MANAGE DISTRIBUTED CONFIGURATION AND SECRETS WITH SPRING CLOUD AND VAULT
Andreas Falk
Friday 19th May, 2017
ANDREAS FALK
http://www.novatec-gmbh.de
andreas.falk@novatec-gmbh.de
@NT_AQE, @andifalk
AGENDA
A6: SENSITIVE DATA EXPOSURE
https://github.com/OWASP/Top10
TYPICAL SENSITIVE DATA
PASSWORDS
DATABASE CREDENTIALS
OAUTH2 CLIENT SECRETS
ENCRYPTION KEYS
SENSITIVE USER DATA
CREDIT CARD NUMBERS
APPLICATION PROPERTIES
DATABASE ACCESS CREDENTIALS
spring.datasource.url=jdbc:postgresql://localhost/test
spring.datasource.username=root
spring.datasource.password=mysupersecretpassword
SPRING CLOUD CONFIG
https://cloud.spring.io/spring-cloud-config
SPRING CLOUD CONFIG
Externalized configuration in a distributed system
HTTP, resource-based API
Supports property file and YAML formats
Encrypt and decrypt property values
https://cloud.spring.io/spring-cloud-config
GRADLE DEPENDENCIES
ext {
    springCloudVersion = 'Dalston.RELEASE'
}
dependencies {
    compile('org.springframework.cloud:spring-cloud-config-server')
}
dependencyManagement {
    imports {
        mavenBom "org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}"
    }
}
SPRING CLOUD CONFIG SERVER
JUST ONE ADDITIONAL ANNOTATION
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.config.server.EnableConfigServer;

@EnableConfigServer
@SpringBootApplication
public class ConfigServerApplication {
    public static void main(String[] args) {
        SpringApplication.run(ConfigServerApplication.class, args);
    }
}
SPRING CLOUD CONFIG SERVER
CONFIGURATION
spring.cloud.config.server.git.uri=https://github.com/andifalk/cloud-config-repository
server.port=8888
security.basic.enabled=true
security.user.name=admin
security.user.password=secret
SPRING CLOUD CONFIG
ENCRYPTION AND DECRYPTION
https://cloud.spring.io/spring-cloud-static/Dalston.RELEASE/#_security
SPRING CLOUD CONFIG SERVER
SYMMETRIC KEY CONFIGURATION
encrypt.key=MyVerySecureEncryptionKey
SPRING CLOUD CONFIG SERVER
ASYMMETRIC KEY CONFIGURATION
encrypt.key-store.location=classpath:configserver.jks
encrypt.key-store.alias=configserver
encrypt.key-store.password=secret
encrypt.key-store.secret=secret
SPRING CLOUD CONFIG SERVER
ENCRYPTING DATA
$ curl -u admin:secret -d test http://localhost:8888/encrypt
AQAx/RH8tiJj9V43l4dwAxhh0bXGPYa2UjRGOM8s5z2EmCXWRU5DLPzxGptF08nEo
kE+BfZPm4A3vco3volhWdYQcCAFguX+6LOvoxewv5AyfkIt1E0bTc7sa4wSSeBGG4
SZ1K/nkto4e6jH+5tktLiPpXoABzvy3YsAgXZ6j5zUM320cWEd4QBSoB0mYP5Kfsq
EFbFEUBm2wMyUSFB4/NXn5apn8KZ2c2WTAj/jZlrg/jI4Sz094zDzRaM+iZuqHjaU
xVng+3dTsz9DQ9rhfWFllmrtUyoKwgNWLuegV6neDsHGdz7F1bucvJ2CzEZb3tp76
K2RrP0m9KPesTZMtbUH2/g9uUDORh/95P1s+dRt0QznwlXshtnb8Hu3i7GdkmA=
SPRING CLOUD CONFIG SERVER
DECRYPTING DATA
$ curl localhost:8888/decrypt -u admin:secret -d AQAx/RH8tiJj9V43l4
dwAxhh0bXGPYa2UjRGOM8s5z2EmCXWRU5DLPzxGptF08nEokE+BfZPm4A3vco3vol
hWdYQcCAFguX+6LOvoxewv5AyfkIt1E0bTc7sa4wSSeBGG4SZ1K/nkto4e6jH+5tk
tLiPpXoABzvy3YsAgXZ6j5zUM320cWEd4QBSoB0mYP5KfsqEFbFEUBm2wMyUSFB4/
NXn5apn8KZ2c2WTAj/jZlrg/jI4Sz094zDzRaM+iZuqHjaUxVng+3dTsz9DQ9rhfW
FllmrtUyoKwgNWLuegV6neDsHGdz7F1bucvJ2CzEZb3tp76K2RrP0m9KPesTZMtbU
H2/g9uUDORh/95P1s+dRt0QznwlXshtnb8Hu3i7GdkmA=
test
SPRING CLOUD CONFIG SERVER
ENCRYPTED SENSITIVE PROPERTY VALUES
secretkey={cipher}AQBcFzU3gDVVdj0P2uX/60LzeFqQi8Bo2sCTOiiMSe+w
Yq4f0smM8HES0TKesr8Nms+EqgV5t9Rld7PGALjVUAAfHjAf6WS1yYz3K+
NvXrgu8umjOyRDxfKBh5OH2jvYX+EiKv/JgwDeUg3TXnTnsheh3Mim0dSu
fkojbBlWxO8HsfW5z1qG9tLSlHnWvtcpIGLdRAUwfcKw+/1SViuYxwi/p9
H+J/SOomr4hjjnCuaFITa0zfQc4XTLOrGxW64dhghDvCgu3BxMe0TRaBci
Ugkqka4zgBmzge0kw7r82b84GELmDGpjDp7HRUB+cVHqzZXuQzQB9vCjq1
xI19e6ZQm62DkOxaqtafGxqw+VmyFl1+XYEs1k2lWkiUMVyJyiixI=
DEMO
VAULT
KEY MANAGEMENT
SECRET STORAGE
KEY REVOCATION
KEY ROLLING
AUDIT LOGS
https://www.vaultproject.io/
SECRET STORAGE
ENCRYPTION (AES CIPHER)
DYNAMIC SECRETS
ACCESS CONTROL POLICIES
LEASE TIME (AUTOMATIC REVOCATION)
AUDIT LOGS
NOT ACTIVE BY DEFAULT
SENSITIVE DATA HASHED (HMAC-SHA256)
TARGETS: FILE, SYSLOG, SOCKET
...
,"path":"secret/hello","data":null,"remote_address":"127.0.0.1"
,"wrap_ttl":0,"headers":{}},"response":{"secret":{"lease_id":""}
,"data":{"value":"hmac-sha256:213d0d2572fe27ffd0cd2d97cf009c2d02e97b5af3f81b9af41f593982ffae8c"}},"error":""}
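The hashed values in the excerpt above cannot be reversed from the log, but an operator who already knows a candidate value can still check whether it is the one that was read, because the HMAC-SHA256 is keyed with the audit device's salt (Vault offers the /sys/audit-hash endpoint for the same computation). The Python below is an added example, not from the slides or from Vault: the salt and the audit entry are constructed, and Vault's own salt derivation is not reproduced.

```python
"""Matching a candidate plaintext against hashed values in a Vault audit entry.

Added example, not Vault's code. Vault writes secret values to audit devices as
hmac-sha256:<hex>, keyed with the device's salt, so a log reader cannot
recover the value but can verify a value it already knows. The salt and the
entry below are constructed for this illustration.
"""
import hashlib
import hmac
import json
from typing import Any, Iterator, List, Tuple

# Constructed stand-in for the audit device's secret salt.
AUDIT_SALT = b"constructed-audit-device-salt"


def audit_hash(value: str, salt: bytes = AUDIT_SALT) -> str:
    """Format a value the way it appears in the audit log."""
    digest = hmac.new(salt, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "hmac-sha256:" + digest


# Constructed entry with the shape of the slide's excerpt: a read of secret/hello
# whose value "world" is stored hashed.
AUDIT_LINE = json.dumps({
    "type": "response",
    "request": {"operation": "read", "path": "secret/hello", "data": None,
                "remote_address": "127.0.0.1", "wrap_ttl": 0, "headers": {}},
    "response": {"secret": {"lease_id": ""},
                 "data": {"value": audit_hash("world")}},
    "error": "",
})


def hashed_fields(obj: Any, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, hmac_string) for every hashed leaf in a parsed entry."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from hashed_fields(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from hashed_fields(val, f"{path}[{idx}]")
    elif isinstance(obj, str) and obj.startswith("hmac-sha256:"):
        yield path, obj


def find_value(line: str, candidate: str, salt: bytes = AUDIT_SALT) -> List[str]:
    """Return the JSON paths in `line` whose hash equals the hash of `candidate`."""
    expected = audit_hash(candidate, salt)
    # Constant-time comparison, since the expected hash is derived from a secret salt.
    return [p for p, h in hashed_fields(json.loads(line))
            if hmac.compare_digest(h, expected)]


if __name__ == "__main__":
    print(find_value(AUDIT_LINE, "world"))  # ['response.data.value']
    print(find_value(AUDIT_LINE, "guess"))  # []
```

Without the salt a reader can only compare hashes, not derive values, which is why the slide lists the audit log as safe to ship to file, syslog or a socket.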
AUTHENTICATION
TOKEN (DEFAULT)
APPID
APPROLE
TLS CLIENT CERTIFICATE
AWS, GITHUB, ...
ROTATE, REPAIR, REPAVE
JUSTIN SMITH (PIVOTAL)
SECRET BACKENDS
GETTING DYNAMIC CREDENTIALS (WITH LEASE TIME)
AWS
CONSUL
MONGODB
DATABASES (MYSQL, POSTGRESQL, CASSANDRA)
RABBITMQ, AND MANY MORE...
START VAULT SERVER
memory.conf
storage "inmem" {
}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}

disable_mlock = true

$ vault server -config=./memory.conf
INITIALIZE VAULT SERVER
$ vault init -key-shares=5 -key-threshold=2
Unseal Key 1: v236b4yJQDnaJ3EmkOhycZTcxTJfMbNeILqxWfRpzGn0
Unseal Key 2: g1tV/d4vp7VVbOu93aHrHZt41xE5YtX7yYBsFMIXGHCf
Unseal Key 3: rAI5FwrVF8XFUD7BOtTer9bL4A39HxHhnXQo85uSyphf
Unseal Key 4: kDSWhVhz8ElKG6Rad51Hw9lv8i6bTHdEdE71vq3sHoE0
Unseal Key 5: 4KUY7CS+UBi5lxlwpCRY+sWXdPFDp68rX2F6bTxT0nHF
Initial Root Token: 68a80410-e315-fc39-d1ad-9864e169a47f
Please securely distribute the above keys. When the vault is
re-sealed, restarted, or stopped, you must provide at least 2
of these keys to unseal it again.
Vault does not store the master key. Without at least 2 keys,
your vault will remain permanently sealed.
UNSEAL VAULT SERVER
$ vault unseal v236b4yJQDnaJ3EmkOhycZTcxTJfMbNeILqxWfRpzGn0
Sealed: true
Key Shares: 5
Key Threshold: 2
Unseal Progress: 1
Unseal Nonce: 3a7f80b8-9aa4-2338-8a0a-0295331962d7
$ vault unseal rAI5FwrVF8XFUD7BOtTer9bL4A39HxHhnXQo85uSyphf
Sealed: false
Key Shares: 5
Key Threshold: 2
Unseal Progress: 0
Unseal Nonce:
AUTHENTICATE WITH VAULT SERVER
$ vault auth 68a80410-e315-fc39-d1ad-9864e169a47f
Successfully authenticated! You are now logged in.
token: 68a80410-e315-fc39-d1ad-9864e169a47f
token_duration: 0
token_policies: [root]
WRITE AND READ SECRETS
$ vault write secret/mysecret hello=world
Success! Data written to: secret/mysecret
$ vault read secret/mysecret
Key                 Value
---                 -----
refresh_interval    768h0m0s
hello               world
DEMO
SPRING CLOUD VAULT
https://cloud.spring.io/spring-cloud-vault
GRADLE DEPENDENCIES
ext {
    springCloudVersion = 'Dalston.RELEASE'
}
dependencies {
    compile('org.springframework.cloud:spring-cloud-starter-vault-config')
}
dependencyManagement {
    imports {
        mavenBom "org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}"
    }
}
SECRET DATA MAPPING
BOOTSTRAP.PROPERTIES
MAPPED SECRET PATHS IN VAULT
spring.cloud.vault.generic.application-name=application1,additional/keys
#spring.cloud.vault.application-name=...
#spring.application.name=...

/secret/application1
/secret/application1/myprofile
/secret/additional/keys
/secret/application
/secret/application/myprofile
DEMO
ROTATE DATABASE CREDENTIALS
BOOTSTRAP.YML
spring.cloud.vault:
  postgresql:
    enabled: true
    role: readonly
    backend: postgresql
    username-property: spring.datasource.username
    password-property: spring.datasource.password
SPRING CLOUD CONFIG VAULT
ENVIRONMENT REPOSITORY
APPLICATION.PROPERTIES (CONFIG SERVER)
spring.profiles.active=vault
spring.cloud.config.server.vault.host=127.0.0.1
spring.cloud.config.server.vault.port=8200
spring.cloud.config.server.vault.scheme=https

BOOTSTRAP.PROPERTIES (CLIENT)
spring.cloud.config.token=YourVaultToken
TARGET ACHIEVED?
REFERENCES
All images used are from Pixabay and are published under the Creative Commons CC0 license.
All used logos are trademarks of corresponding companies.
Spring Cloud Config (https://cloud.spring.io/spring-cloud-config/)
Spring Cloud Config Security (http://cloud.spring.io/spring-cloud-static/spring-cloud-config/1.3.0.RELEASE/#_security)
Shamir's secret sharing algorithm (https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing)
Spring Cloud Vault (https://cloud.spring.io/spring-cloud-vault)
Vault (https://www.vaultproject.io)
Cloud Foundry Vault Service Broker (https://www.hashicorp.com/blog/cloud-foundry-vault-service-broker)
Cloud Native Key Management — Justin Smith (https://www.youtube.com/watch?v=MvPIthr4kXA&t=1601s)
Sources and Presentation (https://github.com/andifalk/distributed-secure-configuration)
Q&A
http://www.novatec-gmbh.de
http://blog.novatec-gmbh.de
andreas.falk@novatec-gmbh.de
@NT_AQE, @andifalk
14

Weitere ähnliche Inhalte

Was ist angesagt?

Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesConf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesBrentMatlock
 
Fosdem10
Fosdem10Fosdem10
Fosdem10wremes
 
Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21Max Kleiner
 
[2014/10/06] HITCON Freetalk - App Security on Android
[2014/10/06] HITCON Freetalk - App Security on Android[2014/10/06] HITCON Freetalk - App Security on Android
[2014/10/06] HITCON Freetalk - App Security on AndroidDEVCORE
 
Mise en place d'un client VPN l2tp IPsec sous docker
Mise en place d'un client VPN l2tp IPsec sous dockerMise en place d'un client VPN l2tp IPsec sous docker
Mise en place d'un client VPN l2tp IPsec sous dockerNicolas Trauwaen
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsPriyanka Aash
 
SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSAnant Shrivastava
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationJustin Bui
 
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
 BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S... BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...BlueHat Security Conference
 
OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010wremes
 
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat Security Conference
 
RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX MalwareSynack
 
Opencast Matterhorn Stream Security
Opencast Matterhorn Stream SecurityOpencast Matterhorn Stream Security
Opencast Matterhorn Stream SecurityBasil Brunner
 
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程Jimmy Chang
 
SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)Maarten Mulders
 
Top 13 best security practices
Top 13 best security practicesTop 13 best security practices
Top 13 best security practicesRadu Vunvulea
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat Security Conference
 
Smart Contracts Technical Overview - Meetup Roma - 17/09/19
Smart Contracts Technical Overview - Meetup Roma - 17/09/19Smart Contracts Technical Overview - Meetup Roma - 17/09/19
Smart Contracts Technical Overview - Meetup Roma - 17/09/19Federico Tenga
 

Was ist angesagt? (20)

Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesConf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
 
Fosdem10
Fosdem10Fosdem10
Fosdem10
 
Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21
 
[2014/10/06] HITCON Freetalk - App Security on Android
[2014/10/06] HITCON Freetalk - App Security on Android[2014/10/06] HITCON Freetalk - App Security on Android
[2014/10/06] HITCON Freetalk - App Security on Android
 
Mise en place d'un client VPN l2tp IPsec sous docker
Mise en place d'un client VPN l2tp IPsec sous dockerMise en place d'un client VPN l2tp IPsec sous docker
Mise en place d'un client VPN l2tp IPsec sous docker
 
URL to HTML
URL to HTMLURL to HTML
URL to HTML
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS Firewalls
 
SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOS
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token Manipulation
 
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
 BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S... BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
 
OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010
 
Java security
Java securityJava security
Java security
 
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
 
RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX Malware
 
Opencast Matterhorn Stream Security
Opencast Matterhorn Stream SecurityOpencast Matterhorn Stream Security
Opencast Matterhorn Stream Security
 
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
 
SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)
 
Top 13 best security practices
Top 13 best security practicesTop 13 best security practices
Top 13 best security practices
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
 
Smart Contracts Technical Overview - Meetup Roma - 17/09/19
Smart Contracts Technical Overview - Meetup Roma - 17/09/19Smart Contracts Technical Overview - Meetup Roma - 17/09/19
Smart Contracts Technical Overview - Meetup Roma - 17/09/19
 

Ähnlich wie Manage distributed configuration and secrets with spring cloud and vault (Spring I/O 2017)

Creating "Secure" PHP applications, Part 2, Server Hardening
Creating "Secure" PHP applications, Part 2, Server HardeningCreating "Secure" PHP applications, Part 2, Server Hardening
Creating "Secure" PHP applications, Part 2, Server Hardeningarchwisp
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwordsFrancois Marier
 
Security of go modules lightning talk
Security of go modules  lightning talkSecurity of go modules  lightning talk
Security of go modules lightning talkDeep Datta
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩smalltown
 
WiFi practical hacking "Show me the passwords!"
WiFi practical hacking "Show me the passwords!"WiFi practical hacking "Show me the passwords!"
WiFi practical hacking "Show me the passwords!"DefCamp
 
Engineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the CloudEngineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the Cloudrandomuserid
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE - ATT&CKcon
 
Analysis of Compromised Linux Server
Analysis of Compromised Linux ServerAnalysis of Compromised Linux Server
Analysis of Compromised Linux Serveranandvaidya
 
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...Jisc
 
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Paula Januszkiewicz
 
Passbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managmentPassbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managmentThierry Gayet
 
11thingsabout11g 12659705398222 Phpapp01
11thingsabout11g 12659705398222 Phpapp0111thingsabout11g 12659705398222 Phpapp01
11thingsabout11g 12659705398222 Phpapp01Karam Abuataya
 
11 Things About11g
11 Things About11g11 Things About11g
11 Things About11gfcamachob
 
Wide Column Store NoSQL vs SQL Data Modeling
Wide Column Store NoSQL vs SQL Data ModelingWide Column Store NoSQL vs SQL Data Modeling
Wide Column Store NoSQL vs SQL Data ModelingScyllaDB
 

Ähnlich wie Manage distributed configuration and secrets with spring cloud and vault (Spring I/O 2017) (20)

Creating "Secure" PHP applications, Part 2, Server Hardening
Creating "Secure" PHP applications, Part 2, Server HardeningCreating "Secure" PHP applications, Part 2, Server Hardening
Creating "Secure" PHP applications, Part 2, Server Hardening
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwords
 
URL to HTML
URL to HTMLURL to HTML
URL to HTML
 
Security of go modules lightning talk
Security of go modules  lightning talkSecurity of go modules  lightning talk
Security of go modules lightning talk
 
Data Encryption at Rest
Data Encryption at RestData Encryption at Rest
Data Encryption at Rest
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩
 
WiFi practical hacking "Show me the passwords!"
WiFi practical hacking "Show me the passwords!"WiFi practical hacking "Show me the passwords!"
WiFi practical hacking "Show me the passwords!"
 
Engineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the CloudEngineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the Cloud
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
 
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
 
Analysis of Compromised Linux Server
Analysis of Compromised Linux ServerAnalysis of Compromised Linux Server
Analysis of Compromised Linux Server
 
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
 
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?Adventures in Underland: Is encryption solid as a rock or a handful of dust?
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
 
Passbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managmentPassbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managment
 
MySQL 5.5 Guide to InnoDB Status
MySQL 5.5 Guide to InnoDB StatusMySQL 5.5 Guide to InnoDB Status
MySQL 5.5 Guide to InnoDB Status
 
11thingsabout11g 12659705398222 Phpapp01
11thingsabout11g 12659705398222 Phpapp0111thingsabout11g 12659705398222 Phpapp01
11thingsabout11g 12659705398222 Phpapp01
 
11 Things About11g
11 Things About11g11 Things About11g
11 Things About11g
 
Wide Column Store NoSQL vs SQL Data Modeling
Wide Column Store NoSQL vs SQL Data ModelingWide Column Store NoSQL vs SQL Data Modeling
Wide Column Store NoSQL vs SQL Data Modeling
 
Backups
BackupsBackups
Backups
 

Kürzlich hochgeladen

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 

Kürzlich hochgeladen (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Manage distributed configuration and secrets with spring cloud and vault (Spring I/O 2017)

  • 1. MANAGE DISTRIBUTED CONFIGURATION AND SECRETS WITH SPRING CLOUD AND VAULT
    Andreas Falk
    Friday 19th May, 2017
  • 4. (image-only slide)
  • 5. A6: SENSITIVE DATA EXPOSURE
    https://github.com/OWASP/Top10
  • 6. TYPICAL SENSITIVE DATA
    PASSWORDS
    DATABASE CREDENTIALS
    OAUTH2 CLIENT SECRETS
    ENCRYPTION KEYS
    SENSITIVE USER DATA
    CREDIT CARD NUMBERS
  • 7. APPLICATION PROPERTIES
    DATABASE ACCESS CREDENTIALS
      spring.datasource.url=jdbc:postgresql://localhost/test
      spring.datasource.username=root
      spring.datasource.password=mysupersecretpassword
  • 9. SPRING CLOUD CONFIG
    Externalized configuration in a distributed system
    HTTP, resource-based API
    Supports property file and YAML formats
    Encrypt and decrypt property values
    https://cloud.spring.io/spring-cloud-config
  • 10. (image-only slide)
  • 11. GRADLE DEPENDENCIES
      ext {
        springCloudVersion = 'Dalston.RELEASE'
      }
      dependencies {
        compile('org.springframework.cloud:spring-cloud-config-server')
      }
      dependencyManagement {
        imports {
          mavenBom "org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}"
        }
      }
  • 12. SPRING CLOUD CONFIG SERVER
    JUST ONE ADDITIONAL ANNOTATION
      @EnableConfigServer
      @SpringBootApplication
      public class ConfigServerApplication {
        public static void main(String[] args) {
          SpringApplication.run(ConfigServerApplication.class, args);
        }
      }
  • 13. SPRING CLOUD CONFIG SERVER
    CONFIGURATION
      spring.cloud.config.server.git.uri=https://github.com/andifalk/cloud-config-repository
      server.port=8888
      security.basic.enabled=true
      security.user.name=admin
      security.user.password=secret
  • 14. SPRING CLOUD CONFIG
    ENCRYPTION AND DECRYPTION
    https://cloud.spring.io/spring-cloud-static/Dalston.RELEASE/#_security
  • 15. SPRING CLOUD CONFIG SERVER
    SYMMETRIC KEY CONFIGURATION
      encrypt.key=MyVerySecureEncryptionKey
  • 16. SPRING CLOUD CONFIG SERVER
    ASYMMETRIC KEY CONFIGURATION
      encrypt.key-store.location=classpath:configserver.jks
      encrypt.key-store.alias=configserver
      encrypt.key-store.password=secret
      encrypt.key-store.secret=secret
  • 17. SPRING CLOUD CONFIG SERVER
    ENCRYPTING DATA
      $ curl -u admin:secret -d test http://localhost:8888/encrypt
      AQAx/RH8tiJj9V43l4dwAxhh0bXGPYa2UjRGOM8s5z2EmCXWRU5DLPzxGptF08nEokE+BfZPm4A3vco3volhWdYQcCAFguX+6LOvoxewv5AyfkIt1E0bTc7sa4wSSeBGG4SZ1K/nkto4e6jH+5tktLiPpXoABzvy3YsAgXZ6j5zUM320cWEd4QBSoB0mYP5KfsqEFbFEUBm2wMyUSFB4/NXn5apn8KZ2c2WTAj/jZlrg/jI4Sz094zDzRaM+iZuqHjaUxVng+3dTsz9DQ9rhfWFllmrtUyoKwgNWLuegV6neDsHGdz7F1bucvJ2CzEZb3tp76K2RrP0m9KPesTZMtbUH2/g9uUDORh/95P1s+dRt0QznwlXshtnb8Hu3i7GdkmA=
  • 18. SPRING CLOUD CONFIG SERVER
    DECRYPTING DATA
      $ curl localhost:8888/decrypt -u admin:secret -d AQAx/RH8tiJj9V43l4dwAxhh0bXGPYa2UjRGOM8s5z2EmCXWRU5DLPzxGptF08nEokE+BfZPm4A3vco3volhWdYQcCAFguX+6LOvoxewv5AyfkIt1E0bTc7sa4wSSeBGG4SZ1K/nkto4e6jH+5tktLiPpXoABzvy3YsAgXZ6j5zUM320cWEd4QBSoB0mYP5KfsqEFbFEUBm2wMyUSFB4/NXn5apn8KZ2c2WTAj/jZlrg/jI4Sz094zDzRaM+iZuqHjaUxVng+3dTsz9DQ9rhfWFllmrtUyoKwgNWLuegV6neDsHGdz7F1bucvJ2CzEZb3tp76K2RrP0m9KPesTZMtbUH2/g9uUDORh/95P1s+dRt0QznwlXshtnb8Hu3i7GdkmA=
      test
  • 19. SPRING CLOUD CONFIG SERVER
    ENCRYPTED SENSITIVE PROPERTY VALUES
      secretkey={cipher}AQBcFzU3gDVVdj0P2uX/60LzeFqQi8Bo2sCTOiiMSe+wYq4f0smM8HES0TKesr8Nms+EqgV5t9Rld7PGALjVUAAfHjAf6WS1yYz3K+NvXrgu8umjOyRDxfKBh5OH2jvYX+EiKv/JgwDeUg3TXnTnsheh3Mim0dSufkojbBlWxO8HsfW5z1qG9tLSlHnWvtcpIGLdRAUwfcKw+/1SViuYxwi/p9H+J/SOomr4hjjnCuaFITa0zfQc4XTLOrGxW64dhghDvCgu3BxMe0TRaBciUgkqka4zgBmzge0kw7r82b84GELmDGpjDp7HRUB+cVHqzZXuQzQB9vCjq1xI19e6ZQm62DkOxaqtafGxqw+VmyFl1+XYEs1k2lWkiUMVyJyiixI=
  • 23. VAULT
    SECRET STORAGE
    KEY REVOCATION
    KEY ROLLING
    AUDIT LOGS
    https://www.vaultproject.io/
  • 25. SECRET STORAGE
    ENCRYPTION (AES CIPHER)
    DYNAMIC SECRETS
    ACCESS CONTROL POLICIES
    LEASE TIME (AUTOMATIC REVOCATION)
  • 26. AUDIT LOGS
    NOT ACTIVE BY DEFAULT
    SENSITIVE DATA HASHED (HMAC-SHA256)
    TARGETS: FILE, SYSLOG, SOCKET
      ...,"path":"secret/hello","data":null,"remote_address":"127.0.0.1","wrap_ttl":0,"headers":{}},"response":{"secret":{"lease_id":""},"data":{"value":"hmac-sha256:213d0d2572fe27ffd0cd2d97cf009c2d02e97b5af3f81b9af41f593982ffae8c"}},"error":""}
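Slide 26 shows an audit entry in which the returned secret value appears only as an hmac-sha256 digest. The Python below is an added illustration, not Vault's code or the talk's: it reproduces that redaction and the check an operator performs with a known candidate value (what Vault's /sys/audit-hash endpoint answers) to tell whether a given audited read returned it. The audit key and the log entry are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Any, Dict

# Constructed per-device salt; a real audit device derives its own key, which never
# appears in the log itself.
AUDIT_KEY = b"constructed-audit-device-salt"


def audit_hash(key: bytes, value: str) -> str:
    """Produce the 'hmac-sha256:<hex>' form Vault writes instead of the plaintext."""
    return "hmac-sha256:" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def redact(key: bytes, data: Any) -> Any:
    """Walk request/response data and replace every string leaf by its HMAC,
    keeping the JSON structure so the entry stays greppable by path and field."""
    if isinstance(data, dict):
        return {k: redact(key, v) for k, v in data.items()}
    if isinstance(data, list):
        return [redact(key, v) for v in data]
    if isinstance(data, str):
        return audit_hash(key, data)
    return data  # numbers, booleans and null are left in the clear in this example


def build_entry(key: bytes, path: str, data: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed response-type audit entry for a read of `path`, shaped like the slide's fragment."""
    return {
        "type": "response",
        "request": {"path": path, "remote_address": "127.0.0.1"},
        "response": {"secret": {"lease_id": ""}, "data": redact(key, data)},
        "error": "",
    }


def value_matches(key: bytes, entry: Dict[str, Any], field: str, candidate: str) -> bool:
    """Answer 'did this audited read return `candidate` in `field`?' without the log
    ever holding the value: recompute the HMAC and compare in constant time."""
    stored = entry["response"]["data"].get(field, "")
    return hmac.compare_digest(stored, audit_hash(key, candidate))


if __name__ == "__main__":
    entry = build_entry(AUDIT_KEY, "secret/hello", {"value": "world"})
    print(json.dumps(entry))
    print("read returned 'world':", value_matches(AUDIT_KEY, entry, "value", "world"))
```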
  • 27. AUTHENTICATION
    TOKEN (DEFAULT)
    APPID
    APPROLE
    TLS CLIENT CERTIFICATE
    AWS, GITHUB, ...
  • 29. SECRET BACKENDS
    GETTING DYNAMIC CREDENTIALS (WITH LEASE TIME)
    AWS
    CONSUL
    MONGODB
    DATABASES (MYSQL, POSTGRESQL, CASSANDRA)
    RABBITMQ, AND MANY MORE...
  • 31. START VAULT SERVER
    memory.conf
      storage "inmem" {
      }
      listener "tcp" {
        address = "127.0.0.1:8200"
        tls_disable = 1
      }
      disable_mlock = true
    $ vault server -config=./memory.conf
  • 33. INITIALIZE VAULT SERVER
      $ vault init -key-shares=5 -key-threshold=2
      Unseal Key 1: v236b4yJQDnaJ3EmkOhycZTcxTJfMbNeILqxWfRpzGn0
      Unseal Key 2: g1tV/d4vp7VVbOu93aHrHZt41xE5YtX7yYBsFMIXGHCf
      Unseal Key 3: rAI5FwrVF8XFUD7BOtTer9bL4A39HxHhnXQo85uSyphf
      Unseal Key 4: kDSWhVhz8ElKG6Rad51Hw9lv8i6bTHdEdE71vq3sHoE0
      Unseal Key 5: 4KUY7CS+UBi5lxlwpCRY+sWXdPFDp68rX2F6bTxT0nHF
      Initial Root Token: 68a80410-e315-fc39-d1ad-9864e169a47f

      Please securely distribute the above keys. When the vault is re-sealed,
      restarted, or stopped, you must provide at least 2 of these keys to
      unseal it again.

      Vault does not store the master key. Without at least 2 keys, your vault
      will remain permanently sealed.
  • 34. UNSEAL VAULT SERVER
      $ vault unseal v236b4yJQDnaJ3EmkOhycZTcxTJfMbNeILqxWfRpzGn0
      Sealed: true
      Key Shares: 5
      Key Threshold: 2
      Unseal Progress: 1
      Unseal Nonce: 3a7f80b8-9aa4-2338-8a0a-0295331962d7

      $ vault unseal rAI5FwrVF8XFUD7BOtTer9bL4A39HxHhnXQo85uSyphf
      Sealed: false
      Key Shares: 5
      Key Threshold: 2
      Unseal Progress: 0
      Unseal Nonce:
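Slides 33 and 34 rely on Shamir's secret sharing (listed in the references): vault init splits the master key into 5 unseal keys, discards the key itself, and any 2 of them rebuild it. The Python below is an added illustration written for this page, not Vault's implementation (Vault's own code works byte-wise in GF(2^8)); it does the split and the reconstruction over a prime field, with the 2^127-1 prime as a constructed choice, and reproduces the slide's scenario of presenting keys 1 and 3.

```python
import secrets
from typing import List, Tuple

# Arithmetic is done in the prime field GF(PRIME); 2^127-1 is a constructed choice
# large enough to hold a 126-bit master key for the example.
PRIME = 2 ** 127 - 1

Share = Tuple[int, int]  # (x, f(x)) point on the sharing polynomial


def split_secret(secret: int, shares: int, threshold: int) -> List[Share]:
    """Split `secret` into `shares` points on a random polynomial of degree threshold-1
    whose constant term is the secret (Vault: -key-shares / -key-threshold)."""
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the number of shares")
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x, mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def combine_shares(points: List[Share]) -> int:
    """Lagrange-interpolate the polynomial at x=0 from the given points. With fewer than
    `threshold` points the result is a field element unrelated to the secret."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def unseal_demo() -> bool:
    """Mirror the slides: 5 unseal keys, threshold 2, keys 1 and 3 presented."""
    master = secrets.randbelow(PRIME)
    keys = split_secret(master, shares=5, threshold=2)
    with_two = combine_shares([keys[0], keys[2]]) == master
    with_one = combine_shares([keys[0]]) == master  # a lone share is just f(1)
    return with_two and not with_one


if __name__ == "__main__":
    print("two keys unseal, one key does not:", unseal_demo())
```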
  • 35. AUTHENTICATE WITH VAULT SERVER
      $ vault auth 68a80410-e315-fc39-d1ad-9864e169a47f
      Successfully authenticated! You are now logged in.
      token: 68a80410-e315-fc39-d1ad-9864e169a47f
      token_duration: 0
      token_policies: [root]
  • 36. WRITE AND READ SECRETS
      $ vault write secret/mysecret hello=world
      Success! Data written to: secret/mysecret

      $ vault read secret/mysecret
      Key                 Value
      ---                 -----
      refresh_interval    768h0m0s
      hello               world
  • 39. GRADLE DEPENDENCIES
      ext {
        springCloudVersion = 'Dalston.RELEASE'
      }
      dependencies {
        compile('org.springframework.cloud:spring-cloud-starter-vault-config')
      }
      dependencyManagement {
        imports {
          mavenBom "org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}"
        }
      }
  • 40. SECRET DATA MAPPING
    BOOTSTRAP.PROPERTIES
      spring.cloud.vault.generic.application-name=application1,additional/keys
      #spring.cloud.vault.application-name=...
      #spring.application.name=...
    MAPPED SECRET PATHS IN VAULT
      /secret/application1
      /secret/application1/myprofile
      /secret/additional/keys
      /secret/application
      /secret/application/myprofile
  • 42. ROTATE DATABASE CREDENTIALS
    BOOTSTRAP.YML
      spring.cloud.vault:
        postgresql:
          enabled: true
          role: readonly
          backend: postgresql
          username-property: spring.datasource.username
          password-property: spring.datasource.password
  • 44. SPRING CLOUD CONFIG VAULT ENVIRONMENT REPOSITORY
    APPLICATION.PROPERTIES (CONFIG SERVER)
      spring.profiles.active=vault
      spring.cloud.config.server.vault.host=127.0.0.1
      spring.cloud.config.server.vault.port=8200
      spring.cloud.config.server.vault.scheme=https
    BOOTSTRAP.PROPERTIES (CLIENT)
      spring.cloud.config.token=YourVaultToken
  • 46. REFERENCES
    All images used are from Pixabay and are published under the Creative Commons CC0 license.
    All used logos are trademarks of the corresponding companies.
    Spring Cloud Config (https://cloud.spring.io/spring-cloud-config/)
    Spring Cloud Config Security (http://cloud.spring.io/spring-cloud-static/spring-cloud-config/1.3.0.RELEASE/#_security)
    Shamir's secret sharing algorithm (https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing)
    Spring Cloud Vault (https://cloud.spring.io/spring-cloud-vault)
    Vault (https://www.vaultproject.io)
    Cloud Foundry Vault Service Broker (https://www.hashicorp.com/blog/cloud-foundry-vault-service-broker)
    Cloud Native Key Management, Justin Smith (https://www.youtube.com/watch?v=MvPIthr4kXA&t=1601s)
    Sources and Presentation (https://github.com/andifalk/distributed-secure-configuration)