Secrets are secrets. Please, maintain keep them.

S E C R E T S
A R E
S E C R E T S .
P L E A S E ,
M A I N T A I N
K E E P
T H E M ! .

 A L E X S O T O B - L O R D O F T H E J A R S . C O M
 alexsotob  lordofthejars

Q U E S T I O N S

W H O
E N C R Y P T
P A S S W O R D S
I N
R E S O U R C E
F I L E S ?

<<ResourceResource idid==”myds””myds” typetype==”DataSource””DataSource”>>
JdbcDriver = org.hsqldb.jdbc.JDBCDriver JdbcDriver = org.hsqldb.jdbc.JDBCDriver
JdbcUrl = jdbc:hsqldb:mem:my-datasource JdbcUrl = jdbc:hsqldb:mem:my-datasource
Username = SA Username = SA
Password = SA Password = SA
</</ResourceResource>>
A P A C H E
T O M E E
R E S O U R C E S

<<ResourceResource idid==”myds””myds” typetype==”DataSource””DataSource”>>
JdbcDriver = org.hsqldb.jdbc.JDBCDriver JdbcDriver = org.hsqldb.jdbc.JDBCDriver
JdbcUrl = jdbc:hsqldb:mem:my-datasource JdbcUrl = jdbc:hsqldb:mem:my-datasource
Username = SA Username = SA
Password = xMH5uM1V9vQzVUv5LG7YLA== Password = xMH5uM1V9vQzVUv5LG7YLA==
PasswordCipher = AES PasswordCipher = AES
<<ResourceResource idid==”myresource””myresource” class-nameclass-name==""org.superbiz.VaultGatewayorg.superbiz.VaultGateway"">>
//..... //.....
VaultPassword = cipher:AES:xMH5uM1V9vQzVUv5LG7YLA== VaultPassword = cipher:AES:xMH5uM1V9vQzVUv5LG7YLA==
A P A C H E
T O M E E
R E S O U R C E S

publicpublic AESPasswordCipherAESPasswordCipher(()) {{
thisthis..key key == readKeyFromDiskreadKeyFromDisk(());;
thisthis..secretKey secretKey == newnew SecretKeySpecSecretKeySpec((keykey,, "AES""AES"));;
}}
publicpublic String String decryptdecrypt((charchar[[]] chars chars)) {{
Cipher cipher Cipher cipher == Cipher Cipher..getInstancegetInstance(("AES""AES"));;
cipher cipher..initinit((CipherCipher..DECRYPT_MODEDECRYPT_MODE,, secretKey secretKey));;

byte byte[[]] raw raw == Base64 Base64..getDecodergetDecoder(())..decodedecode((toByteArraytoByteArray((charschars))));;
byte byte[[]] stringBytes stringBytes == cipher cipher..doFinaldoFinal((rawraw));;
String clearText String clearText == newnew StringString((stringBytesstringBytes,, "UTF8""UTF8"));;
returnreturn clearText clearText;;
}}
publicpublic char char[[]] encryptencrypt((String sString s)) {{}}
I M P L E M E N T A T I O N

C H I C K E N - E G G
P R O B L E M

M O N O L I T H
A R C H I T E C T U R E

M I C R O S E R V I C E S
A R C H I T E C T U R E ?

https://vaultproject.io/
A
T O O L
F O R
M A N A G I N G
S E C R E T S

V A U L T
F E A T U R E S
Secure
Secret
Storage

V A U L T
F E A T U R E S
Secure
Secret
Storage
Dynamic
Secrets

V A U L T
F E A T U R E S
Secure
Secret
Storage
Dynamic
Secrets
Data
Encryption

V A U L T
F E A T U R E S
Secure
Secret
Storage
Dynamic
Secrets
Data
Encryption
Leasing,
Renewing,
Revocation

V A U L T
F E A T U R E S
Secure
Secret
Storage
Dynamic
Secrets
Data
Encryption
Leasing,
Renewing,
Revocation
Auditing

V A U L T
F E A T U R E S
Secure
Secret
Storage
Dynamic
Secrets
Data
Encryption
Leasing,
Renewing,
Revocation
Auditing
ACL

V A U L T
F E A T U R E S
Secure
Secret
Storage
Dynamic
Secrets
Data
Encryption
Leasing,
Renewing,
Revocation
Auditing
ACL
Multiple
Authentication
Methods

V A U L T
F E A T U R E S
Secure
Secret
Storage
Dynamic
Secrets
Data
Encryption
Leasing,
Renewing,
Revocation
Auditing
ACL
Multiple
Authentication
Methods
 REST API

S E C U R E
S E C R E T
S T O R A G E

L E T ' S
S E E
I N
A C T I O N

M I C R O S E R V I C E S
A P P R O A C H

N E E D
Y O U R
H E L P

A P P
I D
Random
Unique
Chunk

A P P
I D
Random
Unique
Chunk
Unique
to
Application
(aka
Service)

A P P
I D
Random
Unique
Chunk
Unique
to
Application
(aka
Service)
Generated
by
Operator

A P P
I D
Random
Unique
Chunk
Unique
to
Application
(aka
Service)
Generated
by
Operator
Stored
in
Configuration
Management

U S E R
I D
Intrinsic
Properties

U S E R
I D
Intrinsic
Properties
Unique
to
Instance

U S E R
I D
Intrinsic
Properties
Unique
to
Instance
Generated
by
Cloud
Init
Script

login
E A C H
S E R V I C E
W I T H
T U P L E

{ A P P I D ,
U S E R I D }

E X A M P L E
W I T H
D O C K E R

C U B B Y H O L E
A U T H E N T I C A T I O N
M E T H O D

C U B B Y H O L E
temp
Token
with
TTL
and
Limits

C U B B Y H O L E
temp
Token
with
TTL
and
Limits
perm
Token
to
access
real
data

C U B B Y H O L E
temp
Token
with
TTL
and
Limits
perm
Token
to
access
real
data
Generated
by
Cloud
Init
Script

$$>> vault token vault token--create create --useuse--limitlimit==33
$$>> vault auth vault auth ...... #First usage #First usage
$$>> vault write cubbyhole vault write cubbyhole//service11 tokenservice11 token==...... #Second usage #Second usage
$$>> vault read cubbyhole vault read cubbyhole//service11 #Third usageservice11 #Third usage
$$>> vault read cubbyhole vault read cubbyhole//service11service11
Error reading cubbyholeError reading cubbyhole//tokentoken:: Error making API request Error making API request..
URLURL:: GET http GET http::////127.0127.0..0.10.1::82008200//v1v1//cubbyholecubbyhole//tokentoken
CodeCode:: 403403.. Errors Errors::
C L I

L E T ' S
W I N D

D O W N

V A U L T
I S
A
S E R V I C E

T H E R E
I S
N O
S I L V E R
B U L L E T


@alexsotob

asotobu@gmail.com

Secrets are secrets. Please, maintain keep them.

Recommended

Recommended

More Related Content

More from Alex Soto

More from Alex Soto (20)

Recently uploaded

Recently uploaded (20)

Secrets are secrets. Please, maintain keep them.