SlideShare a Scribd company logo

The BlackBox Project: Safely store secrets in Git/Mercurial (originally for Puppet)

Tom Limoncelli
Tom Limoncelli

A presentation given at PuppetCamp NYC 2014 about why Puppet users should stop storing secrets in Git/Hg and encrypt them instead. TLDR: It enables collaboration.

Software
1 of 38
Download to read offline
The BlackBox project Safely storing secrets and credentials in Git/Mg (mostly for use by Puppet) Tom Limoncelli, SRE, StackExchange.com Blog: EverythingSysadmin.com My new book! the-cloud-book.com
StackExchange.com 125+ Q&A Communities ServerFault.com StackOverflow.com (We <3 Puppet!)
What are secrets? Anything you don’t want exposed externally. ● SSL Certificates (the private bits) ● Passwords ● API keys
Puppet manages secrets
If you store secrets in git, you’re gonna have a bad time.
● Laptops get stolen. ● Workstations have guest accounts ● Git server “Circle of Trust” includes: ○ Everyone with admin access to workstations. ■ Your desktop support people? ○ Everyone with admin access to your git server: ■ Server team, storage team, backup team ○ Everyone you collaborate with that wants read-only access to Puppet manifests.
You have 3 bad options: 1. Deny git access. (Hurts collaboration) 2. Permit git access. (Hurts security) 3. Email individual files. (Hurts… just hurts)
Option 4: Encrypt secret parts ● If a file contains secrets, encrypt before checking into Git. ● Need to edit a secret? ○ Decrypt - Edit - Encrypt
What about Puppet master? ● After “git pull”, decrypt all files. ○ Automate this as part of CI. ● Files are unencrypted “at rest”. ● This does not decrease security: ○ No worse than what we were doing before. ○ If you can break into root or puppet on the master, you’ve already won.
Easy, right? Decrypt: Encrypt:
Easy, right? Decrypt: Encrypt: ● ...and don’t make any typos when entering the command ● ...and don't accidentally check in the unencrypted version
Security is 1% technology plus 99% following the procedures correctly. Any process with more than 1 step probably won't be followed consistently most of the time. Related reading: "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0”, Alma Whitten", Usenix Security 1999
Therefore…. we automate Introducing: Blackbox Scripts for keeping Puppet secrets in git/hg.
User commands: Decrypt for editing: Encrypt when done:
First time a file is encrypted: Enroll a file into the system:
Commands that act on all GPG files: Decrypt all files: (for use on puppet master) Re-encrypt all files: (after new users added)
Everyone has their own key This doesn’t use “symmetric encryption” where there is one passphrase to decrypt/encrypt all files. We maintain a keyring of: ● Each person that should have access. ● A key for the Puppet master.
Indoctrinate a new user: 1. New user does this: ●● ● (Currently a doc, not a script. Patches gladly accepted.)
Indoctrinate a new user: 2. Existing admin does this:
Demo: Edit a file
Demo: Edit a file
Demo: Edit a file
Demo: Edit a file
Demo: Edit a file
Demo: Edit a file
Demo: Edit a file
Code is open source as of 7/2014 ● Entirely written in bash. ● MIT License. ● Download it now: ○ https://github.com/StackExchange/blackbox
In the project’s first 9 months: StackExchange/ServerFault has eliminated plaintext secrets in our Puppet git repo. ● 7 SREs+Devs sharing the repo securely. ● 50+ files now stored encrypted. ○ Mostly SSL certs and SSH private keys. ● 40+ individual passwords/API keys: ○ Everything from SNMP communities, SaaS API keys, and many many passwords.
Future plans ❏ Open source scripts. ❏ More usability enhancements. ❏ Better setup documentation.
Join the open source project http://github.com/StackExchange/blackbox
Q&A URLs from this talk: https://github.com/StackExchange/blackbox EverythingSysadmin.com
Shameless plug Pre-order now! Save 35% Ships in September. informit.com/TPOSA Discount code TPOSA35 Read “rough cuts” today: safaribooksonline.com
Q&A URLs from this talk: https://github.com/StackExchange/blackbox EverythingSysadmin.com the-cloud-book.com informit.com/TPOSA (code TPOSA35)
Why didn’t we use eyaml? ● Easier transition. No Puppet code changes for big files like SSL certs. ● Faster. Zero run-time performance impact on master. ● eyaml didn’t exist when we started.
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for Puppet)

Recommended

Docker Ecosystem on Azure
Docker Ecosystem on AzureDocker Ecosystem on Azure
Docker Ecosystem on Azure
Patrick Chanezon
 
Monitoring Kubernetes with Prometheus
Monitoring Kubernetes with PrometheusMonitoring Kubernetes with Prometheus
Monitoring Kubernetes with Prometheus
Grafana Labs
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Peng Xiao
 
02 api gateway
02 api gateway02 api gateway
02 api gateway
Janani Velmurugan
 
CICD Pipelines for Microservices Best Practices
CICD Pipelines for Microservices Best Practices CICD Pipelines for Microservices Best Practices
CICD Pipelines for Microservices Best Practices
Codefresh
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansible
Khizer Naeem
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security Journey
Jerry Jalava
 
Building .NET Microservices
Building .NET MicroservicesBuilding .NET Microservices
Building .NET Microservices
VMware Tanzu
 

Recommended

Docker Ecosystem on Azure
Docker Ecosystem on AzureDocker Ecosystem on Azure
Docker Ecosystem on Azure
Patrick Chanezon
 
Monitoring Kubernetes with Prometheus
Monitoring Kubernetes with PrometheusMonitoring Kubernetes with Prometheus
Monitoring Kubernetes with Prometheus
Grafana Labs
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Peng Xiao
 
02 api gateway
02 api gateway02 api gateway
02 api gateway
Janani Velmurugan
 
CICD Pipelines for Microservices Best Practices
CICD Pipelines for Microservices Best Practices CICD Pipelines for Microservices Best Practices
CICD Pipelines for Microservices Best Practices
Codefresh
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansible
Khizer Naeem
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security Journey
Jerry Jalava
 
Building .NET Microservices
Building .NET MicroservicesBuilding .NET Microservices
Building .NET Microservices
VMware Tanzu
 
Azure Fundamentals || AZ-900
Azure Fundamentals || AZ-900Azure Fundamentals || AZ-900
Azure Fundamentals || AZ-900
thisiswali
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
Suraj Khetani
 
PostgreSQL 12 New Features with Examples (English) GA
PostgreSQL 12 New Features with Examples (English) GAPostgreSQL 12 New Features with Examples (English) GA
PostgreSQL 12 New Features with Examples (English) GA
Noriyoshi Shinoda
 
From Zero to Spring Boot Hero with GitHub Codespaces
From Zero to Spring Boot Hero with GitHub CodespacesFrom Zero to Spring Boot Hero with GitHub Codespaces
From Zero to Spring Boot Hero with GitHub Codespaces
VMware Tanzu
 
Continuous Delivery
Continuous DeliveryContinuous Delivery
Continuous Delivery
Mike McGarr
 
AKS
AKSAKS
AKS
girish goudar
 
Kubernetes #1 intro
Kubernetes #1 introKubernetes #1 intro
Kubernetes #1 intro
Terry Cho
 
Introduction to ansible
Introduction to ansibleIntroduction to ansible
Introduction to ansible
Omid Vahdaty
 
Introduction to Swagger
Introduction to SwaggerIntroduction to Swagger
Introduction to Swagger
Knoldus Inc.
 
Monitor Azure HDInsight with Azure Log Analytics
Monitor Azure HDInsight with Azure Log AnalyticsMonitor Azure HDInsight with Azure Log Analytics
Monitor Azure HDInsight with Azure Log Analytics
Ashish Thapliyal
 
Jenkins tutorial
Jenkins tutorialJenkins tutorial
Jenkins tutorial
HarikaReddy115
 
Azure Data Storage
Azure Data StorageAzure Data Storage
Azure Data Storage
Ken Cenerelli
 
AWS DevOps - Terraform, Docker, HashiCorp Vault
AWS DevOps - Terraform, Docker, HashiCorp VaultAWS DevOps - Terraform, Docker, HashiCorp Vault
AWS DevOps - Terraform, Docker, HashiCorp Vault
Grzegorz Adamowicz
 
KFServing - Serverless Model Inferencing
KFServing - Serverless Model InferencingKFServing - Serverless Model Inferencing
KFServing - Serverless Model Inferencing
Animesh Singh
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
John Kinsella
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices
Hendri Karisma
 
Gitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCDGitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCD
Haggai Philip Zagury
 
Azure kubernetes service (aks)
Azure kubernetes service (aks)Azure kubernetes service (aks)
Azure kubernetes service (aks)
Akash Agrawal
 
CI/CD with Github Actions
CI/CD with Github ActionsCI/CD with Github Actions
CI/CD with Github Actions
Md. Minhazul Haque
 
Designing a complete ci cd pipeline using argo events, workflow and cd products
Designing a complete ci cd pipeline using argo events, workflow and cd productsDesigning a complete ci cd pipeline using argo events, workflow and cd products
Designing a complete ci cd pipeline using argo events, workflow and cd products
Julian Mazzitelli
 
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet
 
Blackbox marketing 2011 v2pdf
Blackbox marketing 2011 v2pdfBlackbox marketing 2011 v2pdf
Blackbox marketing 2011 v2pdf
Meher Khan
 

More Related Content

What's hot

What's hot (20)

Azure Fundamentals || AZ-900
Azure Fundamentals || AZ-900Azure Fundamentals || AZ-900
Azure Fundamentals || AZ-900
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
 
PostgreSQL 12 New Features with Examples (English) GA
PostgreSQL 12 New Features with Examples (English) GAPostgreSQL 12 New Features with Examples (English) GA
PostgreSQL 12 New Features with Examples (English) GA
 
From Zero to Spring Boot Hero with GitHub Codespaces
From Zero to Spring Boot Hero with GitHub CodespacesFrom Zero to Spring Boot Hero with GitHub Codespaces
From Zero to Spring Boot Hero with GitHub Codespaces
 
Continuous Delivery
Continuous DeliveryContinuous Delivery
Continuous Delivery
 
AKS
AKSAKS
AKS
 
Kubernetes #1 intro
Kubernetes #1 introKubernetes #1 intro
Kubernetes #1 intro
 
Introduction to ansible
Introduction to ansibleIntroduction to ansible
Introduction to ansible
 
Introduction to Swagger
Introduction to SwaggerIntroduction to Swagger
Introduction to Swagger
 
Monitor Azure HDInsight with Azure Log Analytics
Monitor Azure HDInsight with Azure Log AnalyticsMonitor Azure HDInsight with Azure Log Analytics
Monitor Azure HDInsight with Azure Log Analytics
 
Jenkins tutorial
Jenkins tutorialJenkins tutorial
Jenkins tutorial
 
Azure Data Storage
Azure Data StorageAzure Data Storage
Azure Data Storage
 
AWS DevOps - Terraform, Docker, HashiCorp Vault
AWS DevOps - Terraform, Docker, HashiCorp VaultAWS DevOps - Terraform, Docker, HashiCorp Vault
AWS DevOps - Terraform, Docker, HashiCorp Vault
 
KFServing - Serverless Model Inferencing
KFServing - Serverless Model InferencingKFServing - Serverless Model Inferencing
KFServing - Serverless Model Inferencing
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices
 
Gitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCDGitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCD
 
Azure kubernetes service (aks)
Azure kubernetes service (aks)Azure kubernetes service (aks)
Azure kubernetes service (aks)
 
CI/CD with Github Actions
CI/CD with Github ActionsCI/CD with Github Actions
CI/CD with Github Actions
 
Designing a complete ci cd pipeline using argo events, workflow and cd products
Designing a complete ci cd pipeline using argo events, workflow and cd productsDesigning a complete ci cd pipeline using argo events, workflow and cd products
Designing a complete ci cd pipeline using argo events, workflow and cd products
 

Viewers also liked

Blackbox marketing 2011 v2pdf
Blackbox marketing 2011 v2pdfBlackbox marketing 2011 v2pdf
Blackbox marketing 2011 v2pdf
Meher Khan
 
Black Box for Machine Tools; Based on Open CNC Architecture Control Systems
Black Box for Machine Tools; Based on Open CNC Architecture Control SystemsBlack Box for Machine Tools; Based on Open CNC Architecture Control Systems
Black Box for Machine Tools; Based on Open CNC Architecture Control Systems
IDES Editor
 
Blackbox(englisch)
Blackbox(englisch)Blackbox(englisch)
Blackbox(englisch)
Friedrich Kreuzeder
 
LATEST EMBEDDED PROJECTS TITLES-COCKPIT WHITE BOX AUTOMATION(ECE/EEE/E&I)
LATEST EMBEDDED PROJECTS TITLES-COCKPIT WHITE BOX AUTOMATION(ECE/EEE/E&I)LATEST EMBEDDED PROJECTS TITLES-COCKPIT WHITE BOX AUTOMATION(ECE/EEE/E&I)
LATEST EMBEDDED PROJECTS TITLES-COCKPIT WHITE BOX AUTOMATION(ECE/EEE/E&I)
ASHOKKUMAR RAMAR
 
ECE PROJECTS ABSTRACT-COCKPIT WHITE BOX AUTOMATION SYSTEMS-AVIONICS/EMBEDDED
ECE PROJECTS ABSTRACT-COCKPIT WHITE BOX AUTOMATION SYSTEMS-AVIONICS/EMBEDDEDECE PROJECTS ABSTRACT-COCKPIT WHITE BOX AUTOMATION SYSTEMS-AVIONICS/EMBEDDED
ECE PROJECTS ABSTRACT-COCKPIT WHITE BOX AUTOMATION SYSTEMS-AVIONICS/EMBEDDED
ASHOKKUMAR RAMAR
 
Packet sniffers
Packet sniffersPacket sniffers
Packet sniffers
Wanwen Wen
 
Blackbox security white paper april 27, 2012
Blackbox security white paper april 27, 2012Blackbox security white paper april 27, 2012
Blackbox security white paper april 27, 2012
Grapeshot
 

Viewers also liked (20)

Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
 
Blackbox marketing 2011 v2pdf
Blackbox marketing 2011 v2pdfBlackbox marketing 2011 v2pdf
Blackbox marketing 2011 v2pdf
 
Stealing the Best Ideas from DevOps: A Guide for Sysadmins without Developers
Stealing the Best Ideas from DevOps: A Guide for Sysadmins without DevelopersStealing the Best Ideas from DevOps: A Guide for Sysadmins without Developers
Stealing the Best Ideas from DevOps: A Guide for Sysadmins without Developers
 
Black Box for Machine Tools; Based on Open CNC Architecture Control Systems
Black Box for Machine Tools; Based on Open CNC Architecture Control SystemsBlack Box for Machine Tools; Based on Open CNC Architecture Control Systems
Black Box for Machine Tools; Based on Open CNC Architecture Control Systems
 
Blackbox(englisch)
Blackbox(englisch)Blackbox(englisch)
Blackbox(englisch)
 
LATEST EMBEDDED PROJECTS TITLES-COCKPIT WHITE BOX AUTOMATION(ECE/EEE/E&I)
LATEST EMBEDDED PROJECTS TITLES-COCKPIT WHITE BOX AUTOMATION(ECE/EEE/E&I)LATEST EMBEDDED PROJECTS TITLES-COCKPIT WHITE BOX AUTOMATION(ECE/EEE/E&I)
LATEST EMBEDDED PROJECTS TITLES-COCKPIT WHITE BOX AUTOMATION(ECE/EEE/E&I)
 
ECE PROJECTS ABSTRACT-COCKPIT WHITE BOX AUTOMATION SYSTEMS-AVIONICS/EMBEDDED
ECE PROJECTS ABSTRACT-COCKPIT WHITE BOX AUTOMATION SYSTEMS-AVIONICS/EMBEDDEDECE PROJECTS ABSTRACT-COCKPIT WHITE BOX AUTOMATION SYSTEMS-AVIONICS/EMBEDDED
ECE PROJECTS ABSTRACT-COCKPIT WHITE BOX AUTOMATION SYSTEMS-AVIONICS/EMBEDDED
 
Packet sniffers
Packet sniffersPacket sniffers
Packet sniffers
 
Ceh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersCeh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffers
 
"Black Box for a Car" report
"Black Box for a Car" report"Black Box for a Car" report
"Black Box for a Car" report
 
Cellonics-Seminar-Report[1]
Cellonics-Seminar-Report[1]Cellonics-Seminar-Report[1]
Cellonics-Seminar-Report[1]
 
Pia Intership Report
Pia Intership ReportPia Intership Report
Pia Intership Report
 
Blackbox security white paper april 27, 2012
Blackbox security white paper april 27, 2012Blackbox security white paper april 27, 2012
Blackbox security white paper april 27, 2012
 
HAAPS Report
HAAPS ReportHAAPS Report
HAAPS Report
 
Black box
Black boxBlack box
Black box
 
Application of Composite Material in Aerospace Industry
Application of Composite Material in Aerospace IndustryApplication of Composite Material in Aerospace Industry
Application of Composite Material in Aerospace Industry
 
HAAPS Technology
HAAPS TechnologyHAAPS Technology
HAAPS Technology
 
AIRCRAFT PROPULSION SYSTEM seminar report
AIRCRAFT PROPULSION SYSTEM seminar reportAIRCRAFT PROPULSION SYSTEM seminar report
AIRCRAFT PROPULSION SYSTEM seminar report
 
Sniffer for Detecting Lost Mobile
Sniffer for Detecting Lost MobileSniffer for Detecting Lost Mobile
Sniffer for Detecting Lost Mobile
 
Black box of Aircraft
Black box of AircraftBlack box of Aircraft
Black box of Aircraft
 

Similar to The BlackBox Project: Safely store secrets in Git/Mercurial (originally for Puppet)

The Listening: Email Client Backdoor
The Listening: Email Client BackdoorThe Listening: Email Client Backdoor
The Listening: Email Client Backdoor
Michael Scovetta
 
Can Kubernetes Keep a Secret?
Can Kubernetes Keep a Secret?Can Kubernetes Keep a Secret?
Can Kubernetes Keep a Secret?
Soluto
 
OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...
OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...
OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...
NETWAYS
 
HKG18-203 - Overview of Linaro DRM
HKG18-203 - Overview of Linaro DRMHKG18-203 - Overview of Linaro DRM
HKG18-203 - Overview of Linaro DRM
Linaro
 
A "Box" Full of Tools and Distros
A "Box" Full of Tools and DistrosA "Box" Full of Tools and Distros
A "Box" Full of Tools and Distros
Dario Faggioli
 

Similar to The BlackBox Project: Safely store secrets in Git/Mercurial (originally for Puppet) (20)

The Listening: Email Client Backdoor
The Listening: Email Client BackdoorThe Listening: Email Client Backdoor
The Listening: Email Client Backdoor
 
Pentester++
Pentester++Pentester++
Pentester++
 
Git ongithub
Git ongithubGit ongithub
Git ongithub
 
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)
 
12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your CI / CD12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your CI / CD
 
Us 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimesUs 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimes
 
Can Kubernetes Keep a Secret?
Can Kubernetes Keep a Secret?Can Kubernetes Keep a Secret?
Can Kubernetes Keep a Secret?
 
Detecting secrets in code committed to gitlab (in real time)
Detecting secrets in code committed to gitlab (in real time)Detecting secrets in code committed to gitlab (in real time)
Detecting secrets in code committed to gitlab (in real time)
 
OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...
OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...
OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...
 
Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
Defense in Depth: Securing your new Kubernetes cluster from the challenges th...Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
Defense in Depth: Securing your new Kubernetes cluster from the challenges th...
 
HKG18-203 - Overview of Linaro DRM
HKG18-203 - Overview of Linaro DRMHKG18-203 - Overview of Linaro DRM
HKG18-203 - Overview of Linaro DRM
 
Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to Exploitation
 
My "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails ProjectsMy "Perfect" Toolchain Setup for Grails Projects
My "Perfect" Toolchain Setup for Grails Projects
 
Chapter 4 access control fundamental ii
Chapter 4 access control fundamental iiChapter 4 access control fundamental ii
Chapter 4 access control fundamental ii
 
A "Box" Full of Tools and Distros
A "Box" Full of Tools and DistrosA "Box" Full of Tools and Distros
A "Box" Full of Tools and Distros
 
X page developer
X page developerX page developer
X page developer
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014
 
Git slides
Git slidesGit slides
Git slides
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit
 
Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020
 

Recently uploaded

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 

Recently uploaded (20)

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
SHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions PresentationSHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions Presentation
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
Generic or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisionsGeneric or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisions
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 

The BlackBox Project: Safely store secrets in Git/Mercurial (originally for Puppet)

  • 1. The BlackBox project Safely storing secrets and credentials in Git/Mg (mostly for use by Puppet) Tom Limoncelli, SRE, StackExchange.com Blog: EverythingSysadmin.com My new book! the-cloud-book.com
  • 2. StackExchange.com 125+ Q&A Communities ServerFault.com StackOverflow.com (We <3 Puppet!)
  • 3. What are secrets? Anything you don’t want exposed externally. ● SSL Certificates (the private bits) ● Passwords ● API keys
  • 5.
  • 6. If you store secrets in git, you’re gonna have a bad time.
  • 7. ● Laptops get stolen. ● Workstations have guest accounts ● Git server “Circle of Trust” includes: ○ Everyone with admin access to workstations. ■ Your desktop support people? ○ Everyone with admin access to your git server: ■ Server team, storage team, backup team ○ Everyone you collaborate with that wants read-only access to Puppet manifests.
  • 8. You have 3 bad options: 1. Deny git access. (Hurts collaboration) 2. Permit git access. (Hurts security) 3. Email individual files. (Hurts… just hurts)
  • 9. Option 4: Encrypt secret parts ● If a file contains secrets, encrypt before checking into Git. ● Need to edit a secret? ○ Decrypt - Edit - Encrypt
  • 10. What about Puppet master? ● After “git pull”, decrypt all files. ○ Automate this as part of CI. ● Files are unencrypted “at rest”. ● This does not decrease security: ○ No worse than what we were doing before. ○ If you can break into root or puppet on the master, you’ve already won.
  • 12. Easy, right? Decrypt: Encrypt: ● ...and don’t make any typos when entering the command ● ...and don't accidentally check in the unencrypted version
  • 13. Security is 1% technology plus 99% following the procedures correctly. Any process with more than 1 step probably won't be followed consistently most of the time. Related reading: "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0”, Alma Whitten", Usenix Security 1999
  • 14. Therefore…. we automate Introducing: Blackbox Scripts for keeping Puppet secrets in git/hg.
  • 15. User commands: Decrypt for editing: Encrypt when done:
  • 16. First time a file is encrypted: Enroll a file into the system:
  • 17. Commands that act on all GPG files: Decrypt all files: (for use on puppet master) Re-encrypt all files: (after new users added)
  • 18. Everyone has their own key This doesn’t use “symmetric encryption” where there is one passphrase to decrypt/encrypt all files. We maintain a keyring of: ● Each person that should have access. ● A key for the Puppet master.
  • 19. Indoctrinate a new user: 1. New user does this: ●● ● (Currently a doc, not a script. Patches gladly accepted.)
  • 20. Indoctrinate a new user: 2. Existing admin does this:
  • 21. Demo: Edit a file
  • 22. Demo: Edit a file
  • 23. Demo: Edit a file
  • 24. Demo: Edit a file
  • 25. Demo: Edit a file
  • 26. Demo: Edit a file
  • 27. Demo: Edit a file
  • 28.
  • 29.
  • 30. Code is open source as of 7/2014 ● Entirely written in bash. ● MIT License. ● Download it now: ○ https://github.com/StackExchange/blackbox
  • 31. In the project’s first 9 months: StackExchange/ServerFault has eliminated plaintext secrets in our Puppet git repo. ● 7 SREs+Devs sharing the repo securely. ● 50+ files now stored encrypted. ○ Mostly SSL certs and SSH private keys. ● 40+ individual passwords/API keys: ○ Everything from SNMP communities, SaaS API keys, and many many passwords.
  • 32. Future plans ❏ Open source scripts. ❏ More usability enhancements. ❏ Better setup documentation.
  • 33. Join the open source project http://github.com/StackExchange/blackbox
  • 34. Q&A URLs from this talk: https://github.com/StackExchange/blackbox EverythingSysadmin.com
  • 35. Shameless plug Pre-order now! Save 35% Ships in September. informit.com/TPOSA Discount code TPOSA35 Read “rough cuts” today: safaribooksonline.com
  • 36. Q&A URLs from this talk: https://github.com/StackExchange/blackbox EverythingSysadmin.com the-cloud-book.com informit.com/TPOSA (code TPOSA35)
  • 37. Why didn’t we use eyaml? ● Easier transition. No Puppet code changes for big files like SSL certs. ● Faster. Zero run-time performance impact on master. ● eyaml didn’t exist when we started.