Hashicorp Vault: Open Source Secrets Management at #OPEN18
- 2. WHAT IS A SECRET?
Security-sensitive information
Personally-identifiable information (PII)
DB User/Pass, AWS IAM Credentials, SSL Keys, Encryption Keys
Anything that would make the news
- 3. HOW DO I DISTRIBUTE SECRETS?
How do applications get secrets?
How do operators get secrets?
How do secrets get updated?
How do secrets get revoked?
- 4. VAULT GOALS
Single source for Secrets
Programmatic Application Access (Automated)
Operator Access (Manual)
Practical Security
Modern Data Center Friendly
- 5. VAULT FEATURES
Secure Secret Storage (in-memory, Consul, file, and more)
Dynamic Secrets
Leasing, Renewal, and Revocation
Auditing
Rich ACLs
Multiple Client Authentication Methods
- 10. secure master vault status
Sealed: true
Key Shares: 10
Key Threshold: 7
Unseal Progress: 6
High-Availability Enabled: false
- 12. secure master vault unseal
Key (will be hidden):
Sealed: false
Key Shares: 10
Key Threshold: 7
Unseal Progress: 0
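The unseal sequence on slides 10 and 12 is Shamir secret sharing in action: the master key was split into 10 shares with a threshold of 7, so six submitted shares leave the vault sealed and the seventh reconstructs the key. The following Python is an added worked example of that mechanism, not Vault's own code and not something shown in the talk. It assumes a prime field in place of Vault's byte-wise GF(2^8) split, and the names `Seal`, `split_secret`, `combine_shares` and `demo` are illustrative.

```python
import secrets

# Field modulus: the Mersenne prime 2**127 - 1. Vault itself shares the
# master key byte-wise over GF(2**8); a prime field is used here only to keep
# the arithmetic short (illustration assumption; the k-of-n property is the same).
P = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... + coeffs[k-1]*x^(k-1) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, shares=10, threshold=7):
    """Split `secret` into `shares` points on a random polynomial of degree
    threshold-1 whose constant term is the secret (Shamir). Any `threshold`
    points recover it; `threshold - 1` points reveal nothing about it."""
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the share count")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(points):
    """Lagrange interpolation at x = 0. Yields the secret only when at least
    `threshold` distinct points are supplied; with fewer it yields a field
    element unrelated to the secret (no error, just a wrong key)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


class Seal:
    """Models the counters printed by `vault status` / `vault unseal` on the
    slides: shares are submitted one at a time, Unseal Progress counts the
    distinct shares held, and once it reaches Key Threshold the master key is
    reconstructed, progress resets to 0 and Sealed flips to false."""

    def __init__(self, key_shares=10, key_threshold=7):
        self.key_shares = key_shares
        self.key_threshold = key_threshold
        self._pending = {}        # x -> y for distinct shares submitted so far
        self.sealed = True
        self.master_key = None

    def status(self):
        return {"Sealed": self.sealed, "Key Shares": self.key_shares,
                "Key Threshold": self.key_threshold,
                "Unseal Progress": len(self._pending)}

    def unseal(self, share):
        x, y = share
        if self.sealed:
            self._pending[x] = y  # re-submitting the same share adds no progress
            if len(self._pending) >= self.key_threshold:
                self.master_key = combine_shares(list(self._pending.items()))
                self._pending.clear()
                self.sealed = False
        return self.status()


def demo():
    """Replay slides 10 and 12: six shares leave the vault sealed, the seventh unseals it."""
    master = secrets.randbelow(P)
    shares = split_secret(master, shares=10, threshold=7)
    seal = Seal(key_shares=10, key_threshold=7)
    for s in shares[:6]:
        seal.unseal(s)
    after_six = seal.status()                 # Sealed: True, Unseal Progress: 6
    wrong_guess = combine_shares(shares[:6])  # six points interpolate to garbage
    after_seven = seal.unseal(shares[6])      # Sealed: False, Unseal Progress: 0
    return master, after_six, wrong_guess, after_seven, seal.master_key


if __name__ == "__main__":
    master, six, guess, seven, recovered = demo()
    print(six, seven, recovered == master, guess == master)
```

Running `demo()` reproduces the two status outputs from the slides. The caveat the arithmetic makes visible: `combine_shares` on six points still returns a plausible-looking field element, so a holder of fewer than seven shares learns nothing, but equally there is no built-in integrity check, and a wrong or corrupted share yields a wrong key rather than an error. A real implementation therefore has to verify the reconstructed key by using it (Vault does this by attempting to decrypt its barrier keyring) instead of trusting interpolation alone.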
- 13. DYNAMIC SECRETS
Never provide “root” credentials to clients
Provide limited access credentials based on role
Generated on demand when requested
Leases are enforceable via revocation
Audit trail can identify point of compromise
- 15. secure master vault help postgresql
## DESCRIPTION
The PostgreSQL backend dynamically generates database users.
After mounting this backend, configure it using the endpoints within
the "config/" path.
## PATHS
The following paths are supported by this backend. To view help for
any of the paths below, use the help command with any route matching
the path pattern. Note that depending on the policy of your auth token,
- 21. LEASING, RENEWAL, AND REVOCATION
Every Secret has a Lease*
Secrets are revoked at the end of the lease unless renewed
Secrets may be revoked early by operators
“Break Glass” procedure
Dynamic Secrets make leases enforceable
* Not possible for arbitrary secrets: a static value the client already holds cannot be recalled
* Not possible for transit backend
- 23. RICH ACLS
Role Based Policies
Restrict access to “need to know”
Default Deny, must be explicitly allowed
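The RICH ACLS slide lists the properties; the following Python is an added illustration of how default deny and most-specific-path matching combine. It is not Vault's policy engine and not from the talk. It assumes policies written as dicts of path to capability set instead of HCL, and models three rules of Vault's matching: an exact path beats a glob, the longest `*`-glob prefix wins among globs, and `deny` overrides any grant. The sample policies `WEB_APP` and `OPERATORS` are constructed for the example.

```python
def merge_policies(policies):
    """Union the capabilities every attached policy grants per path;
    `deny` anywhere on a path makes that path deny-only (deny wins)."""
    merged = {}
    for rules in policies:
        for path, caps in rules.items():
            caps = set(caps)
            current = merged.setdefault(path, set())
            if "deny" in caps or "deny" in current:
                merged[path] = {"deny"}
            else:
                current |= caps
    return merged


def matching_rule(merged, request_path):
    """Exact path first; otherwise the longest matching `*`-glob prefix; else None."""
    if request_path in merged:
        return request_path
    best = None
    for path in merged:
        if path.endswith("*") and request_path.startswith(path[:-1]):
            if best is None or len(path) > len(best):
                best = path
    return best


def is_allowed(policies, request_path, capability):
    """Default deny: True only when the single most specific matching rule
    explicitly grants `capability`. Broader globs do not add capabilities."""
    merged = merge_policies(policies)
    rule = matching_rule(merged, request_path)
    if rule is None:
        return False
    caps = merged[rule]
    return "deny" not in caps and capability in caps


# Constructed sample policies in the spirit of "need to know".
WEB_APP = {
    "secret/web/*": {"read"},           # the app may read its own secrets ...
    "secret/web/admin/*": {"deny"},     # ... but never the admin subtree
    "database/creds/web-ro": {"read"},  # and may fetch a read-only dynamic DB credential
}
OPERATORS = {
    "secret/*": {"create", "read", "update", "delete", "list"},
    "sys/policy/*": {"read", "list"},
}

if __name__ == "__main__":
    print(is_allowed([WEB_APP], "secret/web/db-password", "read"))          # True
    print(is_allowed([WEB_APP], "secret/billing/key", "read"))              # False: default deny
    print(is_allowed([WEB_APP, OPERATORS], "secret/web/db-password", "update"))  # False
```

Two results are worth dwelling on. A token carrying both `WEB_APP` and `OPERATORS` still cannot read `secret/web/admin/root-key`, because the explicit `deny` on the most specific path beats the operators' grant. And the same token cannot update `secret/web/db-password`: `secret/web/*` is the most specific match and grants only `read`, so the broader `secret/*` grant never applies. Under this model, capabilities must be stated on the path actually requested, which is exactly the "must be explicitly allowed" discipline the slide calls for.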