
Keybase Auto Unseal - Bas Meijer
HashiTalks 2020, Friday, February 21, 08:00 - 08:30 GMT

Bas Meijer
Software Engineer/DevOps Coach
HUG Amsterdam Co-Organizer
Ansible Ambassador
@bbaassssiiee

Purpose
1. Automate provisioning Vault on Consul cluster
2. Securely store the keys to the Vault kingdom
3. Enable team to unseal automatically

Structure of this presentation
• Vault setup background info
• Start Vault, Initialize, Unseal
• Use the CLI, UI manually
• Automate and/or Secure?
• A Dilemma?
• Open Source Reference Project
Copyright © 2019 HashiCorp

Starting the Vault Server
1. Write a server configuration file
2. Start the server: vault server -config=<config_file_path>
3. Initialize the server (generate the unseal keys & an initial token)
4. Unseal the Vault server
5. Log in
Vault Server Initialization
▪ Initialization is the process of configuring the Vault:
‣ Encryption key gets generated
‣ Unseal keys are created
‣ Initial root token is set up
Seal / Unseal
▪ When a Vault server is started, it starts in sealed mode: it doesn't know how to
decrypt the data
▪ Unsealing is the process of constructing the master key necessary to read the
decryption key to decrypt data
▪ Why?
‣ The data stored by Vault is encrypted with the encryption key
‣ The encryption key is encrypted with the master key
‣ The master key is NOT stored anywhere
Shamir's Secret Sharing
The encryption key is protected by a master key; the master key is split into key shares (the unseal keys).
[Figure: key shares held by individual team members, e.g. Bob, James, Jennifer, Pam, Tom]
A threshold of unseal keys is required to unseal Vault so that
the key to the kingdom won't fall into one person's hands!
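The threshold property this slide relies on, as an added Python example that is not from the slides or from Vault's code base: a k-of-n split over a prime field, with 5 shares and a threshold of 3 as in the init output shown later. The prime modulus, the `seed` parameter (only for reproducible demos) and the helper names are choices made here for illustration; Vault's own shamir package works byte-wise over GF(2^8) and always draws from the OS random source.

```python
"""Shamir's Secret Sharing over a prime field: any `threshold` of `shares`
points reconstruct the secret, fewer reveal nothing about it."""
import random
import secrets
from typing import List, Optional, Tuple

# Field modulus: the Mersenne prime 2**127 - 1 (a constructed choice for this
# illustration; Vault's own shamir package works byte-wise over GF(2**8)).
PRIME = (1 << 127) - 1

Share = Tuple[int, int]  # (x, y): one point on the secret polynomial


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x, modulo PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, shares: int, threshold: int,
                 seed: Optional[int] = None) -> List[Share]:
    """Split `secret` into `shares` points such that any `threshold` of them
    reconstruct it. The secret is the constant term of a random polynomial of
    degree threshold-1, so threshold-1 points leave every secret value equally
    likely. `seed` exists only for reproducible demos; the default is the OS
    CSPRNG, which is what real key material requires."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an int in [0, PRIME)")
    if not 2 <= threshold <= shares:
        raise ValueError("need 2 <= threshold <= shares")
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    coeffs = [secret] + [rng.randrange(PRIME) for _ in range(threshold - 1)]
    # x = 0 would be the secret itself, so shares use x = 1..shares.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(points: List[Share]) -> int:
    """Lagrange interpolation at x = 0. With fewer than `threshold` points this
    still returns a value, just (almost surely) not the secret."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # den has an inverse mod PRIME because PRIME is prime (Python >= 3.8).
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def threshold_demo(secret: int, shares: int = 5, threshold: int = 3,
                   seed: Optional[int] = None) -> dict:
    """Mirror the slide (5 shares, threshold 3) and report which subsets
    recover the secret, so the threshold property is visible."""
    points = split_secret(secret, shares, threshold, seed)
    return {
        "k_shares": combine_shares(points[:threshold]) == secret,
        "k_shares_other_subset": combine_shares(points[-threshold:]) == secret,
        "all_shares": combine_shares(points) == secret,
        "k_minus_1_shares": combine_shares(points[:threshold - 1]) == secret,
    }


if __name__ == "__main__":
    key = int.from_bytes(secrets.token_bytes(15), "big")  # 120 bits, below PRIME
    print(threshold_demo(key))
```

Running it shows the three `k_shares*` entries true and `k_minus_1_shares` false: two points of a degree-2 polynomial fix a line, not the parabola, so the unseal threshold is a mathematical property of the shares, not a policy Vault enforces at unseal time.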
Initialize a Vault Server via CLI

$ vault operator init
Unseal Key 1: oL8fJP4KreJPbZWIgui340j5bNclip9zGVcYIzElsoF1
Unseal Key 2: Ke9VZlGzuVaf4HJB8c9KQR2j8rFTBALV1fD3hjE5pHoY
Unseal Key 3: 4X6Ja/RpMwNabYzklZKxxXVznLQFGgSiVW7Wx8LWOkQn
Unseal Key 4: dhI04g8dIQSXI11BIC6Gtwy/QaJWhVYoFYwKF9UI6axO
Unseal Key 5: IQ2Ls630Sjd/oEQyTmwwpuFEUTiJP4FX2UI3uZMZoa+x
Initial Root Token: s.arHAbYvyeZQH8StLc5OHtbt4
Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys. When the Vault is re-sealed,
restarted, or stopped, you must provide at least 3 of these keys
to unseal it again.
...
Initializing Vault (1 of 2) [screenshot]
Initializing Vault (2 of 2) [screenshot]
Initializing Vault via UI (2 of 2) [screenshot]

Initializing Vault via Ansible (teamshare.yml)

---
- name: initialize Hashicorp Vault
  delegate_to: "{{ groups.vault_instances[0] }}"
  run_once: true
  when: vault_status == '501'
  no_log: true
  environment:
    VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
    VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
  command: |
    vault operator init
    -key-shares={{ key_shares }}
    -key-threshold={{ key_threshold }}
    -format=json
  register: inited
  tags:
    - init
...
Unsealing Vault [screenshot]
Unsealing via CLI (1 of 3)

$ vault operator unseal
Unseal Key (will be hidden):
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3
Unseal Nonce       3c0b2c85-6d22-54e4-87ce-249061dd9d1c
Version            1.1.0
HA Enabled         false

Unsealing via CLI (2 of 3)

$ vault operator unseal
Unseal Key (will be hidden):
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    2/3
Unseal Nonce       3c0b2c85-6d22-54e4-87ce-249061dd9d1c
Version            1.1.0
HA Enabled         false

Unsealing via CLI (3 of 3)

$ vault operator unseal
Unseal Key (will be hidden):
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             false
Total Shares       5
Threshold          3
Version            1.1.0
Cluster Name       vault-cluster-ad3f168d
Cluster ID         9fcbb3bc-6d9b-98f5-3f2e-a0cf1040a260
HA Enabled         false
Automate Unsealing with Ansible

---
# teamshare
- name: 'unseal Hashicorp Vault with teamshare unseal'
  when: vault_status == '503' and not shamir
  environment:
    VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
    VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
  command: "vault operator unseal {{ item }}"
  with_items: "{{ unseal_keys_hex }}"
  no_log: true
  tags:
    - unseal

Ansible Tip: use the action attribute no_log: true to avoid leaking sensitive
information into syslog.
Vault Server Setup Workflow Recap
Initial setup:
1. Write a server configuration file
2. Start the server: vault server -config=<config_file_path>
3. Initialize the server (generate the unseal keys & an initial token)
4. Unseal the Vault server
5. Log in
Only when the Vault server was restarted, or sealed intentionally:
4. Unseal the Vault server
5. Log in
Challenge
The unsealing process requires a threshold of unseal keys:
no single person holds the key to the Vault kingdom!
Unsealing is a manual process and becomes painful when you have
multiple Vault clusters
Auto-Unseal Vault
[Figure: shared keys protect the master key, which protects the encryption key; with auto-unseal a cloud-based key takes the place of the shared keys]
▪ Instead of using shared keys based on
Shamir's Secret Sharing algorithm, use
the trusted cloud-based encryption key
to protect the master key
▪ Supported cloud services today:
‣ AliCloud KMS
‣ AWS KMS
‣ Azure Key Vault
‣ GCP Cloud KMS
▪ Use Transit secrets engine
HSM Support
▪ Vault Enterprise integrates with HSMs to provide three pieces of special functionality:
‣ Master Key Wrapping: Vault protects its master key by transiting it through the
HSM for encryption rather than splitting it into key shares
‣ Auto Unsealing: Vault stores its HSM-wrapped master key in storage, allowing for
automatic unsealing
‣ Seal Wrapping: provides FIPS KeyStorage-conforming functionality for Critical
Security Parameters
Master Key Wrapping and Auto-unseal
▪ Protect encryption key with master key
▪ HSM encryption key protects master key in place of Shamir's Secret Sharing
▪ Communication with HSM via PKCS #11 API to decrypt the master key
[Figure: HSM key protects the master keys, which protect the encrypted keys; Vault talks to the HSM over PKCS#11]

Constraints
1. On-Premise Infrastructure
2. Independent from Cloud platform
3. Redundancy & Flexibility
4. Open Source/Free

Searching the internet...
Integration
[Figure: logos of the open source projects integrated, with their GitHub star counts: 6.4k, 41.7k, 9.8k, 19.5k, 18.5k, 15k]
Toolchain: Vagrant and Packer (dockpack/centos7 image, dev environment), Consul (clustered storage), Vault (secrets management)
Keybase
Keybase is secure messaging and file-sharing.
• Every account has a public history
• Keybase Team Trust
• User-Friendly PGP Encryption
• Encrypted File System KBFS
• Keybase Command Line
Ansible

ansible-galaxy install -r requirements.yml

---
- src: brianshumate.consul
- src: brianshumate.vault
- src: leonallen22.ansible_role_keybase
- src: dockpack.keybase_unseal

• There is a lot of yaml in the galaxy
• Automation after vault operator init
• Automation before vault install
Ansible

ansible-vault AES encrypted config files: transparent use in automation.
Note: Keybase has a safe place for the ansible-vault password file:

ansible-vault encrypt /keybase/team/$KEYBASE_TEAM/vault.json
export ANSIBLE_VAULT_PASSWORD_FILE=/keybase/team/$KEYBASE_TEAM/vault.pass

# This is the path where the encrypted JSON is shared.
vault_credentials: "/keybase/team/{{ keybase_team }}/vault.json"

include_vars: "{{ vault_credentials }}"

Encrypt^2 (kbfs.yml)

---
- name: save Vault credentials as pretty JSON
  delegate_to: localhost
  run_once: true
  become: false
  no_log: true
  when: vault_status == '501'
  copy:
    dest: "{{ vault_credentials }}"
    content: "{{ inited.stdout|from_json|to_nice_json }}"
    mode: '0600'
  register: save_json
  tags:
    - init
- name: encrypt pretty JSON with ansible-vault
  delegate_to: localhost
  run_once: true
  become: false
  no_log: true
  when: vault_status == '501'
  environment:
    # yamllint disable-line rule:line-length
    ANSIBLE_VAULT_PASSWORD_FILE: "{{ lookup('env','ANSIBLE_VAULT_PASSWORD_FILE') }}"
  command: "ansible-vault encrypt {{ vault_credentials }}"
  tags:
    - init
...
Keybase Auto Unseal
1. create accounts
2. create team
3. create sub-team for admins
4. add members
5. create vault.pass on KBFS
6. use role in playbook
github.com/dockpack/keybase_unseal

Keybase: Shamir Secrets Keybase Encrypted

Define these group_vars:
---
shamir: true
keybase_team: dockpack.vault
kbt:
  - basmeijer
  - fbezema
  - ksatirli
  - ferhaty

Each team member sets their environment variable to their own (0-based) position in kbt:
export KBT_INDEX=0   # basmeijer
export KBT_INDEX=1   # fbezema
export KBT_INDEX=2   # ksatirli
export KBT_INDEX=3   # ferhaty

Initialize Vault with Shamir Secrets Keybase Encrypted (shamir.yml)

---
- name: initialize Hashicorp Vault
  delegate_to: "{{ groups.vault_instances[0] }}"
  run_once: true
  when: vault_status == '501'
  no_log: true
  environment:
    VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
    VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
  command: |
    vault operator init
    -key-shares={{ key_shares }}
    -key-threshold={{ key_threshold }}
    -format=json
    -pgp-keys="keybase:{{ kbt[0] }},keybase:{{ kbt[1] }},keybase:{{ kbt[2] }},keybase:{{ kbt[3] }}"
  register: inited
  tags:
    - init
...

Which Encrypted Shamir Unseal Key is mine? (teamshare unseal)

---
# shamir
- name: 'set kbt_index from env: index into the keybase team list kbt'
  when: vault_status == '503' and shamir|bool
  delegate_to: localhost
  run_once: true
  set_fact:
    kbt_index: "{{ lookup('env','KBT_INDEX') }}"
  tags:
    - unseal
    - shamir
...

Unseal with my Encrypted Shamir Unseal Key (shamir unseal)

---
- name: 'decrypt unseal key based on kbt_index'
  when: vault_status == '503' and shamir|bool
  delegate_to: localhost
  become: false
  run_once: true
  no_log: true
  shell: |
    set -o pipefail
    ansible-vault view /keybase/team/{{ keybase_team }}/vault.json \
      | jq -r '.unseal_keys_b64[{{ kbt_index }}]' \
      | base64 --decode \
      | gpg -d
  args:
    # pipefail is a bash option; the shell module defaults to /bin/sh
    executable: /bin/bash
  register: unseal_key
  tags:
    - unseal
    - shamir
- name: 'unseal Hashicorp Vault with tags=unseal'
  when: vault_status == '503' and shamir|bool
  no_log: true
  environment:
    VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
    VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
  command: "vault operator unseal {{ unseal_key.stdout }}"
  tags:
    - unseal
    - shamir
...
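The logic the three shamir tasks above and the KBT_INDEX group_vars rely on, as an added Python example that is not part of the slides or of the dockpack/keybase_unseal role: decide from the health status whether to init or unseal, validate KBT_INDEX against the kbt list, and pick the member's own entry from the JSON that `vault operator init -format=json -pgp-keys=...` wrote to vault.json. The init JSON is a constructed sample with made-up values in the shape of that output; the status-code table is Vault's documented /v1/sys/health behaviour; the function names are choices made here.

```python
"""Select one team member's PGP-encrypted Shamir share from Vault's init JSON."""
import base64
import json
import os
from typing import List, Mapping

KBT = ["basmeijer", "fbezema", "ksatirli", "ferhaty"]  # kbt list from the group_vars slide


def _fake_pgp_blob(member_index: int) -> bytes:
    """Constructed stand-in for a PGP message: 0x85 is an old-format OpenPGP
    packet header (tag 1, public-key-encrypted session key); the rest is filler."""
    return b"\x85\x01\x0c" + bytes([member_index]) * 12


# Constructed sample in the shape of `vault operator init -format=json` output
# when -pgp-keys was used: entry i of unseal_keys_b64 is encrypted to kbt[i].
SAMPLE_INIT_JSON = json.dumps({
    "unseal_keys_b64": [base64.b64encode(_fake_pgp_blob(i)).decode() for i in range(len(KBT))],
    "unseal_keys_hex": [_fake_pgp_blob(i).hex() for i in range(len(KBT))],
    "unseal_shares": len(KBT),
    "unseal_threshold": 2,
    "root_token": "s.PLACEHOLDER-NOT-A-REAL-TOKEN",
})


def action_for_status(vault_status) -> str:
    """Map the /v1/sys/health HTTP status the playbooks test (vault_status) to
    an action: 501 = not initialized, 503 = sealed, 200 = unsealed and active,
    429 = unsealed standby. Anything else is not a state we know how to handle."""
    table = {"501": "init", "503": "unseal", "200": "none", "429": "none"}
    try:
        return table[str(vault_status)]
    except KeyError:
        raise ValueError(f"unexpected Vault health status {vault_status!r}") from None


def kbt_index_from_env(kbt: List[str], env: Mapping[str, str] = os.environ) -> int:
    """The set_fact task copies KBT_INDEX verbatim; validating it here fails
    early instead of handing jq an empty or out-of-range index."""
    raw = env.get("KBT_INDEX")
    if raw is None or not raw.strip().isdigit():
        raise ValueError("KBT_INDEX must be set to your 0-based position in kbt")
    idx = int(raw)
    if idx >= len(kbt):
        raise ValueError(f"KBT_INDEX {idx} is outside kbt (0..{len(kbt) - 1})")
    return idx


def shares_needed(init_json: str) -> int:
    """How many decrypted shares the cluster needs before it reports Sealed false."""
    return int(json.loads(init_json)["unseal_threshold"])


def select_my_share(init_json: str, kbt_index: int) -> bytes:
    """unseal_keys_b64[kbt_index], base64-decoded: the bytes the playbook pipes
    into `gpg -d`. Only the holder of that member's PGP key can go further."""
    keys = json.loads(init_json)["unseal_keys_b64"]
    if kbt_index >= len(keys):
        raise IndexError(f"only {len(keys)} unseal keys in init output")
    return base64.b64decode(keys[kbt_index], validate=True)


def looks_like_pgp_message(blob: bytes) -> bool:
    """Cheap guard before calling gpg: every OpenPGP packet header sets bit 7 of
    its first byte (RFC 4880 section 4.2). A plaintext share from an init run
    without -pgp-keys (the 44-character base64 strings on the CLI slide decode
    to 33 raw bytes) passes this only by chance, so treat a failure as a sign
    that the JSON holds unencrypted shares, not a pass as proof of encryption."""
    return len(blob) > 0 and bool(blob[0] & 0x80)


if __name__ == "__main__":
    env = {"KBT_INDEX": "1"}  # simulated environment of team member kbt[1]
    idx = kbt_index_from_env(KBT, env)
    blob = select_my_share(SAMPLE_INIT_JSON, idx)
    print(action_for_status("503"), KBT[idx], shares_needed(SAMPLE_INIT_JSON),
          looks_like_pgp_message(blob))
```

Run per member as the playbook does, each member decrypts only their own share, so the threshold in the init JSON is also the number of members who must run the unseal play before `vault operator unseal` reports Sealed false.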
Topics: Vault, Consul, Shamir, Keybase, PGP, KBFS, Unseal Key, Ansible, Packer, Vagrant, Cloud, HSM,
AWS KMS, Azure Key Vault, Ansible Vault, Keybase Teams Blockchain, IAM, Playbook, Role, Root Token,
Unsealing, Secure?, Encryption

Links:
github.com/dockpack/vault_dojo
vimeo.com/391099245
learn.hashicorp.com
https://github.com/dockpack/keybase_unseal/wiki
Demo

DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 

Kürzlich hochgeladen (20)

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 

Keybase Vault Auto-Unseal HashiTalks2020

  • 1. Bas Meijer, Software Engineer/DevOps Coach, HUG Amsterdam Co-Organizer, Ansible Ambassador, @bbaassssiiee. HashiTalks 2020, Friday, February 21, 08:00 - 08:30 GMT
  • 2.  @bbaassssiiee Keybase Auto Unseal - Bas Meijer HashiTalks 2020
  • 3. Purpose
    1. Automate provisioning Vault on a Consul cluster
    2. Securely store the keys to the Vault kingdom
    3. Enable the team to unseal automatically
  • 4. Structure of this presentation
    • Vault setup background info
    • Start Vault, Initialize, Unseal
    • Use the CLI, UI manually
    • Automate and/or Secure?
    • A Dilemma?
    • Open Source Reference Project
  • 5. Copyright © 2019 HashiCorp. Starting the Vault Server
    1. Write a server configuration file
    2. Start the server: vault server -config=<config_file_path>
    3. Initialize the server (generate the unseal keys & an initial token)
    4. Unseal the Vault server
    5. Log in
  • 6. Vault Server Initialization
    ▪ Initialization is the process of configuring the Vault:
      ‣ Encryption key gets generated
      ‣ Unseal keys are created
      ‣ Initial root token is set up
  • 7. Seal / Unseal
    ▪ When a Vault server is started, it starts in sealed mode: it doesn't know how to decrypt the data
    ▪ Unsealing is the process of constructing the master key necessary to read the decryption key that decrypts the data
    ▪ Why?
      ‣ The data stored by Vault is encrypted with the encryption key
      ‣ The encryption key is encrypted with the master key
      ‣ The master key is NOT stored anywhere; after unsealing it exists only in the server's memory
  • 8. Shamir's Secret Sharing
    [Diagram: the encryption key is protected by a master key; the master key is split into key shares (unseal keys) handed to team members Bob, James, Jennifer, Pam, Tom, Stephan, Kitty, Rudolf, Lars and Marjan.]
    A threshold of unseal keys is required to unseal Vault, so that the key to the kingdom won't fall into one person's hands!
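Slide 8 states the threshold property in words. The following is an added example (mine, not code from the talk, the dockpack roles or HashiCorp Vault) that implements the scheme over GF(2^8), the same field Vault's shamir package works in, so the "5 keys, threshold 3" numbers from slide 9 can be tried on a random 32-byte stand-in for the master key. Byte-wise splitting and the x-coordinate stored as the trailing byte of each share follow the layout idea of Vault's package; the table-free field arithmetic and the function names are my own.

```python
"""Toy Shamir secret sharing over GF(2^8), the field Vault's shamir package also uses.

Added example, not from the talk or from Vault. Shows why any `threshold`
shares rebuild the master key while fewer shares reveal nothing about it.
"""
from __future__ import annotations

import secrets

# Reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11B), as in AES and in Vault's shamir package.
_POLY = 0x11B


def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements (0..255) in GF(2^8), bit by bit with reduction."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:
            a ^= _POLY
        b >>= 1
    return product


def gf_inv(a: int) -> int:
    """Multiplicative inverse a^254 (Fermat, since the group has order 255); 0 has none."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... at x, in the field."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def split(secret: bytes, shares: int, threshold: int) -> list[bytes]:
    """Split `secret` into `shares` shares, any `threshold` of which rebuild it.

    Every byte of the secret is the constant term of its own random polynomial
    of degree threshold-1; share i holds each polynomial evaluated at x = i+1.
    The x coordinate rides along as the trailing byte of the share.
    """
    if not 2 <= threshold <= shares <= 255:
        raise ValueError("need 2 <= threshold <= shares <= 255")
    xs = list(range(1, shares + 1))  # x = 0 would hand out the secret itself
    out = [bytearray() for _ in xs]
    for byte in secret:
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for i, x in enumerate(xs):
            out[i].append(_eval_poly(coeffs, x))
    return [bytes(o) + bytes([x]) for o, x in zip(out, xs)]


def combine(shares: list[bytes]) -> bytes:
    """Lagrange-interpolate every byte polynomial at x = 0 to recover the secret.

    Below the threshold this still returns a value, but one unrelated to the
    secret: that is the property the unseal ceremony relies on.
    """
    xs = [s[-1] for s in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    if len({len(s) for s in shares}) != 1:
        raise ValueError("shares differ in length")
    secret = bytearray()
    for k in range(len(shares[0]) - 1):
        acc = 0
        for i, xi in enumerate(xs):
            num = den = 1
            for j, xj in enumerate(xs):
                if i != j:
                    num = gf_mul(num, xj)       # product of x_j
                    den = gf_mul(den, xj ^ xi)  # product of (x_j - x_i); subtraction is XOR here
            acc ^= gf_mul(shares[i][k], gf_mul(num, gf_inv(den)))
        secret.append(acc)
    return bytes(secret)


def demo(key_shares: int = 5, key_threshold: int = 3) -> tuple[bool, bool]:
    """Mirror `vault operator init -key-shares=5 -key-threshold=3` on a random 32-byte key.

    Returns (threshold shares recover the key, threshold-1 shares recover the key).
    """
    master_key = secrets.token_bytes(32)
    unseal_keys = split(master_key, key_shares, key_threshold)
    enough = combine([unseal_keys[4], unseal_keys[1], unseal_keys[2]]) == master_key
    too_few = combine(unseal_keys[:key_threshold - 1]) == master_key
    return enough, too_few


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two shares of a 3-of-5 split fix a line, and the true polynomial is a parabola; the line's value at x = 0 matches the secret byte only when the random x^2 coefficient happens to be zero, so two colluding key holders learn nothing usable. That is why the deck can hand one share to each team member and still call the scheme safe.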
  • 9. Initialize a Vault Server via CLI (sample terminal output from the HashiCorp training slide)
    $ vault operator init
    Unseal Key 1: oL8fJP4KreJPbZWIgui340j5bNclip9zGVcYIzElsoF1
    Unseal Key 2: Ke9VZlGzuVaf4HJB8c9KQR2j8rFTBALV1fD3hjE5pHoY
    Unseal Key 3: 4X6Ja/RpMwNabYzklZKxxXVznLQFGgSiVW7Wx8LWOkQn
    Unseal Key 4: dhI04g8dIQSXI11BIC6Gtwy/QaJWhVYoFYwKF9UI6axO
    Unseal Key 5: IQ2Ls630Sjd/oEQyTmwwpuFEUTiJP4FX2UI3uZMZoa+x
    Initial Root Token: s.arHAbYvyeZQH8StLc5OHtbt4

    Vault initialized with 5 keys and a key threshold of 3. Please securely
    distribute the above keys. When the Vault is re-sealed, restarted, or
    stopped, you must provide at least 3 of these keys to unseal it again.
    ...
    Without -pgp-keys (see slide 37) the shares and the root token are printed in plaintext to whoever runs the command, so they end up in terminal scrollback and any session log unless handled deliberately.
  • 10. Initializing Vault (1 of 2) [UI screenshot]
  • 11. Initializing Vault (2 of 2) [UI screenshot]
  • 12. Initializing Vault via UI (2 of 2) [UI screenshot]
  • 13. Initializing Vault via Ansible (teamshare.yml)
    ---
    # vault_status holds the HTTP status of /v1/sys/health: 501 = not initialized, 503 = sealed
    - name: initialize Hashicorp Vault
      delegate_to: "{{ groups.vault_instances[0] }}"
      run_once: true
      when: vault_status == '501'
      no_log: true
      environment:
        VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
        VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
      command: |
        vault operator init -key-shares={{ key_shares }} -key-threshold={{ key_threshold }} -format=json
      register: inited
      tags:
        - init
    ...
  • 15. Unsealing Vault [UI screenshot]
  • 16. Unsealing via CLI (1 of 3)
    $ vault operator unseal
    Unseal Key (will be hidden):
    Key                Value
    ---                -----
    Seal Type          shamir
    Initialized        true
    Sealed             true
    Total Shares       5
    Threshold          3
    Unseal Progress    1/3
    Unseal Nonce       3c0b2c85-6d22-54e4-87ce-249061dd9d1c
    Version            1.1.0
    HA Enabled         false
  • 17. Unsealing via CLI (2 of 3): the second key raises Unseal Progress to 2/3 under the same Unseal Nonce 3c0b2c85-6d22-54e4-87ce-249061dd9d1c; all other fields are unchanged. The nonce identifies one unseal attempt; vault operator unseal -reset discards the progress collected so far if a wrong key was entered.
  • 18. Unsealing via CLI (3 of 3)
    $ vault operator unseal
    Unseal Key (will be hidden):
    Key                Value
    ---                -----
    Seal Type          shamir
    Initialized        true
    Sealed             false
    Total Shares       5
    Threshold          3
    Version            1.1.0
    Cluster Name       vault-cluster-ad3f168d
    Cluster ID         9fcbb3bc-6d9b-98f5-3f2e-a0cf1040a260
    HA Enabled         false
  • 19. Automate Unsealing with Ansible
    ---
    # teamshare
    - name: 'unseal Hashicorp Vault with teamshare unseal'
      when: vault_status == '503' and not shamir   # 503 from /v1/sys/health means sealed
      environment:
        VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
        VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
      command: "vault operator unseal {{ item }}"
      with_items: "{{ unseal_keys_hex }}"
      no_log: true
      tags:
        - unseal
    Ansible Tip: use the no_log: true task attribute to avoid leaking sensitive information into syslog.
    Caveat: no_log keeps the key out of Ansible's own logs, but "vault operator unseal {{ item }}" still hands it over as a command-line argument, so it is readable from the process list on the Vault host while that process runs. In this teamshare mode the controller also loops over all threshold keys at once, so whoever runs the playbook effectively holds the whole master key; the Shamir/Keybase variant on slides 36-39 gives each member only their own share.
  • 21. Vault Server Setup Workflow Recap
    Initial setup only:
      1. Write a server configuration file
      2. Start the server: vault server -config=<config_file_path>
      3. Initialize the server (generate the unseal keys & an initial token)
    Only when the Vault server was restarted, or sealed intentionally:
      4. Unseal the Vault server
    5. Log in
  • 22. Challenge
    The unsealing process requires a threshold of unseal keys: no single person holds the key to the Vault kingdom!
    Unsealing is a manual process and becomes painful when you have multiple Vault clusters.
  • 23. Copyright © 2017 HashiCorp. Auto-Unseal
    [Diagram: on the left, Shamir shared keys protect the master key, which protects the encryption key; on the right, a cloud-based key takes the place of the shared keys.]
    ▪ Instead of using shared keys based on Shamir's Secret Sharing algorithm, use a trusted cloud-based encryption key to protect the master key
    ▪ Supported cloud services today:
      ‣ AliCloud KMS
      ‣ AWS KMS
      ‣ Azure Key Vault
      ‣ GCP Cloud KMS
    ▪ Or use the Transit secrets engine of another Vault cluster as the seal (transit auto-unseal)
  • 24. HSM Support
    ▪ Vault Enterprise integrates with HSMs to provide three pieces of special functionality:
      ‣ Master Key Wrapping: Vault protects its master key by transiting it through the HSM for encryption rather than splitting it into key shares
      ‣ Auto Unsealing: Vault stores its HSM-wrapped master key in storage, allowing for automatic unsealing
      ‣ Seal Wrapping: provides FIPS KeyStorage-conforming functionality for Critical Security Parameters
  • 25. Master Key Wrapping and Auto-unseal
    ▪ Protect the encryption key with the master key
    ▪ The HSM encryption key protects the master key in place of Shamir's Secret Sharing
    ▪ Communication with the HSM goes through the PKCS#11 API to decrypt the master key
    [Diagram: HSM key wraps the master keys, which protect the encrypted keys; the link to the HSM is PKCS#11.]
  • 26. Constraints
    1. On-premise infrastructure
    2. Independent from cloud platform
    3. Redundancy & flexibility
    4. Open source/free
  • 28. Integration [Slide shows the logos of the integrated open-source projects with their GitHub star counts: ★ 6.4k, ★ 41.7k, ★ 9.8k, ★ 19.5k, ★ 18.5k, ★ 15k]
  • 29. [Architecture diagram] Vagrant: dev environment; Packer: dockpack/centos7 image; Consul: clustered storage; Vault: secrets management.
  • 30. Keybase is secure messaging and file-sharing.
    • Every account has a public history
    • Keybase Team Trust
    • User-friendly PGP encryption
    • Encrypted file system KBFS
    • Keybase command line
  • 31. Ansible
    ansible-galaxy install -r requirements.yml
    ---
    - src: brianshumate.consul
    - src: brianshumate.vault
    - src: leonallen22.ansible_role_keybase
    - src: dockpack.keybase_unseal
    • There is a lot of yaml in the galaxy
    • Automation after vault operator init
    • Automation before vault install
  • 32. Ansible: ansible-vault AES-encrypted config files, transparent use in automation
    Note: Keybase has a safe place for the ansible-vault password file:
      export ANSIBLE_VAULT_PASSWORD_FILE=/keybase/team/$KEYBASE_TEAM/vault.pass
      ansible-vault encrypt /keybase/team/$KEYBASE_TEAM/vault.json
    # This is the path where the encrypted JSON is shared.
    vault_credentials: "/keybase/team/{{ keybase_team }}/vault.json"
    include_vars: "{{ vault_credentials }}"
    Both the encrypted JSON and the password that unlocks it live on the team's KBFS share, so membership of the Keybase team is what ultimately gates access to the unseal material.
  • 33. Encrypt^2 (kbfs.yml)
    ---
    - name: save Vault credentials as pretty JSON
      delegate_to: localhost
      run_once: true
      become: false
      no_log: true
      when: vault_status == '501'
      copy:
        dest: "{{ vault_credentials }}"
        content: "{{ inited.stdout|from_json|to_nice_json }}"
        mode: 0600
      register: save_json
      tags:
        - init

    - name: encrypt pretty JSON with ansible-vault
      delegate_to: localhost
      run_once: true
      become: false
      no_log: true
      when: vault_status == '501'
      environment:
        # yamllint disable-line rule:line-length
        ANSIBLE_VAULT_PASSWORD_FILE: "{{ lookup('env','ANSIBLE_VAULT_PASSWORD_FILE') }}"
      command: "ansible-vault encrypt {{ vault_credentials }}"
      tags:
        - init
    ...
    The init JSON saved here also contains root_token, so the file stores the initial root token next to the unseal shares. Revoke that token once policies and auth methods are in place (vault token revoke <token>); a fresh one can be produced with vault operator generate-root when it is really needed.
  • 34. Keybase Auto Unseal
    1. create accounts
    2. create team
    3. create sub-team for admins
    4. add members
    5. create vault.pass on KBFS
    6. use role in playbook
    github.com/dockpack/keybase_unseal
  • 36. Shamir Secrets Keybase Encrypted. Define these group_vars:
    ---
    shamir: true
    keybase_team: dockpack.vault
    kbt:
      - basmeijer
      - fbezema
      - ksatirli
      - ferhaty
    Each team member sets their environment variable to their position in the kbt list:
      export KBT_INDEX=0   # basmeijer
      export KBT_INDEX=1   # fbezema
      export KBT_INDEX=2   # ksatirli
      export KBT_INDEX=3   # ferhaty
  • 37. Initialize Vault with Shamir Secrets Keybase Encrypted (shamir.yml)
    ---
    - name: initialize Hashicorp Vault
      delegate_to: "{{ groups.vault_instances[0] }}"
      run_once: true
      when: vault_status == '501'
      no_log: true
      environment:
        VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
        VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
      # Vault requires the number of -pgp-keys entries to equal -key-shares, so key_shares must be 4 here;
      # share i is encrypted to the i-th key, which is what KBT_INDEX relies on.
      command: |
        vault operator init -key-shares={{ key_shares }} -key-threshold={{ key_threshold }} -format=json -pgp-keys="keybase:{{ kbt[0] }},keybase:{{ kbt[1] }},keybase:{{ kbt[2] }},keybase:{{ kbt[3] }}"
      register: inited
      tags:
        - init
    ...
    Vault fetches the public keys from Keybase and encrypts each share to one member, so the JSON that gets written to KBFS on slide 33 no longer holds plaintext shares. The root token is still plaintext in that output; vault operator init also accepts -root-token-pgp-key=keybase:<user> to encrypt it to one member.
  • 38. Which Encrypted Shamir Unseal Key is mine? (teamshare unseal)
    ---
    # shamir
    - name: 'set kbt_index from env: rank in the array of the keybase team list kbt'
      when: vault_status == '503' and shamir|bool
      delegate_to: localhost
      run_once: true
      set_fact:
        kbt_index: "{{ lookup('env','KBT_INDEX') }}"
      tags:
        - unseal
        - shamir
    ...
  • 39. Unseal with my Encrypted Shamir Unseal Key (shamir unseal)
    ---
    - name: 'decrypt unseal key based on kbt_index'
      when: vault_status == '503' and shamir|bool
      delegate_to: localhost
      become: false
      run_once: true
      no_log: true
      # set -o pipefail needs bash; add args: executable: /bin/bash where /bin/sh is dash.
      # The member's PGP private key must be in the local GnuPG keyring for gpg -d to succeed.
      shell: |
        set -o pipefail ; ansible-vault view /keybase/team/{{ keybase_team }}/vault.json | jq -r '.unseal_keys_b64[{{ kbt_index }}]' | base64 --decode | gpg -d
      register: unseal_key
      tags:
        - unseal
        - shamir

    - name: 'unseal Hashicorp Vault with tags=unseal'
      when: vault_status == '503' and shamir|bool
      no_log: true
      environment:
        VAULT_ADDR: "https://{{ groups.vault_instances[0] }}:{{ vault_port }}"
        VAULT_CACERT: "{{ vault_tls_config_path }}/{{ vault_tls_ca_file }}"
      command: "vault operator unseal {{ unseal_key.stdout }}"
      tags:
        - unseal
        - shamir
    ...
    Each member runs this with their own KBT_INDEX, so the controller only ever sees one decrypted share per run; the threshold is reached when enough members have run it against the same unseal nonce. As on slide 19, the decrypted share is passed as a command-line argument to vault operator unseal, so it is briefly visible in the process list of the Vault host.
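The role on slides 36-39 picks a member's share by position (KBT_INDEX). The following is an added example (mine, not code from the talk, from dockpack/keybase_unseal or from Vault) of a cross-check a member can run before piping anything into gpg -d: Vault writes each -pgp-keys share as a binary OpenPGP message whose first packet (a Public-Key Encrypted Session Key packet) names the recipient's long key ID, so the share at a given index can be verified to have been encrypted to the member's own (sub)key, the one gpg --list-packets reports for the decoded blob. The init JSON in the block is constructed: its two "shares" are hand-built PKESK packets with fake key IDs, the fields unseal_keys_b64 and unseal_keys_hex are the ones the role's jq filter and slide 19 use, root_token is as printed by vault operator init, and the remaining fields are assumptions.

```python
"""Which base64 share in `vault operator init -pgp-keys=... -format=json` output is mine?

Added example, not from the talk or from dockpack/keybase_unseal. Reads the
recipient key ID out of the OpenPGP PKESK packet Vault wrote for each share and
checks it against the positional KBT_INDEX. The sample init JSON is constructed.
"""
from __future__ import annotations

import base64

PKESK_TAG = 1  # RFC 4880 5.1: Public-Key Encrypted Session Key, first packet of a PGP message


def parse_packet_header(buf: bytes, offset: int = 0) -> tuple[int, int, int]:
    """Return (tag, body_offset, body_length) of the OpenPGP packet starting at `offset`.

    Handles old-format (RFC 2440) and new-format (RFC 4880) headers; partial
    body lengths and indeterminate old-format lengths are rejected.
    """
    first = buf[offset]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 clear)")
    if first & 0x40:  # new-format header
        tag = first & 0x3F
        l1 = buf[offset + 1]
        if l1 < 192:
            return tag, offset + 2, l1
        if l1 < 224:
            return tag, offset + 3, ((l1 - 192) << 8) + buf[offset + 2] + 192
        if l1 == 255:
            return tag, offset + 6, int.from_bytes(buf[offset + 2:offset + 6], "big")
        raise ValueError("partial body lengths not supported")
    tag = (first >> 2) & 0x0F  # old-format header
    length_type = first & 0x03
    if length_type == 3:
        raise ValueError("indeterminate length not supported")
    width = 1 << length_type  # 1, 2 or 4 length bytes
    length = int.from_bytes(buf[offset + 1:offset + 1 + width], "big")
    return tag, offset + 1 + width, length


def recipient_key_id(message: bytes) -> str:
    """Long (64-bit) key ID named by the message's first PKESK packet, upper-case hex."""
    tag, start, length = parse_packet_header(message)
    if tag != PKESK_TAG:
        raise ValueError(f"expected PKESK (tag 1), got tag {tag}")
    body = message[start:start + length]
    if len(body) < 10 or body[0] != 3:
        raise ValueError("unsupported PKESK version")
    return body[1:9].hex().upper()


def find_my_share(init_output: dict, my_key_id: str) -> tuple[int, bytes]:
    """Return (index, raw PGP message) of the share encrypted to `my_key_id`.

    Also checks that unseal_keys_hex and unseal_keys_b64 agree, so a tampered
    or hand-edited vault.json is noticed before anything reaches gpg.
    """
    want = my_key_id.upper().replace(" ", "")
    for index, b64 in enumerate(init_output["unseal_keys_b64"]):
        raw = base64.b64decode(b64)
        if init_output["unseal_keys_hex"][index].lower() != raw.hex():
            raise ValueError(f"share {index}: hex and base64 encodings disagree")
        if recipient_key_id(raw) == want:
            return index, raw
    raise LookupError("no share is encrypted to this key")


def index_matches(init_output: dict, kbt_index: int, my_key_id: str) -> bool:
    """True when the share at KBT_INDEX really is the one encrypted to my key."""
    return find_my_share(init_output, my_key_id)[0] == kbt_index


def fake_pkesk(key_id: bytes, new_format: bool) -> bytes:
    """Constructed test data: a syntactically valid PKESK packet plus a dummy SEIPD packet."""
    body = b"\x03" + key_id + b"\x01" + b"\x00\x10" + b"\xab\xcd"  # v3, key ID, RSA, 16-bit MPI
    if new_format:
        header = bytes([0xC0 | PKESK_TAG, len(body)])
    else:
        header = bytes([0x80 | (PKESK_TAG << 2) | 0x01]) + len(body).to_bytes(2, "big")
    trailer = bytes([0xC0 | 18, 4]) + b"\x01\x02\x03\x04"  # tag 18 = SEIPD, dummy content
    return header + body + trailer


# Constructed stand-in for `vault operator init ... -format=json` output with two PGP recipients.
KEY_ID_ALICE = "0123456789ABCDEF"
KEY_ID_BOB = "FEDCBA9876543210"
SAMPLE_SHARES = [
    fake_pkesk(bytes.fromhex(KEY_ID_ALICE), new_format=False),
    fake_pkesk(bytes.fromhex(KEY_ID_BOB), new_format=True),
]
SAMPLE_INIT = {
    "unseal_keys_b64": [base64.b64encode(s).decode() for s in SAMPLE_SHARES],
    "unseal_keys_hex": [s.hex() for s in SAMPLE_SHARES],
    "unseal_shares": 2,       # assumed field name
    "unseal_threshold": 2,    # assumed field name
    "root_token": "s.example",
}

if __name__ == "__main__":
    index, raw = find_my_share(SAMPLE_INIT, KEY_ID_BOB)
    print(index, index_matches(SAMPLE_INIT, 1, KEY_ID_BOB))  # 1 True
```

The bytes that find_my_share returns are exactly what the role pipes into gpg -d; decryption itself needs the member's private key and is not attempted here. Which key ID appears depends on the encryption (sub)key Vault's OpenPGP library chose for the recipient, so compare against the ID gpg --list-packets prints for a real share rather than against the primary key fingerprint.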
  • 40. [Closing word cloud: Vault, Consul, Shamir, Keybase, PGP, KBFS, Unseal Key, Ansible, Packer, Vagrant, Cloud HSM, AWS KMS, Azure Key Vault, Ansible Vault, Keybase Teams, Blockchain, IAM, Playbook, Role, Root Token, Unsealing, Secure?, Encryption]
    Links: github.com/dockpack/vault_dojo, vimeo.com/391099245, learn.hashicorp.com, https://github.com/dockpack/keybase_unseal/wiki