The BlackBox project
Safely storing secrets and credentials in Git
for use by Puppet
Tom Limoncelli, SRE, StackExchange.com
Blog: EverythingSysadmin.com
125+ Q&A Communities
ServerFault.com
StackOverflow.com
(We <3 Puppet!)
StackExchange.com
What are secrets?
Anything you don’t want exposed externally.
● SSL Certificates (the private bits)
● Passwords
● API keys
Puppet manages secrets
If you store secrets in git, you’re gonna have a bad time.
● Laptops get stolen.
● Workstations have guest accounts
● “Circle of Trust” now includes:
○ Everyone with admin access to workstations.
■ Your desktop support people?
○ Everyone with admin access to your git server:
■ Server team, storage team, backup team
○ Everyone you collaborate with that wants read-only access to Puppet manifests.
You have 3 bad options:
1. Deny git access. (Hurts collaboration)
2. Permit git access. (Hurts security)
3. Email individual files. (Hurts… just hurts)
Option 4: Encrypt secret parts
● If a file contains secrets, encrypt before checking into Git.
● Need to edit a secret?
○ Decrypt - Edit - Encrypt
What about Puppet master?
● After “git pull”, decrypt all files.
○ Automate this as part of CI.
● Files are unencrypted “at rest”.
● This does not decrease security:
○ No worse than what we were doing before.
○ If you can break into root or puppet on the master, you’ve already won.
Easy, right?
Decrypt:
gpg -q --decrypt -o secret.crt secret.crt.gpg
Encrypt:
gpg --yes --trust-model=always --encrypt
-o secret.crt.gpg $(<keynames) secret.crt
● ...and don’t make any typos when entering the command
● ...and don't accidentally check in the unencrypted version
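One way to catch the second mistake mechanically is a git pre-commit hook that refuses any commit containing the plaintext twin of an encrypted file. The script below is an added example written for this page, not a script from the Blackbox project. It assumes the secret.crt / secret.crt.gpg naming convention shown above, and adds a second, heuristic check for PEM private-key headers, which is a constructed rule rather than anything the slides describe.

```shell
#!/bin/sh
# Added example (not Blackbox's own code): a git pre-commit hook that blocks
# commits containing the plaintext twin of an encrypted file.
# Install by copying to .git/hooks/pre-commit and making it executable.

# is_plaintext_secret PATH
# Returns 0 (true) when PATH must not be committed in the clear:
#   twin rule    - PATH.gpg exists, so PATH is the decrypted copy
#                  (assumes the secret.crt / secret.crt.gpg convention)
#   content rule - PATH carries a PEM private-key header (constructed heuristic)
is_plaintext_secret() {
  path=$1
  case "$path" in
    *.gpg) return 1 ;;              # ciphertext is what we want in git
  esac
  [ -e "$path.gpg" ] && return 0
  [ -f "$path" ] && grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$path" && return 0
  return 1
}

# check_staged: read one path per line on stdin, report every offender on
# stderr, return 1 if any was found (non-zero from a hook aborts the commit).
check_staged() {
  rc=0
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    if is_plaintext_secret "$f"; then
      printf 'pre-commit: refusing to commit plaintext secret: %s\n' "$f" >&2
      printf '            run the encrypt step and commit %s.gpg instead\n' "$f" >&2
      rc=1
    fi
  done
  return $rc
}

# Hook entry point: only consult git when actually running inside a repo,
# so the functions above can also be sourced and exercised on their own.
if command -v git >/dev/null 2>&1 && git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
  # --diff-filter=ACM: added, copied or modified files staged for this commit
  git diff --cached --name-only --diff-filter=ACM | check_staged
fi
```

The hook only looks at what is staged, so it does not slow down normal edits, and because git runs hooks from the repository root the relative paths from `git diff --name-only` resolve correctly for the twin check.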
Security is 1% technology plus 99% following the procedures correctly.
Any process with more than 1 step probably won't be followed consistently most of the time.
Related reading: "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0", Alma Whitten, USENIX Security 1999
Therefore… we automate
Introducing: Blackbox
Scripts for keeping Puppet secrets in git/hg.
User commands:
Decrypt for editing:
blackbox_edit_start.sh file
Encrypt when done:
blackbox_edit_end.sh file
First time a file is encrypted:
Enroll a file into the system:
blackbox_register_new_file.sh file
Commands that act on all GPG files:
Decrypt all files: (for use on puppet master)
blackbox_postdeploy.sh
Re-encrypt all files: (after new users added)
blackbox_update_all_files.sh
Everyone has their own key
This doesn’t use “symmetric encryption” where there is one passphrase to decrypt/encrypt all files.
We maintain a keyring of:
● Each person that should have access.
● A key for the Puppet master.
Indoctrinate a new user:
1. New user does this:
● Create GPG key.
● Add their username@host to blackbox-admins.txt
● git commit -a
(Currently a doc, not a script. Patches gladly accepted.)
Indoctrinate a new user:
2. Existing admin does this:
$ gpg --import keyrings/live/pubring.gpg
$ blackbox_update_all_files.sh
$ git commit -a
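The two admin steps above (import the new key, then re-encrypt every file) are what blackbox_update_all_files.sh automates, and the "after git pull, decrypt all files" step from the Puppet master slide is the matching job of blackbox_postdeploy.sh. The script below is an added example written for this page, not the project's own implementation, showing one way to do both: re-encrypt each enrolled file to every key on the admin list, and decrypt everything for the master. It assumes the admin list lives at keyrings/live/blackbox-admins.txt (the slides name the file and the keyrings/live directory separately; the combined path is an assumption), that lines starting with # are comments, and that each enrolled secret FOO is stored in git only as FOO.gpg.

```shell
#!/bin/sh
# Added example (not Blackbox's own code): re-encrypt every enrolled secret to
# the current admin list, and decrypt everything for the Puppet master.
# Assumptions (constructed for this example):
#   - recipients are listed one per line, as username@host, in
#     keyrings/live/blackbox-admins.txt; lines starting with # are comments
#   - each enrolled secret FOO exists in git only as FOO.gpg
#   - keyrings/ holds pubring.gpg etc., which are not secrets and are skipped
set -u

# recipient_args ADMINS_FILE: emit one "-r <id>" per admin, ready to splice
# into gpg --encrypt (the role "$(<keynames)" played on the earlier slide).
recipient_args() {
  grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while IFS= read -r id; do printf -- '-r %s\n' "$id"; done
}

# enrolled_files [DIR]: every *.gpg under DIR except the keyring directory.
enrolled_files() {
  find "${1:-.}" -name '*.gpg' -not -path '*/keyrings/*'
}

# reencrypt_one ENC_FILE ADMINS_FILE: decrypt to a private temp file, encrypt
# that plaintext to the full admin list over the old ciphertext, and delete
# the plaintext even if gpg fails half way.
reencrypt_one() {
  enc=$1; admins=$2
  plain=$(mktemp) || return 1            # mktemp creates the file mode 0600
  trap 'rm -f "$plain"' EXIT INT TERM
  gpg -q --batch --yes --decrypt -o "$plain" "$enc" || return 1
  # word splitting of the -r list is intended here
  gpg --batch --yes --trust-model=always --encrypt \
      $(recipient_args "$admins") -o "$enc" "$plain" || return 1
  rm -f "$plain"
  trap - EXIT INT TERM
}

# reencrypt_all ADMINS_FILE [DIR]: the "existing admin" step after a new key
# has been imported; stop at the first failure so no file is left half done.
reencrypt_all() {
  admins=$1; dir=${2:-.}
  enrolled_files "$dir" | while IFS= read -r f; do
    echo "re-encrypting $f"
    reencrypt_one "$f" "$admins" || { echo "FAILED: $f" >&2; exit 1; }
  done
}

# decrypt_all [DIR]: the "after git pull" step on the Puppet master. Writes
# FOO beside FOO.gpg; umask 077 keeps the plaintext readable only by the
# user running the deploy (root or puppet), which is the "unencrypted at
# rest" trade-off the slides accept.
decrypt_all() {
  enrolled_files "${1:-.}" | {
    umask 077
    while IFS= read -r f; do
      gpg -q --batch --yes --decrypt -o "${f%.gpg}" "$f" || { echo "FAILED: $f" >&2; exit 1; }
    done
  }
}

# Usage: sh secrets.sh reencrypt keyrings/live/blackbox-admins.txt [dir]
#        sh secrets.sh decrypt [dir]
if [ $# -gt 0 ]; then
  cmd=$1; shift
  case "$cmd" in
    reencrypt) reencrypt_all "$@" ;;
    decrypt)   decrypt_all "$@" ;;
    *) echo "usage: $0 reencrypt ADMINS_FILE [DIR] | decrypt [DIR]" >&2; exit 2 ;;
  esac
fi
```

Two details matter more than they look: the keyring directory is excluded from the *.gpg walk because pubring.gpg is a public keyring, not a secret, and re-encrypting it would destroy the file every admin imports; and the plaintext produced during re-encryption lives only in a 0600 temp file that the trap removes on any failure, so an aborted run never leaves a decrypted secret in the working tree.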
Demo: Edit a file
Code is open source as of TODAY
● Entirely written in bash.
● MIT License.
● Download it now:
○ https://github.com/StackExchange/blackbox
In the project’s first 9 months:
StackExchange/ServerFault has eliminated plaintext secrets in our Puppet git repo.
● 7 SREs+Devs sharing the repo securely.
● 50+ files now stored encrypted.
○ Mostly SSL certs and SSH private keys.
● 40+ individual passwords/API keys:
○ Everything from SNMP communities, SaaS API keys, and many many passwords.
Future plans
❏ Open source scripts.
❏ More usability enhancements.
❏ Better setup documentation.
Join the open source project
http://github.com/StackExchange/blackbox
Q&A
URLs from this talk:
https://github.com/StackExchange/blackbox
EverythingSysadmin.com
Shameless plug
Pre-order now! Save 35%
Ships in September.
informit.com/TPOSA
Discount code TPOSA35
Read “rough cuts” today:
safaribooksonline.com
Why didn’t we use eyaml?
● Easier transition. No Puppet code changes for big files like SSL certs.
● Faster. Zero run-time performance impact on master.
● eyaml didn’t exist when we started.
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use by Puppet: The BlackBox project (Intermediate) - Thomas A. Limoncelli, Stack Exchange
