2. Confidential Customized for Lorem Ipsum LLC Version 1.0
TOC
Overview
What is Vault ?
Vault Architecture
Features
Shamir’s Algorithm
Read/Write Token
Read/Write
Multiple Values
Audit
Database
Read Format
Vault UI
Commands
Installation
SSH
Policies
Telemetry
Transit
Vault Plugins
GitHub
Authentication
AWS
Authentication
Policies
Storage
Backend
Community
Use Cases
3. Overview
● Vault is a simple tool to secure your
credentials and authentication of your
organization.
● It encrypts & provides access to any
secrets.
● Every secret is associated with a lease.
Clients have to renew there secret
within the lease period.
● A secret is anything that you want to
tightly control access to, such as API
keys, passwords, certificates, and more.
4. Features
1
Secure Secret Storage: Arbitrary key/value
secrets can be stored in Vault. Vault encrypts
these secrets prior to writing them to persistent
storage, so gaining access to the raw storage
isn't enough to access your secrets. Vault can
write to disk, Consul, and more.
2
Dynamic Secrets: Vault can generate secrets
on-demand for some systems, such as AWS or
SQL databases. For example, when an
application needs to access an S3 bucket, it
asks Vault for credentials, and Vault will
generate an AWS keypair with valid
permissions on demand. After creating these
dynamic secrets, Vault will also automatically
revoke them after the lease is up.
3
Leasing and Renewal: All secrets in Vault
have a lease associated with it. At the end of
the lease, Vault will automatically revoke that
secret. Clients are able to renew leases via
built-in renew APIs.
4
Revocation: Vault has built-in support for
secret revocation. Vault can revoke not only
single secrets, but a tree of secrets, for
example all secrets read by a specific user, or
all secrets of a particular type. Revocation
assists in key rolling as well as locking down
systems in the case of an intrusion.
5. Commands
● Init - Initialize a new Vault server
● List - List data or secrets in Vault
● Token-create - Create a new auth token
● Mounts - Lists mounted backends in
Vault
● Policies - List the policies on the server
● Audit - Lists enabled audit backends in
Vault
● Ssh - Initiate an SSH session
● Rotate - Rotates the backend encryption
key used to persist data
● Unseal/Seal - Unseal/Seal Vault
6. Vault Use Case Overview
Vault
3 rd Party Tools
SSH
Transit
(Encrypt/Decrypt)
Database
Audit
Vault
9. Installation
01
Download the binary from
https://www.vaultproject.io/downloads.html
$ chmod +x vault
$ mv vault /usr/local/bin/
$ export VAULT_ADDR='http://127.0.0.1:8200'
10. Shamir's Algorithm
02
● Basically a form of secret sharing, where a secret is divided
into parts, giving each participant its own unique part,
where some of the parts or all of them are needed in order
to reconstruct the secret.
● Threshold is the number of shares you need at least in order
to recover your secret. You can restore your secret only
when you have more than or equal to the number of
threshold.
● For Vault, we split the master key into 5 shares, any 3 of
which are required to reconstruct the master key.
● For more Info:
http://kimh.github.io/blog/en/security/protect-your-sec
ret-key-with-shamirs-secret-sharing/
11. Read/Write Token
03
● Store Ramit’s (User) password under the secret/ path prefix:
$ vault write secret/ramit value=SuperSecretPassword
● Store Ramit (User) password and token:
$ vault write secret/ramit value=SuperSecretPassword token=ABCDE12345
● Read Secret for a particular user:
$ vault read secret/ramit
● Read in a particular Format:
$ vault read --format=json secret/ramit (Other format include table, yaml )
12. Read/Write Multiple Token & Password
04
● Store multiple values for any user :
$ vault write secret/password @data.json
● Read Secret of a user:
$ vault read secret/ramit
{ "key": "ramit5", "value":
"itsasecret1"}
13. Vault Audit Mechanism
05
● Enable vault audit backend :
$ vault audit-enable file file_path=/var/log/vault_audit.log
● Check the log file using:
$ sudo cat /var/log/vault_audit.log
● Any number of file audit logs can be created by enabling it with different paths.
$ vault audit-enable -path="vault_audit_1" file file_path=/home/user/vault_audit.log
● Can also enable syslog, socket:
$ vault audit-enable syslog
$ vault audit-enable socket
$ vault audit-enable socket address="127.0.0.1:9090" socket_type="tcp"
14. Vault SSH OTP Usage
06
● Mount ssh at vault
$ vault mount ssh
● Writing SSH Role with User and CIDR
$ vault write ssh/roles/otp_key_role
key_type=otp
default_user=ramit
cidr_list=192.168.x.x/y
● Configure sshd daemon in pam:
$ vim /etc/pam.d/sshd
15. Vault SSH OTP Usage
● Edit/Add the following lines in the sshd file:
@include common-auth
auth requisite pam_exec.so quiet expose_authtok log=/tmp/vault-ssh.log /opt/vault-ssh-helper
-config=/opt/config.hcl -dev
auth optional pam_unix.so not_set_pass use_first_pass nodelay
● Edit the /etc/ssh/sshd_config
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
● Restart ssh:
$ sudo service sshd restart
● List all users in secret:
$ vault write ssh/creds/otp_key_role ip=192.168.x.x
● Try using ssh with otp from the above output:
$ ssh root@192.168.x.x
16. Vault Database
07
● Mount MySQL Database
$ vault mount database
● Vault Configure MySQL Connection:
$ vault write database/config/mysql plugin_name=mysql-database-plugin
connection_url="root:<YOUR-DB_PASSWORD>@tcp(127.0.0.1:3306)/"
allowed_roles="readonly"
● Add a role:
$ vault write database/roles/readonly db_name=mysql creation_statements
="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
GRANT SELECT ON *.* TO '{{name}}'@'%';" default_ttl="1h"
max_ttl="24h"
● Read the credentials:
$ vault read mysql1/creds/readonly
● mysql-database-plugin
● mysql-aurora-database-plugin
● mysql-rds-database-plugin
● Mysql-legacy-database-plugin
● postgresql-database-plugin
● Mssql-database-plugin
● cassandra-database-plugin
● vault-plugin-database-oracle
● hana-database-plugin
● mongodb-database-plugin
17. Vault Database
● From the output of above command use
$ sudo mysql -u v-root-readonly-wp7sx5737ry347x1 -pA1a-7q7yxq902pwtyu89
19. Vault UI
● Built using external projects by community.
● Can be run via Docker
● $ sudo docker run -d -p 8000:8000 --name
vault-ui djenriquez/vault-ui
20. Vault Policies
● List all Policies on Vault:
$ vault policies
● Implementing (acl.hcl) on vault with name (secret):
$ vault policy-write secret acl.hcl
● Validate if the policy is implemented:
$ vault policies
● Delete Policy in Vault:
$ vault policy-delete secret
● Create a new token using a particular policy:
$ vault token-create -policy="secret"
path "sys" {
policy = "deny"
}
path "secret" {
policy = "write"
}
path "secret/foo" {
policy = "read"
}
21. Vault Telemetry
● Vault agent collects various runtime metrics about the performance of different libraries and subsystems.
● These metrics are aggregated on a 10 second interval and are retained for 1 minute.
● You'll note that log entries are prefixed with the metric type as follows:
[C] is a counter
[G] is a gauge
[S] is a summary
● For more info:
https://www.vaultproject.io/docs/internals/telemetry.html
22. Vault Transit Encryption
● It handles cryptographic functions on data in-transit.
● It encrypts data from applications while still storing that encrypted data in some primary data store.
● It can also sign and verify data; generate hashes and HMACs of data; and act as a source of random bytes.
● It allows the same key to be used for multiple purposes by deriving a new key based on a user-supplied context value.
● Mount transit on vault
$ vault mount transit
● create a named encryption key:
$ vault write -f transit/keys/foo
● Validate the key foo
$ vault read transit/keys/foo
23. Vault Transit Decryption
● Encrypt the Plain text (the quick brown fox)
echo -n "the quick brown fox" | base64 | vault write transit/encrypt/foo plaintext=-
● Decrypt
$ vault write transit/decrypt/foo
ciphertext=vault:v1:czEwyKqGZY/limnuzDCUUe5AK0tbBObWqeZgFqxCuIqq7A84SeiOq3sKD0Y/KUvv
$ echo "dGhlIHF1aWNrIGJyb3duIGZveAo=" | base64 -d
27. AWS Dynamic Authentication
● Mount AWS on Vault:
$ vault mount aws
● Vault Write AWS Creds:
$ vault write aws/config/root access_key=ABCDE1234 secret_key=1234ABCDE
● Using IAM Policy in JSON Format with policy.json :
$ vault write aws/roles/deploy policy=@policy.json
● Read & Verify the AWS tokens in Vault:
$ vault read aws/creds/deploy
● Using lease_id parameter from above in the above command:
$ vault revoke <aws/creds/deploy/185e6910-6d36-e9a6-33b3-fc8dcfd4e97c> → lease_id
{
"Version": "2012-10-17",
"Statement": [
{
"Sid":
"Stmt1426528957000",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": [
"*"
]
}
]
}
28. Vault Storage Backend
● Store multiple values for any user :
$ vim vault-config.hcl
listener "tcp" {
address = "0.0.0.0:8200"
tls_cert_file="/home/ec2-user/.ssl/server.crt"
tls_key_file="/home/ec2-user/.ssl/server.key"
}
backend "s3" {
bucket = "foldername"
access_key = "xxxxxxxxxxxx"
secret_key= "xxxxxxxxxxxxxxxxxxxxxxx"
}
disable_mlock=true
● Read in a particular Format:
$ vault read --format=json secret/ramit (Other format include table, yaml )
● S3
● Dynamodb
● Azure
● CouchDB
● CockroachDB
● Etcd
● Google Cloud
● Swift
● Zookeeper
● MySQL
● FileSystem
● PostgreSQL
29. Supervisor
● Store multiple values for any user :
$ sudo apt-get install supervisor -y
● Config File:
$ vim /etc/supervisor/supervisord.conf
● List all users in secret:
$ [unix_http_server]`
- change `;chmod=0700` to `chmod=0766`
- add the following: `[program:vault]`
- add `command=vault server -config=/home/ec2-user/vault-config.hcl`
- add `user=ec2-user`
- add `environment=AWS_ACCESS_KEY_ID="<your_access_key_id",AWS_SECRET_ACCESS_KEY="<your_secret_access_key>"`
● Read in a particular Format:
$ sudo touch /etc/init.d/supervisord
30. Supervisor
● Add Supervisord with chkconfig :
$ sudo chkconfig --add supervisord
● Start Service with supervisord
sudo service supervisord start
supervisorctl
● For more info on supervisor:
https://serversforhackers.com/c/monitoring-processes-with-supervisord
31. Generating a Self Signed Certificate
● SSL uses asymmetric cryptography, commonly referred to as public key cryptography (PKI).
● With public key cryptography, two keys are created, one public, one private. Anything encrypted with
either key can only be decrypted with its corresponding key.
● Thus if a message or data stream were encrypted with the server's private key, it can be decrypted only
using its corresponding public key, ensuring that the data only could have come from the server.
● Openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request). It
can also be used to generate self-signed certificates which can be used for testing purposes or internal
usage.
● Make a Directory
$ mkdir .ssl && cd .ssl
● Generate a private key with a password, 1024 bit encrypted
$ openssl genrsa -des3 -out server.key 1024
● Generate a CSR (Certificate Signing Request)
$ openssl req -new -key server.key -out server.csr
32. Generating a Self Signed Certificate (Part 2)
● Remove passphrase from the key
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
● Generate a Self-Signed Certificate
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
● Remove Old directory
$ rm server.key.org && cd