files ❑ Export to password manager ❑ Extract secret from bash/python script ❑ Use secret from gitlab-ci GOAL 2
  • 4. ❑ For many reasons: ⮚ There are many keepassxc files on the drive, and it is safer to have a single access point to all secrets (it is also harder to leave NN6 with all the secrets): WHY 4
  • 5. ❑ To avoid secrets in ANY script (local, gitlab-ci, jenkins, …) WHY 5
  • 7. ❑ One single URL for all ENENSYS: ⮚ https://passbolt.enensys.com ⮚ https://passbolt.enensys.com/auth/login?redirect=%2Fapp%2Fusers&locale=fr-FR URL 7
  • 8. SIGN IN PROCESS 8 To access the PASSBOLT appliance, you must be invited by the admin. If so, you will receive an email like this 🡪
  • 9. SIGN IN PROCESS 9 Fill in a strong passphrase! Valid
  • 10. ❑ Store the private key carefully inside your local keepassxc, because you will need it if you migrate your environment to another computer or for command-line use! SIGN IN PROCESS 10
    $ cat private2.txt
    -----BEGIN PGP PRIVATE KEY BLOCK-----
    (…)
    -----END PGP PRIVATE KEY BLOCK-----
  • 13. SIGN IN PROCESS 13 Not yet in the RD group!
  • 14. SIGN IN PROCESS 14 After the integration of the user into the RD group
  • 15. LOGIN 15 Fill in your passphrase. We are already known; we just need to sign in. https://passbolt.enensys.com/
  • 16. ❑ For an installation on another computer: (RE)LOGIN 16
  • 17. ❑ You will need to dump your private PGP key file: (RE)LOGIN 17
  • 18. ❑ Finally, retype your passphrase: (RE)LOGIN 18
  • 19. ❑ Choose a color: (RE)LOGIN 19 And that’s all!
  • 29. ❑ COPY USERNAME TO CLIPBOARD ❑ COPY PASSWORD TO CLIPBOARD ❑ DELETE ❑ COPY PERMALINK TO CLIPBOARD: https://passbolt.enensys.com/app/passwords/view/818f39c7-bb8e-441d-851d-2148c0781702 OTHER ACTIONS 29
  • 31. Keepassxc 🡪 export 🡪 CSV file 🡪 import 🡪 Passbolt Database Menu 🡪 Export 🡪 CSV File … Export 31
  • 32. Export 32
    "Group","Title","Username","Password","URL","Notes","TOTP","Icon","Last Modified","Created"
    (…) PRIVATE ☺
  • 36. GOOGLE CHROME & MOZILLA FIREFOX EXTENSIONS 36
  • 37. ❑ Google chrome: ⮚ https://chrome.google.com/webstore/detail/passbolt-open-source-pass/didegimhafipceonhjepacocaffmoppf ❑ Firefox: ⮚ https://addons.mozilla.org/fr/firefox/addon/passbolt/ ❑ https://www.passbolt.com/downloads ❑ https://github.com/passbolt/passbolt_browser_extension ❑ https://help.passbolt.com/faq/start/browser-extensions 37
  • 39. Export to password manager 39
  • 40. ❑ For an offline experience without access to the NN6 VPN. Export 40
  • 41. Export 41 It will download a file in the keepassxc format that can be opened directly with that password manager!
  • 54. Extract secret from bash/python script 54
  • 55. ❑ For that purpose you will need several items: ❑ The URL of the passbolt instance/server ❑ Your user password ❑ Your user private PGP key saved in a private_key.txt file 55
  • 56. go-passbolt-cli 56
    ❑ Website: https://github.com/passbolt/go-passbolt-cli/releases/
    GNU/Linux:
    wget https://github.com/passbolt/go-passbolt-cli/releases/download/v0.1.9/go-passbolt-cli_0.1.9_linux_amd64.deb && sudo dpkg -i go-passbolt-cli_0.1.9_linux_amd64.deb
    Windows:
    wget https://github.com/passbolt/go-passbolt-cli/releases/download/v0.2.0/go-passbolt-cli_0.2.0_Windows_arm64.zip
    Mac OS X:
    wget go-passbolt-cli_0.2.0_Darwin_x86_64.tar.gz
  • 57. HELP 57
    $ passbolt --help
    A CLI tool to interact with Passbolt.

    Usage:
      passbolt [command]

    Available Commands:
      configure   Configure saves the provided global flags to the Config File
      create      Creates a Passbolt Entity
      delete      Deletes a Passbolt Entity
      export      Exports Passbolt Data
      get         Gets a Passbolt Entity
      help        Help about any command
      list        Lists Passbolt Entitys
      move        Moves a Passbolt Entity
      share       Shares a Passbolt Entity
      update      Updates a Passbolt Entity
      verify      Verify Setup the Server Verification

    Flags:
          --config string               Config File
          --debug                       Enable Debug Logging
      -h, --help                        help for passbolt
          --mfaDelay duration           Delay between MFA Attempts, only used in noninteractive modes (default 10s)
          --mfaMode string              How to Handle MFA, the following Modes exist: none, interactive-totp and noninteractive-totp (default "interactive-totp")
          --mfaRetrys uint              How often to retry TOTP Auth, only used in nointeractive modes (default 3)
          --serverAddress string        Passbolt Server Address (https://passbolt.example.com)
          --timeout duration            Timeout for the Context (default 1m0s)
          --totpOffset duration         TOTP Generation offset only used in noninteractive-totp mode
          --totpToken string            Token to generate TOTP's, only used in nointeractive-totp mode
          --userPassword string         Passbolt User Password
          --userPrivateKey string       Passbolt User Private Key
          --userPrivateKeyFile string   Passbolt User Private Key File, if set then the userPrivateKey will be Overwritten with the File Content

    Use "passbolt [command] --help" for more information about a command.

    $ passbolt action entity [arguments]
    Action is the Action you want to perform like Creating, Updating or Deleting an Entity.
    Entity is a Resource(Password), Folder, User or Group that you want to apply an action to.
  • 58. MAN 58
    PASSBOLT(1)

    NAME
           passbolt - A CLI tool to interact with Passbolt.

    SYNOPSIS
           passbolt [flags]

    DESCRIPTION
           A CLI tool to interact with Passbolt.

    OPTIONS
           --config=""                     Config File
           --debug[=false]                 Enable Debug Logging
           -h, --help[=false]              help for passbolt
           --mfaDelay=10s                  Delay between MFA Attempts, only used in noninteractive modes
           --mfaMode="interactive-totp"    How to Handle MFA, the following Modes exist: none, interactive-totp and noninteractive-totp
           --mfaRetrys=3                   How often to retry TOTP Auth, only used in nointeractive modes
           --serverAddress=""              Passbolt Server Address (https://passbolt.example.com)
           --timeout=1m0s                  Timeout for the Context
           --totpOffset=0s                 TOTP Generation offset only used in noninteractive-totp mode
           --totpToken=""                  Token to generate TOTP's, only used in nointeractive-totp mode
           --userPassword=""               Passbolt User Password
           --userPrivateKey=""             Passbolt User Private Key
           --userPrivateKeyFile=""         Passbolt User Private Key File, if set then the userPrivateKey will be Overwritten with the File Content
  • 59. Login to passbolt 59
    ❑ $ passbolt configure --serverAddress https://passbolt.enensys.com --userPassword ")/.u#6e*tCU*Z:mC62z%UTX'9[KV5Trge]}z%bc" --userPrivateKeyFile ./private_key.txt
    $ echo $?
    0
    ❑ It is also possible to inject the private key as a variable using the --userPrivateKey parameter.
  • 60. Get secret 60
    ❑ $ passbolt get resource --id 7fffe9c3-0b52-4580-b836-af04779a972a
    FolderParentID: 71679db1-bd72-403a-aa72-d6b7145a0208
    Name: srv127 - LDAP server
    Username: root
    URI:
    Password: Nxx4f37rLEvM8qWBtDhh
    Description: mot de passe admin ldapd7NrZSU2AKidFZ-w3hv
    mypassword
  • 61. List users 61
    $ passbolt list user
    ID                                   | Username                        | FirstName | LastName   | Role
    8f2154c9-89ed-4ab0-9630-701b45fb252e | antonio.dubuisson@enensys.com   | Antonio   | DUBUISSON  | user
    ccaf58ef-50d6-4db1-8f8f-d875a8e00107 | benjamin.glaud@enensys.com      | Benjamin  | GLAUD      | user
    52300540-9d6a-4433-85e5-07b5f85a6de4 | bertrand.guinebault@enensys.com | Bertrand  | GUINEBAULT | user
    0edfaa97-1c00-46d7-a488-7f73a5f3ae81 | it@enensys.com                  | IT        | Team       | admin
    6e779dbe-e43f-4c62-b3df-42372c87cde6 | thierry.gayet@enensys.com       | Thierry   | GAYET      | user
  • 62. Dump all secrets 62
    $ passbolt list resource
    ID | FolderParentID | Name | Username | URI
    (…)
  • 63. Use secret from gitlab-ci 63
  • 64. ❑ User: passbolt.gitlab@enensys.com (ONLY this user must be used within GITLAB-CI!) GITLAB 64 I centralize the password and private key; please ask me for them!
  • 65. GITLAB (repo setting) 65 You MUST be the owner of the git repo
  • 66. GITLAB-CI.yml 66
    image: ubuntu:latest

    stages:   # List of stages for jobs, and their order of execution
      - build

    build-job:   # This job runs in the build stage, which runs first.
      stage: build
      script:
        - echo "First stage"
        - apt update
        - apt install wget -y
        - wget https://github.com/passbolt/go-passbolt-cli/releases/download/v0.2.0/go-passbolt-cli_0.2.0_linux_amd64.deb
        - dpkg -i ./go-passbolt-cli_0.2.0_linux_amd64.deb
        # demo only: the three echo lines below write the CI variables, passphrase included, into the job log
        - echo $PASSBOLT_URL
        - echo $USER_PASSPHRASE
        - echo $USER_PRIVATE_KEY_FILE
        - passbolt configure --serverAddress $PASSBOLT_URL --userPassword $USER_PASSPHRASE --userPrivateKeyFile $USER_PRIVATE_KEY_FILE
        - passbolt get resource --id 7fffe9c3-0b52-4580-b836-af04779a972a
    https://gitlab.enensys.com/training/devsecops/test-ci/-/ci/editor?branch_name=main 🡪 Just a simple example that shows how to extract a secret from gitlab-ci
  • 69. ❑ User: passbolt.jenkins@enensys.com (ONLY this user must be used within JENKINS jobs!) ❑ Jenkins can be used the same way as GITLAB! JENKINS 69
  • 70. ❑ Within Jenkins, credentials have been created in order to be able to extract secrets: http://jenkins.enensys.com/manage/credentials/store/system/domain/_/ ❑ Indeed, passbolt needs a password and a private key to extract resources from passbolt. 70 JENKINS
  • 71. JENKINS 71
    ❑ We can update the Jenkins file:
    (…)
    environment {
        PASSBOLT_JENKINS_PASSWORD = credentials('11483a19-5b91-406f-bc6c-81b17952aa67')
        PASSBOLT_JENKINS_PRIVATE_KEY = credentials('a649027d-e96c-4d55-aedf-0d5d64d3f38e')
    }
    (…)
    ❑ Then, inside a script we can:
    # --- Getting Key from passbolt as file :
    @echo "--> Getting certificate from the NN6 passbolt ... "
    passbolt configure --serverAddress https://passbolt.enensys.com --userPassword ${PASSBOLT_JENKINS_PASSWORD} --userPrivateKey ${PASSBOLT_JENKINS_PRIVATE_KEY}
    KEY_TXT="`passbolt get resource --id ab56dd91-0af4-41f7-8d0c-7f5ce816a796|grep Password|awk '{ print $2 }'`"
    @echo ${KEY_TXT} > $(TARGET_DIR)/var/external_resources/key.txt
  • 72. ❑ We can check the credential in the Jenkins console: 72 JENKINS
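The `echo $USER_PASSPHRASE` line in the GitLab job and the `grep Password|awk '{ print $2 }'` pipeline in the Jenkins script above both mishandle the secret: echo writes it into the job log, and awk keeps only the first whitespace-separated word of the password. The following POSIX shell snippet is an added example, not code from the slides or from the go-passbolt-cli project: it parses the `Field: value` output of `passbolt get resource` (layout as on slide 60) and stores one field in a mode-0600 file without printing it; the sample output, the resource values and the `passbolt_field` / `write_secret_file` function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the slides: parse the key/value output of
# `passbolt get resource` (layout as on slide 60) and store one field in a
# file readable only by the job user, without echoing the secret.
set -eu

# Constructed sample output; every value is invented. The password contains
# spaces and a colon to show why `awk '{ print $2 }'` loses part of it.
SAMPLE_OUTPUT='FolderParentID: 00000000-0000-0000-0000-000000000000
Name: example - LDAP server
Username: root
URI:
Password: pass with spaces and : colon
Description: example admin password'

# passbolt_field FIELD   (reads the CLI output on stdin)
# Prints the value of FIELD, keeping spaces and any further colons;
# prints nothing when the field is absent or empty.
passbolt_field() {
    sed -n "s/^$1: //p" | head -n 1
}

# write_secret_file FIELD DEST
# Writes the field value to DEST with mode 0600. Returns 1 when the field is
# empty, so a missing secret fails the job instead of writing "" to disk.
# In a real job the printf below would be replaced by the CLI call:
#   passbolt get resource --id "$RESOURCE_ID" | passbolt_field "$field"
write_secret_file() {
    field=$1
    dest=$2
    value=$(printf '%s\n' "$SAMPLE_OUTPUT" | passbolt_field "$field")
    [ -n "$value" ] || return 1
    # umask in a subshell so the restrictive mask does not affect later steps
    ( umask 077 && printf '%s\n' "$value" > "$dest" )
}

# Demo run: only the file name and size reach stdout, never the secret.
main() {
    out=$(mktemp -d)/key.txt
    write_secret_file Password "$out"
    printf 'secret stored in %s (%s bytes)\n' "$out" "$(wc -c < "$out" | tr -d ' ')"
    rm -f "$out"
}
main
```

The CI variables themselves still have to be marked as masked (GitLab) or bound through `credentials()` (Jenkins) so that the runner, not the script, keeps them out of the log.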
  • 78. ❑ https://help.passbolt.com/start/ ❑ https://help.passbolt.com/discover/ ❑ https://help.passbolt.com/faq/discover/ ❑ https://help.passbolt.com/releases/ ❑ https://www.passbolt.com/roadmap ❑ https://help.passbolt.com/faq/security/ ❑ https://help.passbolt.com/faq/hosting/ ❑ https://help.passbolt.com/hosting/install/ce/docker.html HELP 82
  • 79. ENENSYS 4A rue des Buttes CS 37734 35 577 Cesson-Sévigné – France Phone (+33) 1 70 72 51 70 Email contact@test-tree.com www.enensys.com 83